TL;DR
macOS does support X.509 nameConstraints in certificates, but the level of support varies depending on which application is handling the certificate. Safari and other applications using the system trust store generally respect them. However, some older or non-standard applications might ignore them.
Understanding Name Constraints
X.509 nameConstraints are a feature within digital certificates that allow Certificate Authorities (CAs) to restrict which names a certificate is valid for, even if the Subject Alternative Name (SAN) field allows broader coverage. This adds an extra layer of security by limiting potential misuse of a compromised CA.
Checking Support in macOS
- Safari & System Trust Store: Safari and applications that use the macOS system trust store generally honour nameConstraints. To verify this, you need to examine how the certificate is being presented and trusted.
- Certificate Viewer: Double-click the certificate in Keychain Access. Look for a ‘Name Constraints’ section. If present, it indicates the CA has defined constraints.
- Trust Settings: In Keychain Access, select the certificate, then go to ‘Trust’. The system will indicate if trust is affected by nameConstraints (though this isn’t always explicitly stated).
- Command Line Verification with openssl: You can use OpenSSL to inspect the certificate and confirm the presence of name constraints.
openssl x509 -in your_certificate.pem -noout -text
Look for a section labelled ‘X509v3 Name Constraints’ (the exact label OpenSSL prints, followed by its Permitted and Excluded subtrees). If it exists, the constraints are defined in the certificate.
- Testing with curl: Use curl to connect to a server using the certificate and observe if the connection succeeds or fails based on whether the name matches the constraints.
curl --cacert your_certificate.pem https://example.com
If the hostname doesn’t match the allowed names in the nameConstraints, curl should return an error.
- Applications Outside System Trust Store: Applications that don’t use the system trust store (e.g., older versions of specific software) may not respect X.509 name constraints.
- Check Application Documentation: Consult the application’s documentation to see if it explicitly supports or ignores nameConstraints.
- Manual Testing: Test with a certificate containing nameConstraints and observe its behaviour within the application.
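The openssl and curl checks above are easiest to understand against a certificate hierarchy you control. The following shell script is an added example (it is not from the original article) that builds a throwaway root CA whose nameConstraints permit only DNS names under .example.com, issues one leaf inside that subtree and one outside it, and then lets openssl verify act as the chain validator. It uses openssl verify with -verify_hostname in place of the curl connection test so that no server is needed; every file name, subject and hostname is constructed for the demo. It generalises the article’s single inspection command into a complete accept/reject round trip.

```sh
#!/bin/sh
# Added example (not from the original article): build a name-constrained CA,
# issue one permitted and one excluded leaf, and watch OpenSSL accept the first
# and reject the second. All names, files and keys below are constructed.
set -u

# Print the name-constraints section from a certificate so the reader can see
# the label OpenSSL actually prints ("X509v3 Name Constraints").
show_constraints() {
    openssl x509 -in "$1" -noout -text | grep -A 3 'Name Constraints'
}

# Build the CA and two leaves in $1 (a scratch directory). Returns 0 when the
# permitted leaf verifies and the excluded leaf is rejected, 1 otherwise.
name_constraints_demo() {
    dir=$1
    mkdir -p "$dir"

    # Constructed OpenSSL config: v3_ca marks the cert as a CA and restricts it
    # to DNS names under .example.com; the two leaf sections carry the SANs.
    cat > "$dir/demo.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Constrained Demo CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;DNS:.example.com
[ leaf_ok ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.com
[ leaf_bad ]
basicConstraints = CA:FALSE
subjectAltName = DNS:www.example.org
EOF

    # Self-signed, name-constrained root (P-256 key to keep generation fast).
    openssl ecparam -name prime256v1 -genkey -noout -out "$dir/ca.key" 2>/dev/null
    openssl req -new -x509 -days 1 -key "$dir/ca.key" -config "$dir/demo.cnf" \
        -extensions v3_ca -out "$dir/ca.crt" 2>/dev/null || return 1

    # Issue one leaf inside the permitted subtree and one outside it.
    for leaf in ok bad; do
        case $leaf in ok) host=www.example.com ;; *) host=www.example.org ;; esac
        openssl ecparam -name prime256v1 -genkey -noout -out "$dir/$leaf.key" 2>/dev/null
        openssl req -new -key "$dir/$leaf.key" -config "$dir/demo.cnf" \
            -subj "/CN=$host" -out "$dir/$leaf.csr" 2>/dev/null || return 1
        openssl x509 -req -days 1 -in "$dir/$leaf.csr" -CA "$dir/ca.crt" \
            -CAkey "$dir/ca.key" -CAcreateserial -extfile "$dir/demo.cnf" \
            -extensions "leaf_$leaf" -out "$dir/$leaf.crt" 2>/dev/null || return 1
    done

    # Chain validation plus hostname match: what curl --cacert does on connect.
    openssl verify -CAfile "$dir/ca.crt" -verify_hostname www.example.com \
        "$dir/ok.crt" >/dev/null 2>&1 || return 1
    # The excluded leaf must fail; OpenSSL reports "permitted subtree violation".
    if openssl verify -CAfile "$dir/ca.crt" "$dir/bad.crt" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Run the demo in a scratch directory and report the outcome.
workdir=$(mktemp -d)
if name_constraints_demo "$workdir"; then
    show_constraints "$workdir/ca.crt"
    echo "PASS: permitted leaf accepted, excluded leaf rejected"
else
    echo "FAIL: unexpected verification result"
fi
```

The same ca.crt can be handed to curl --cacert or imported into a test keychain to compare how a given application treats the excluded leaf; an application that accepts www.example.org under this CA is ignoring the constraint.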
Common Scenarios & Troubleshooting
- Certificate Not Trusted: If a certificate is not trusted despite being valid, check if the hostname you’re connecting to falls within the nameConstraints defined in the certificate.
- Incorrectly Configured Trust Store: Ensure your system trust store is up-to-date and contains the correct root certificates.
security update-trust-db -d /System/Library/Keychains/System.keychain
- Application Bug: If an application should support nameConstraints but isn’t, it may be a bug in the application itself. Consider updating to the latest version or contacting the vendor.
Conclusion
While macOS generally supports X.509 nameConstraints through Safari and its system trust store, thorough testing is crucial, especially when dealing with applications that manage their own certificate stores. OpenSSL provides a reliable way to inspect certificates directly.