The Name Constraints extension contains GeneralSubtree values
indicating included or excluded subtrees. It is defined as:
GeneralSubtree ::= SEQUENCE {
base GeneralName,
minimum [0] BaseDistance DEFAULT 0,
maximum [1] BaseDistance OPTIONAL }
RFC 5280 further specifies:
Within this profile, the minimum and maximum fields are not used with
any name forms, thus, the minimum MUST be zero, and maximum MUST be
absent.
Because the minimum fields has DEFAULT 0, and certificates should be
encoded using DER, the situation where minimum = 0 occurs in a
certificate should not arise. Nevertheless, it does arise. For
example, I have seen certificates issued by Microsoft programs that
contain GeneralSubtree values encoded thus.
Enhance the Name Constraints matching routine to handle the case
where minimum is specified. If present, it must be zero. The
maximum field remains prohibited.
Reviewed-by: Paul Yang <yang.yang@baishancloud.com>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/7039)
c23e497da7