TrustedComputingGroup · JonathanWilbur · Dec 13, 2022 · Dec 13, 2022
diff --git a/crypto/x509/ext_dat.h b/crypto/x509/ext_dat.h
@@ -42,4 +42,5 @@ extern const X509V3_EXT_METHOD ossl_v3_acc_priv_policies;
 extern const X509V3_EXT_METHOD ossl_v3_authority_attribute_identifier;
 extern const X509V3_EXT_METHOD ossl_v3_issued_on_behalf_of;
 extern const X509V3_EXT_METHOD ossl_v3_allowed_attribute_assignments;
-extern const X509V3_EXT_METHOD ossl_v3_attribute_mappings;
+extern const X509V3_EXT_METHOD ossl_v3_attribute_mappings;
+extern const X509V3_EXT_METHOD ossl_v3_holder_name_constraints;
diff --git a/crypto/x509/standard_exts.h b/crypto/x509/standard_exts.h
@@ -93,7 +93,7 @@ static const X509V3_EXT_METHOD *standard_exts[] = {
     &ossl_v3_group_ac,
     &ossl_v3_allowed_attribute_assignments,
     &ossl_v3_attribute_mappings,
-    // TODO: holderNameConstraints
+    &ossl_v3_holder_name_constraints,
     &ossl_v3_associated_info,
 };
 

diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
@@ -62,6 +62,16 @@ const X509V3_EXT_METHOD ossl_v3_delegated_name_constraints = {
     NULL
 };
 
+const X509V3_EXT_METHOD ossl_v3_holder_name_constraints = {
+    NID_holder_name_constraints, 0,
+    ASN1_ITEM_ref(NAME_CONSTRAINTS),
+    0, 0, 0, 0,
+    0, 0,
+    0, v2i_NAME_CONSTRAINTS,
+    i2r_NAME_CONSTRAINTS, 0,
+    NULL
+};
+
 ASN1_SEQUENCE(GENERAL_SUBTREE) = {
         ASN1_SIMPLE(GENERAL_SUBTREE, base, GENERAL_NAME),
         ASN1_IMP_OPT(GENERAL_SUBTREE, minimum, ASN1_INTEGER, 0),

diff --git a/test/certs/ext-holderNameConstraints.pem b/test/certs/ext-holderNameConstraints.pem
@@ -0,0 +1,12 @@
+-----BEGIN CERTIFICATE-----
+MIIBsDCCAZygAwIBAgIDAQIDMAsGCSqGSIb3DQEBBTAAMCIYDzIwMjEwODMxMDI0
+MTA0WhgPMjAyMTA4MzEwMjQxMDRaMAAwggEgMAsGCSqGSIb3DQEBAQOCAQ8AMIIB
+CgKCAQEAtnjLm1ts1hC4fNNt3UnQD9y73bDXgioTyWYSI3ca/KNfuTydjFTEYAmq
+nuGrBOUfgbmH3PRQ0AmpqljgWTb3d3K8H4UFvDWQTPSS21IMjm8oqd19nE5GxWir
+Gu0oDRzhWLHe1RZ7ZrohCPg/1Ocsy47QZuK2laFB0rEmrRWBmEYbDl3/wxf5XfqI
+qpOynJB02thXrTCcTM7Rz1FqCFt/ZVZB5hKY2S+CTdE9OIVKlr4WHMfuvUYeOj06
+GkwLFJHNv2tU+tovI3mYRxUuY4UupkS3MC+Otey7XKm1P+INjWWoegm6iCAt3Vus
+pVz+6pU2xgl3nrAVMQHB4fReQPH0pQIDAQABozcwNTAzBgNVHUUELDAqoCgwJqQe
+MBwxGjAYBgNVBAMMEVdpbGRib2FyIFNvZnR3YXJlgAEBgQEDMAsGCSqGSIb3DQEB
+BQMBAA==
+-----END CERTIFICATE-----