Signature scheme constraints are only checked against the root certificate and not the complete trust chain
I have this setup
CA cert : RSA 4096
=> Intermediate CA : RSA 4096
> > Intermediate CA : RSA 2048
> > ==> End Entity cert1 : RSA 2048
When I configure rightauth locallay for a peer that uses cert1 with
The connection to the peer succeeds and works. I expected it to fail since the peer cert is using RSA-2048. Only if I set rightauth to something greater than 4096, such as 8196 the connection fails.
The constraint in rightauth doesn't seem to be applied to all of the certificate in the trust chain.
#1 Updated by Tobias Brunner almost 4 years ago
- Tracker changed from Issue to Bug
- Category set to libstrongswan
- Status changed from New to Feedback
- Target version set to 5.6.2
I think the problem is that these key strength rules are not classified as multi value rules, which means only the value added last is actually used (in this case the root CA). I pushed a fix to the 2515-auth-rule-strength branch.