On Thu, 8 Aug 2019 at 01:40, Denis Kenzior <denkenz(a)gmail.com> wrote:
>> Also, what happens if the strings contain a '/' character? Or is that
>> not possible?
> So apparently openssl has some \ unescaping support for these strings
> when you generate the certificate and probably the characters are
> escaped again when you extract this string from a cert. We could
> replicate this but in terms of security I think it doesn't add
> anything, users will just need to remember to not escape the
> characters in the iwd configs.
> This response doesn't fill me with a lot of confidence :) How is domain
> name suffix matching code (for example) going to deal with random '/'
> characters if they serve as delimiters?
So with the simple fnmatch or substring matching this wasn't really a
problem as without a regex you had no way to distinguish a '/' from an
escaped "\/". I mean, it was just as bad in both cases :)
With a proper parser for this string in the client code though, and
with proper escaping, we may be able to prevent some attacks where
someone convinces the CA to sell them a certificate with e.g.
"/CN=example.com" contained inside another field in the subject DN, so
yeah, perhaps it's worth adding, I'll do that.
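The parsing problem discussed above, as an added Python example that is not iwd's or OpenSSL's code: it assumes the simple convention that a backslash escapes the following character in an OpenSSL-style "/C=.../CN=..." subject string, and the spoofed DN is constructed for illustration.

```python
"""Parse a one-line subject DN such as "/C=US/O=Example/CN=example.com".

Constructed example: a value containing an escaped slash ("\/CN=example.com")
is read as a second CN by a naive split on '/', but stays inside its own
field when the parser honours the escape (assumed convention: '\' escapes
the next character, so '\/' is a literal slash and '\\' a literal backslash).
"""


def parse_dn_naive(dn):
    """Split on every '/' with no notion of escaping: '/' and '\/' are
    indistinguishable, which is the fnmatch/substring situation."""
    pairs = []
    for part in dn.split("/"):
        if part:
            key, _, value = part.partition("=")
            pairs.append((key, value))
    return pairs


def parse_dn(dn):
    """Escape-aware parser returning [(attribute, value), ...] in order,
    with escape characters removed from the values."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    pairs, key, buf, i, n = [], None, [], 1, len(dn)
    while i <= n:
        c = dn[i] if i < n else "/"  # sentinel '/' closes the final RDN
        if c == "\\" and i + 1 < n:  # escaped char: take it literally
            buf.append(dn[i + 1])
            i += 2
            continue
        if c == "=" and key is None:  # first unescaped '=' ends the attribute
            key, buf = "".join(buf), []
        elif c == "/":  # unescaped '/' ends the RDN
            if key is not None:
                pairs.append((key, "".join(buf)))
            elif buf:
                raise ValueError("RDN without '=': %r" % "".join(buf))
            key, buf = None, []
        else:
            buf.append(c)
        i += 1
    return pairs


def common_names(pairs):
    """All CN values found by a parser; a matcher should see exactly one."""
    return [value for attr, value in pairs if attr == "CN"]


# Constructed attacker-controlled subject: OU carries an escaped "/CN=...".
SPOOFED = r"/C=US/OU=evil\/CN=example.com/CN=attacker.example"
```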