Merge pull request #1061 from smallstep/name-constraints

Name Constraints Validation
2022-09-27 10:26:46 -07:00 · 2022-09-27 10:26:46 -07:00 · fa7c55a0ec
commit fa7c55a0ec
parent ea229e2ba8 7d46516bbf
9 changed files with 1055 additions and 34 deletions
--- a/authority/authority.go
+++ b/authority/authority.go
@ -1,6 +1,7 @@
 package authority

 import (
+	"bytes"
 	"context"
 	"crypto"
 	"crypto/sha256"
@ -24,6 +25,7 @@ import (
 	adminDBNosql "github.com/smallstep/certificates/authority/admin/db/nosql"
 	"github.com/smallstep/certificates/authority/administrator"
 	"github.com/smallstep/certificates/authority/config"
+	"github.com/smallstep/certificates/authority/internal/constraints"
 	"github.com/smallstep/certificates/authority/policy"
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/cas"
@ -46,14 +48,15 @@ type Authority struct {
 	linkedCAToken string

 	// X509 CA
-	password           []byte
-	issuerPassword     []byte
-	x509CAService      cas.CertificateAuthorityService
-	rootX509Certs      []*x509.Certificate
-	rootX509CertPool   *x509.CertPool
-	federatedX509Certs []*x509.Certificate
-	certificates       *sync.Map
-	x509Enforcers      []provisioner.CertificateEnforcer
+	password              []byte
+	issuerPassword        []byte
+	x509CAService         cas.CertificateAuthorityService
+	rootX509Certs         []*x509.Certificate
+	rootX509CertPool      *x509.CertPool
+	federatedX509Certs    []*x509.Certificate
+	intermediateX509Certs []*x509.Certificate
+	certificates          *sync.Map
+	x509Enforcers         []provisioner.CertificateEnforcer

 	// SCEP CA
 	scepService *scep.Service
@ -80,8 +83,9 @@ type Authority struct {
 	authorizeRenewFunc    provisioner.AuthorizeRenewFunc
 	authorizeSSHRenewFunc provisioner.AuthorizeSSHRenewFunc

-	// Policy engines
-	policyEngine *policy.Engine
+	// Constraints and Policy engines
+	constraintsEngine *constraints.Engine
+	policyEngine      *policy.Engine

 	adminMutex sync.RWMutex

@ -373,6 +377,12 @@ func (a *Authority) init() error {
 			if err != nil {
 				return err
 			}
+			// If not defined with an option, add intermediates to the list of
+			// certificates used for name constraints validation at issuance
+			// time.
+			if len(a.intermediateX509Certs) == 0 {
+				a.intermediateX509Certs = append(a.intermediateX509Certs, options.CertificateChain...)
+			}
 		}
 		a.x509CAService, err = cas.New(ctx, options)
 		if err != nil {
@ -610,6 +620,21 @@ func (a *Authority) init() error {
 		return err
 	}

+	// Load X509 constraints engine.
+	//
+	// This is currently only available in CA mode.
+	if size := len(a.intermediateX509Certs); size > 0 {
+		last := a.intermediateX509Certs[size-1]
+		constraintCerts := make([]*x509.Certificate, 0, size+1)
+		constraintCerts = append(constraintCerts, a.intermediateX509Certs...)
+		for _, root := range a.rootX509Certs {
+			if bytes.Equal(last.RawIssuer, root.RawSubject) && bytes.Equal(last.AuthorityKeyId, root.SubjectKeyId) {
+				constraintCerts = append(constraintCerts, root)
+			}
+		}
+		a.constraintsEngine = constraints.New(constraintCerts...)
+	}
+
 	// Load x509 and SSH Policy Engines
 	if err := a.reloadPolicyEngines(ctx); err != nil {
 		return err
--- a/authority/internal/constraints/constraints.go
+++ b/authority/internal/constraints/constraints.go
@ -0,0 +1,135 @@
+package constraints
+
+import (
+	"crypto/x509"
+	"fmt"
+	"net"
+	"net/http"
+	"net/url"
+
+	"github.com/smallstep/certificates/errs"
+)
+
+// ConstraintError is the typed error that will be returned if a constraint
+// error is found.
+type ConstraintError struct {
+	Type   string
+	Name   string
+	Detail string
+}
+
+// Error implements the error interface.
+func (e ConstraintError) Error() string {
+	return e.Detail
+}
+
+// As implements the As(any) bool interface and allows to use "errors.As()" to
+// convert the ConstraintError to an errs.Error.
+func (e ConstraintError) As(v any) bool {
+	if err, ok := v.(**errs.Error); ok {
+		*err = &errs.Error{
+			Status: http.StatusForbidden,
+			Msg:    e.Detail,
+			Err:    e,
+		}
+		return true
+	}
+	return false
+}
+
+// Engine implements a constraint validator for DNS names, IP addresses, Email
+// addresses and URIs.
+type Engine struct {
+	hasNameConstraints      bool
+	permittedDNSDomains     []string
+	excludedDNSDomains      []string
+	permittedIPRanges       []*net.IPNet
+	excludedIPRanges        []*net.IPNet
+	permittedEmailAddresses []string
+	excludedEmailAddresses  []string
+	permittedURIDomains     []string
+	excludedURIDomains      []string
+}
+
+// New creates a constraint validation engine that contains the given chain of
+// certificates.
+func New(chain ...*x509.Certificate) *Engine {
+	e := new(Engine)
+	for _, crt := range chain {
+		e.permittedDNSDomains = append(e.permittedDNSDomains, crt.PermittedDNSDomains...)
+		e.excludedDNSDomains = append(e.excludedDNSDomains, crt.ExcludedDNSDomains...)
+		e.permittedIPRanges = append(e.permittedIPRanges, crt.PermittedIPRanges...)
+		e.excludedIPRanges = append(e.excludedIPRanges, crt.ExcludedIPRanges...)
+		e.permittedEmailAddresses = append(e.permittedEmailAddresses, crt.PermittedEmailAddresses...)
+		e.excludedEmailAddresses = append(e.excludedEmailAddresses, crt.ExcludedEmailAddresses...)
+		e.permittedURIDomains = append(e.permittedURIDomains, crt.PermittedURIDomains...)
+		e.excludedURIDomains = append(e.excludedURIDomains, crt.ExcludedURIDomains...)
+	}
+
+	e.hasNameConstraints = len(e.permittedDNSDomains) > 0 || len(e.excludedDNSDomains) > 0 ||
+		len(e.permittedIPRanges) > 0 || len(e.excludedIPRanges) > 0 ||
+		len(e.permittedEmailAddresses) > 0 || len(e.excludedEmailAddresses) > 0 ||
+		len(e.permittedURIDomains) > 0 || len(e.excludedURIDomains) > 0
+
+	return e
+}
+
+// Validate checks the given names with the name constraints defined in the
+// service.
+func (e *Engine) Validate(dnsNames []string, ipAddresses []net.IP, emailAddresses []string, uris []*url.URL) error {
+	if e == nil || !e.hasNameConstraints {
+		return nil
+	}
+
+	for _, name := range dnsNames {
+		if err := checkNameConstraints("DNS name", name, name, e.permittedDNSDomains, e.excludedDNSDomains,
+			func(parsedName, constraint any) (bool, error) {
+				return matchDomainConstraint(parsedName.(string), constraint.(string))
+			},
+		); err != nil {
+			return err
+		}
+	}
+
+	for _, ip := range ipAddresses {
+		if err := checkNameConstraints("IP address", ip.String(), ip, e.permittedIPRanges, e.excludedIPRanges,
+			func(parsedName, constraint any) (bool, error) {
+				return matchIPConstraint(parsedName.(net.IP), constraint.(*net.IPNet))
+			},
+		); err != nil {
+			return err
+		}
+	}
+
+	for _, email := range emailAddresses {
+		mailbox, ok := parseRFC2821Mailbox(email)
+		if !ok {
+			return fmt.Errorf("cannot parse rfc822Name %q", email)
+		}
+		if err := checkNameConstraints("Email address", email, mailbox, e.permittedEmailAddresses, e.excludedEmailAddresses,
+			func(parsedName, constraint any) (bool, error) {
+				return matchEmailConstraint(parsedName.(rfc2821Mailbox), constraint.(string))
+			},
+		); err != nil {
+			return err
+		}
+	}
+
+	for _, uri := range uris {
+		if err := checkNameConstraints("URI", uri.String(), uri, e.permittedURIDomains, e.excludedURIDomains,
+			func(parsedName, constraint any) (bool, error) {
+				return matchURIConstraint(parsedName.(*url.URL), constraint.(string))
+			},
+		); err != nil {
+			return err
+		}
+	}
+
+	return nil
+}
+
+// ValidateCertificate validates the DNS names, IP addresses, Email addresses
+// and URIs present in the given certificate.
+func (e *Engine) ValidateCertificate(cert *x509.Certificate) error {
+	return e.Validate(cert.DNSNames, cert.IPAddresses, cert.EmailAddresses, cert.URIs)
+}
--- a/authority/internal/constraints/constraints_test.go
+++ b/authority/internal/constraints/constraints_test.go
@ -0,0 +1,334 @@
+package constraints
+
+import (
+	"crypto/x509"
+	"net"
+	"net/url"
+	"reflect"
+	"testing"
+
+	"go.step.sm/crypto/minica"
+)
+
+func TestNew(t *testing.T) {
+	ca1, err := minica.New()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	ca2, err := minica.New(
+		minica.WithIntermediateTemplate(`{
+			"subject": {{ toJson .Subject }},
+			"keyUsage": ["certSign", "crlSign"],
+			"basicConstraints": {
+				"isCA": true,
+				"maxPathLen": 0
+			},
+			"nameConstraints": {
+				"critical": true,
+				"permittedDNSDomains": ["internal.example.org"],
+				"excludedDNSDomains": ["internal.example.com"],
+				"permittedIPRanges": ["192.168.1.0/24", "192.168.2.1/32"],
+				"excludedIPRanges": ["192.168.3.0/24", "192.168.4.0/28"],
+				"permittedEmailAddresses": ["root@example.org", "example.org", ".acme.org"],
+				"excludedEmailAddresses": ["root@example.com", "example.com", ".acme.com"],
+				"permittedURIDomains": ["host.example.org", ".acme.org"],
+				"excludedURIDomains": ["host.example.com", ".acme.com"]
+			}
+		}`),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	type args struct {
+		chain []*x509.Certificate
+	}
+	tests := []struct {
+		name string
+		args args
+		want *Engine
+	}{
+		{"ok", args{[]*x509.Certificate{ca1.Intermediate, ca1.Root}}, &Engine{
+			hasNameConstraints: false,
+		}},
+		{"ok with constraints", args{[]*x509.Certificate{ca2.Intermediate, ca2.Root}}, &Engine{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"internal.example.org"},
+			excludedDNSDomains:  []string{"internal.example.com"},
+			permittedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+			excludedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.4.0").To4(), Mask: net.IPMask{255, 255, 255, 240}},
+			},
+			permittedEmailAddresses: []string{"root@example.org", "example.org", ".acme.org"},
+			excludedEmailAddresses:  []string{"root@example.com", "example.com", ".acme.com"},
+			permittedURIDomains:     []string{"host.example.org", ".acme.org"},
+			excludedURIDomains:      []string{"host.example.com", ".acme.com"},
+		}},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			if got := New(tt.args.chain...); !reflect.DeepEqual(got, tt.want) {
+				t.Errorf("New() = %v, want %v", got, tt.want)
+			}
+		})
+	}
+}
+
+func TestNew_hasNameConstraints(t *testing.T) {
+	tests := []struct {
+		name string
+		fn   func(c *x509.Certificate)
+		want bool
+	}{
+		{"no constraints", func(c *x509.Certificate) {}, false},
+		{"permittedDNSDomains", func(c *x509.Certificate) { c.PermittedDNSDomains = []string{"constraint"} }, true},
+		{"excludedDNSDomains", func(c *x509.Certificate) { c.ExcludedDNSDomains = []string{"constraint"} }, true},
+		{"permittedIPRanges", func(c *x509.Certificate) {
+			c.PermittedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}}
+		}, true},
+		{"excludedIPRanges", func(c *x509.Certificate) {
+			c.ExcludedIPRanges = []*net.IPNet{{IP: net.ParseIP("192.168.3.0").To4(), Mask: net.IPMask{255, 255, 255, 0}}}
+		}, true},
+		{"permittedEmailAddresses", func(c *x509.Certificate) { c.PermittedEmailAddresses = []string{"constraint"} }, true},
+		{"excludedEmailAddresses", func(c *x509.Certificate) { c.ExcludedEmailAddresses = []string{"constraint"} }, true},
+		{"permittedURIDomains", func(c *x509.Certificate) { c.PermittedURIDomains = []string{"constraint"} }, true},
+		{"excludedURIDomains", func(c *x509.Certificate) { c.ExcludedURIDomains = []string{"constraint"} }, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			cert := &x509.Certificate{}
+			tt.fn(cert)
+			if e := New(cert); e.hasNameConstraints != tt.want {
+				t.Errorf("Engine.hasNameConstraints = %v, want %v", e.hasNameConstraints, tt.want)
+			}
+		})
+	}
+}
+
+func TestEngine_Validate(t *testing.T) {
+	type fields struct {
+		hasNameConstraints      bool
+		permittedDNSDomains     []string
+		excludedDNSDomains      []string
+		permittedIPRanges       []*net.IPNet
+		excludedIPRanges        []*net.IPNet
+		permittedEmailAddresses []string
+		excludedEmailAddresses  []string
+		permittedURIDomains     []string
+		excludedURIDomains      []string
+	}
+	type args struct {
+		dnsNames       []string
+		ipAddresses    []net.IP
+		emailAddresses []string
+		uris           []*url.URL
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr bool
+	}{
+		{"ok", fields{hasNameConstraints: false}, args{
+			dnsNames:       []string{"example.com", "host.example.com"},
+			ipAddresses:    []net.IP{{192, 168, 1, 1}, {0x26, 0x00, 0x1f, 0x1c, 0x47, 0x01, 0x9d, 0x00, 0xc3, 0xa7, 0x66, 0x94, 0x87, 0x0f, 0x20, 0x72}},
+			emailAddresses: []string{"root@example.com"},
+			uris:           []*url.URL{{Scheme: "https", Host: "example.com", Path: "/uuid/c6d1a755-0c12-431e-9136-b64cb3173ec7"}},
+		}, false},
+		{"ok permitted dns", fields{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"example.com"},
+		}, args{dnsNames: []string{"example.com", "www.example.com"}}, false},
+		{"ok not excluded dns", fields{
+			hasNameConstraints: true,
+			excludedDNSDomains: []string{"example.org"},
+		}, args{dnsNames: []string{"example.com", "www.example.com"}}, false},
+		{"ok permitted ip", fields{
+			hasNameConstraints: true,
+			permittedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+				{IP: net.ParseIP("2600:1700:22f8:2600:e559:bd88:350a:34d6"), Mask: net.IPMask{255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 1}, {0x26, 0x0, 0x17, 0x00, 0x1, 0x2, 0x3, 0x4, 0x5, 0x6, 0x7, 0x8, 0x9, 0xa, 0xb, 0xc}}}, false},
+		{"ok not excluded ip", fields{
+			hasNameConstraints: true,
+			excludedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0"), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 3, 1}}}, false},
+		{"ok permitted emails", fields{
+			hasNameConstraints:      true,
+			permittedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"root@example.com", "name@acme.org", "name@coyote.acme.com", `"(quoted)"@www.acme.com`}}, false},
+		{"ok not excluded emails", fields{
+			hasNameConstraints:     true,
+			excludedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"name@example.com", "root@acme.com", "root@other.com"}}, false},
+		{"ok permitted uris", fields{
+			hasNameConstraints:  true,
+			permittedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/path"}, {Scheme: "https", Host: "www.acme.com", Path: "/path"}}}, false},
+		{"ok not excluded uris", fields{
+			hasNameConstraints: true,
+			excludedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "example.org", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, false},
+		{"fail permitted dns", fields{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"example.com"},
+		}, args{dnsNames: []string{"www.example.com", "www.example.org"}}, true},
+		{"fail not excluded dns", fields{
+			hasNameConstraints: true,
+			excludedDNSDomains: []string{"example.org"},
+		}, args{dnsNames: []string{"example.com", "www.example.org"}}, true},
+		{"fail permitted ip", fields{
+			hasNameConstraints: true,
+			permittedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 1, 10}, {192, 168, 2, 10}}}, true},
+		{"fail not excluded ip", fields{
+			hasNameConstraints: true,
+			excludedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("192.168.1.0").To4(), Mask: net.IPMask{255, 255, 255, 0}},
+				{IP: net.ParseIP("192.168.2.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+			},
+		}, args{ipAddresses: []net.IP{{192, 168, 2, 2}, {192, 168, 1, 1}}}, true},
+		{"fail permitted emails", fields{
+			hasNameConstraints:      true,
+			permittedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"root@example.com", "name@acme.org", "name@acme.com"}}, true},
+		{"fail not excluded emails", fields{
+			hasNameConstraints:     true,
+			excludedEmailAddresses: []string{"root@example.com", "acme.org", ".acme.com"},
+		}, args{emailAddresses: []string{"name@example.com", "root@example.com"}}, true},
+		{"fail permitted uris", fields{
+			hasNameConstraints:  true,
+			permittedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "example.com", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, true},
+		{"fail not excluded uris", fields{
+			hasNameConstraints: true,
+			excludedURIDomains: []string{"example.com", ".acme.com"},
+		}, args{uris: []*url.URL{{Scheme: "https", Host: "www.example.com", Path: "/path"}, {Scheme: "https", Host: "acme.com", Path: "/path"}}}, true},
+		{"fail parse emails", fields{
+			hasNameConstraints:      true,
+			permittedEmailAddresses: []string{"example.com"},
+		}, args{emailAddresses: []string{`(notquoted)@example.com`}}, true},
+		{"fail match dns", fields{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"example.com"},
+		}, args{dnsNames: []string{`www.example.com.`}}, true},
+		{"fail match email", fields{
+			hasNameConstraints:     true,
+			excludedEmailAddresses: []string{`(notquoted)@example.com`},
+		}, args{emailAddresses: []string{`ok@example.com`}}, true},
+		{"fail match uri", fields{
+			hasNameConstraints:  true,
+			permittedURIDomains: []string{"example.com"},
+		}, args{uris: []*url.URL{{Scheme: "urn", Opaque: "uuid:36efb1ae-6617-4b23-b799-874a37aaea1c"}}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			e := &Engine{
+				hasNameConstraints:      tt.fields.hasNameConstraints,
+				permittedDNSDomains:     tt.fields.permittedDNSDomains,
+				excludedDNSDomains:      tt.fields.excludedDNSDomains,
+				permittedIPRanges:       tt.fields.permittedIPRanges,
+				excludedIPRanges:        tt.fields.excludedIPRanges,
+				permittedEmailAddresses: tt.fields.permittedEmailAddresses,
+				excludedEmailAddresses:  tt.fields.excludedEmailAddresses,
+				permittedURIDomains:     tt.fields.permittedURIDomains,
+				excludedURIDomains:      tt.fields.excludedURIDomains,
+			}
+			if err := e.Validate(tt.args.dnsNames, tt.args.ipAddresses, tt.args.emailAddresses, tt.args.uris); (err != nil) != tt.wantErr {
+				t.Errorf("service.Validate() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
+
+func TestEngine_Validate_nil(t *testing.T) {
+	var e *Engine
+	if err := e.Validate([]string{"www.example.com"}, nil, nil, nil); err != nil {
+		t.Errorf("service.Validate() error = %v, wantErr false", err)
+	}
+}
+
+func TestEngine_ValidateCertificate(t *testing.T) {
+	type fields struct {
+		hasNameConstraints      bool
+		permittedDNSDomains     []string
+		excludedDNSDomains      []string
+		permittedIPRanges       []*net.IPNet
+		excludedIPRanges        []*net.IPNet
+		permittedEmailAddresses []string
+		excludedEmailAddresses  []string
+		permittedURIDomains     []string
+		excludedURIDomains      []string
+	}
+	type args struct {
+		cert *x509.Certificate
+	}
+	tests := []struct {
+		name    string
+		fields  fields
+		args    args
+		wantErr bool
+	}{
+		{"ok", fields{hasNameConstraints: false}, args{&x509.Certificate{
+			DNSNames:       []string{"example.com"},
+			IPAddresses:    []net.IP{{127, 0, 0, 1}},
+			EmailAddresses: []string{"info@example.com"},
+			URIs:           []*url.URL{{Scheme: "https", Host: "uuid.example.com", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}},
+		}}, false},
+		{"ok with constraints", fields{
+			hasNameConstraints:  true,
+			permittedDNSDomains: []string{"example.com"},
+			permittedIPRanges: []*net.IPNet{
+				{IP: net.ParseIP("127.0.0.1").To4(), Mask: net.IPMask{255, 255, 255, 255}},
+				{IP: net.ParseIP("10.3.0.0").To4(), Mask: net.IPMask{255, 255, 0, 0}},
+			},
+			permittedEmailAddresses: []string{"example.com"},
+			permittedURIDomains:     []string{".example.com"},
+		}, args{&x509.Certificate{
+			DNSNames:       []string{"www.example.com"},
+			IPAddresses:    []net.IP{{127, 0, 0, 1}, {10, 3, 1, 1}},
+			EmailAddresses: []string{"info@example.com"},
+			URIs:           []*url.URL{{Scheme: "https", Host: "uuid.example.com", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}},
+		}}, false},
+		{"fail", fields{
+			hasNameConstraints:  true,
+			permittedURIDomains: []string{".example.com"},
+		}, args{&x509.Certificate{
+			DNSNames:       []string{"example.com"},
+			IPAddresses:    []net.IP{{127, 0, 0, 1}},
+			EmailAddresses: []string{"info@example.com"},
+			URIs:           []*url.URL{{Scheme: "https", Host: "uuid.example.org", Path: "/dc4c76b5-5262-4551-a881-48094a604d63"}},
+		}}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			e := &Engine{
+				hasNameConstraints:      tt.fields.hasNameConstraints,
+				permittedDNSDomains:     tt.fields.permittedDNSDomains,
+				excludedDNSDomains:      tt.fields.excludedDNSDomains,
+				permittedIPRanges:       tt.fields.permittedIPRanges,
+				excludedIPRanges:        tt.fields.excludedIPRanges,
+				permittedEmailAddresses: tt.fields.permittedEmailAddresses,
+				excludedEmailAddresses:  tt.fields.excludedEmailAddresses,
+				permittedURIDomains:     tt.fields.permittedURIDomains,
+				excludedURIDomains:      tt.fields.excludedURIDomains,
+			}
+			if err := e.ValidateCertificate(tt.args.cert); (err != nil) != tt.wantErr {
+				t.Errorf("Engine.ValidateCertificate() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/authority/internal/constraints/verify.go
+++ b/authority/internal/constraints/verify.go
@ -0,0 +1,383 @@
+// Copyright (c) 2009 The Go Authors. All rights reserved.
+//
+// Redistribution and use in source and binary forms, with or without
+// modification, are permitted provided that the following conditions are
+// met:
+//
+//    * Redistributions of source code must retain the above copyright
+// notice, this list of conditions and the following disclaimer.
+//    * Redistributions in binary form must reproduce the above
+// copyright notice, this list of conditions and the following disclaimer
+// in the documentation and/or other materials provided with the
+// distribution.
+//    * Neither the name of Google Inc. nor the names of its
+// contributors may be used to endorse or promote products derived from
+// this software without specific prior written permission.
+//
+// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
+// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
+// OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
+// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
+// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+package constraints
+
+import (
+	"bytes"
+	"fmt"
+	"net"
+	"net/url"
+	"reflect"
+	"strings"
+)
+
+func checkNameConstraints(nameType, name string, parsedName, permitted, excluded any, match func(name, constraint any) (bool, error)) error {
+	excludedValue := reflect.ValueOf(excluded)
+	for i := 0; i < excludedValue.Len(); i++ {
+		constraint := excludedValue.Index(i).Interface()
+		match, err := match(parsedName, constraint)
+		if err != nil {
+			return ConstraintError{
+				Type:   nameType,
+				Name:   name,
+				Detail: err.Error(),
+			}
+		}
+
+		if match {
+			return ConstraintError{
+				Type:   nameType,
+				Name:   name,
+				Detail: fmt.Sprintf("%s %q is excluded by constraint %q", nameType, name, constraint),
+			}
+		}
+	}
+
+	var (
+		err error
+		ok  = true
+	)
+
+	permittedValue := reflect.ValueOf(permitted)
+	for i := 0; i < permittedValue.Len(); i++ {
+		constraint := permittedValue.Index(i).Interface()
+		if ok, err = match(parsedName, constraint); err != nil {
+			return ConstraintError{
+				Type:   nameType,
+				Name:   name,
+				Detail: err.Error(),
+			}
+		}
+		if ok {
+			break
+		}
+	}
+	if !ok {
+		return ConstraintError{
+			Type:   nameType,
+			Name:   name,
+			Detail: fmt.Sprintf("%s %q is not permitted by any constraint", nameType, name),
+		}
+	}
+
+	return nil
+}
+
+func matchDomainConstraint(domain, constraint string) (bool, error) {
+	// The meaning of zero length constraints is not specified, but this
+	// code follows NSS and accepts them as matching everything.
+	if constraint == "" {
+		return true, nil
+	}
+
+	domainLabels, ok := domainToReverseLabels(domain)
+	if !ok {
+		return false, fmt.Errorf("internal error: cannot parse domain %q", domain)
+	}
+
+	// RFC 5280 says that a leading period in a domain name means that at least
+	// one label must be prepended, but only for URI and email constraints, not
+	// DNS constraints. The code also supports that behavior for DNS
+	// constraints.
+
+	mustHaveSubdomains := false
+	if constraint[0] == '.' {
+		mustHaveSubdomains = true
+		constraint = constraint[1:]
+	}
+
+	constraintLabels, ok := domainToReverseLabels(constraint)
+	if !ok {
+		return false, fmt.Errorf("internal error: cannot parse domain %q", constraint)
+	}
+
+	if len(domainLabels) < len(constraintLabels) ||
+		(mustHaveSubdomains && len(domainLabels) == len(constraintLabels)) {
+		return false, nil
+	}
+
+	for i, constraintLabel := range constraintLabels {
+		if !strings.EqualFold(constraintLabel, domainLabels[i]) {
+			return false, nil
+		}
+	}
+
+	return true, nil
+}
+
+func normalizeIP(ip net.IP) net.IP {
+	if ip4 := ip.To4(); ip4 != nil {
+		return ip4
+	}
+	return ip
+}
+
+func matchIPConstraint(ip net.IP, constraint *net.IPNet) (bool, error) {
+	ip = normalizeIP(ip)
+	constraintIP := normalizeIP(constraint.IP)
+	if len(ip) != len(constraintIP) {
+		return false, nil
+	}
+
+	for i := range ip {
+		if mask := constraint.Mask[i]; ip[i]&mask != constraintIP[i]&mask {
+			return false, nil
+		}
+	}
+
+	return true, nil
+}
+
+func matchEmailConstraint(mailbox rfc2821Mailbox, constraint string) (bool, error) {
+	// If the constraint contains an @, then it specifies an exact mailbox
+	// name.
+	if strings.Contains(constraint, "@") {
+		constraintMailbox, ok := parseRFC2821Mailbox(constraint)
+		if !ok {
+			return false, fmt.Errorf("internal error: cannot parse constraint %q", constraint)
+		}
+		return mailbox.local == constraintMailbox.local && strings.EqualFold(mailbox.domain, constraintMailbox.domain), nil
+	}
+
+	// Otherwise the constraint is like a DNS constraint of the domain part
+	// of the mailbox.
+	return matchDomainConstraint(mailbox.domain, constraint)
+}
+
+func matchURIConstraint(uri *url.URL, constraint string) (bool, error) {
+	// From RFC 5280, Section 4.2.1.10:
+	// “a uniformResourceIdentifier that does not include an authority
+	// component with a host name specified as a fully qualified domain
+	// name (e.g., if the URI either does not include an authority
+	// component or includes an authority component in which the host name
+	// is specified as an IP address), then the application MUST reject the
+	// certificate.”
+
+	host := uri.Host
+	if host == "" {
+		return false, fmt.Errorf("URI with empty host (%q) cannot be matched against constraints", uri.String())
+	}
+
+	if strings.Contains(host, ":") && !strings.HasSuffix(host, "]") {
+		var err error
+		host, _, err = net.SplitHostPort(uri.Host)
+		if err != nil {
+			return false, err
+		}
+	}
+
+	if strings.HasPrefix(host, "[") && strings.HasSuffix(host, "]") ||
+		net.ParseIP(host) != nil {
+		return false, fmt.Errorf("URI with IP (%q) cannot be matched against constraints", uri.String())
+	}
+
+	return matchDomainConstraint(host, constraint)
+}
+
+// domainToReverseLabels converts a textual domain name like foo.example.com to
+// the list of labels in reverse order, e.g. ["com", "example", "foo"].
+func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
+	for len(domain) > 0 {
+		if i := strings.LastIndexByte(domain, '.'); i == -1 {
+			reverseLabels = append(reverseLabels, domain)
+			domain = ""
+		} else {
+			reverseLabels = append(reverseLabels, domain[i+1:])
+			domain = domain[:i]
+		}
+	}
+
+	if len(reverseLabels) > 0 && reverseLabels[0] == "" {
+		// An empty label at the end indicates an absolute value.
+		return nil, false
+	}
+
+	for _, label := range reverseLabels {
+		if label == "" {
+			// Empty labels are otherwise invalid.
+			return nil, false
+		}
+
+		for _, c := range label {
+			if c < 33 || c > 126 {
+				// Invalid character.
+				return nil, false
+			}
+		}
+	}
+
+	return reverseLabels, true
+}
+
+// rfc2821Mailbox represents a “mailbox” (which is an email address to most
+// people) by breaking it into the “local” (i.e. before the '@') and “domain”
+// parts.
+type rfc2821Mailbox struct {
+	local, domain string
+}
+
+// parseRFC2821Mailbox parses an email address into local and domain parts,
+// based on the ABNF for a “Mailbox” from RFC 2821. According to RFC 5280,
+// Section 4.2.1.6 that's correct for an rfc822Name from a certificate: “The
+// format of an rfc822Name is a "Mailbox" as defined in RFC 2821, Section 4.1.2”.
+func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
+	if in == "" {
+		return mailbox, false
+	}
+
+	localPartBytes := make([]byte, 0, len(in)/2)
+
+	if in[0] == '"' {
+		// Quoted-string = DQUOTE *qcontent DQUOTE
+		// non-whitespace-control = %d1-8 / %d11 / %d12 / %d14-31 / %d127
+		// qcontent = qtext / quoted-pair
+		// qtext = non-whitespace-control /
+		//         %d33 / %d35-91 / %d93-126
+		// quoted-pair = ("\" text) / obs-qp
+		// text = %d1-9 / %d11 / %d12 / %d14-127 / obs-text
+		//
+		// (Names beginning with “obs-” are the obsolete syntax from RFC 2822,
+		// Section 4. Since it has been 16 years, we no longer accept that.)
+		in = in[1:]
+	QuotedString:
+		for {
+			if in == "" {
+				return mailbox, false
+			}
+			c := in[0]
+			in = in[1:]
+
+			switch {
+			case c == '"':
+				break QuotedString
+
+			case c == '\\':
+				// quoted-pair
+				if in == "" {
+					return mailbox, false
+				}
+				if in[0] == 11 ||
+					in[0] == 12 ||
+					(1 <= in[0] && in[0] <= 9) ||
+					(14 <= in[0] && in[0] <= 127) {
+					localPartBytes = append(localPartBytes, in[0])
+					in = in[1:]
+				} else {
+					return mailbox, false
+				}
+
+			case c == 11 ||
+				c == 12 ||
+				// Space (char 32) is not allowed based on the
+				// BNF, but RFC 3696 gives an example that
+				// assumes that it is. Several “verified”
+				// errata continue to argue about this point.
+				// We choose to accept it.
+				c == 32 ||
+				c == 33 ||
+				c == 127 ||
+				(1 <= c && c <= 8) ||
+				(14 <= c && c <= 31) ||
+				(35 <= c && c <= 91) ||
+				(93 <= c && c <= 126):
+				// qtext
+				localPartBytes = append(localPartBytes, c)
+
+			default:
+				return mailbox, false
+			}
+		}
+	} else {
+		// Atom ("." Atom)*
+	NextChar:
+		for len(in) > 0 {
+			// atext from RFC 2822, Section 3.2.4
+			c := in[0]
+
+			switch {
+			case c == '\\':
+				// Examples given in RFC 3696 suggest that
+				// escaped characters can appear outside of a
+				// quoted string. Several “verified” errata
+				// continue to argue the point. We choose to
+				// accept it.
+				in = in[1:]
+				if in == "" {
+					return mailbox, false
+				}
+				fallthrough
+
+			case ('0' <= c && c <= '9') ||
+				('a' <= c && c <= 'z') ||
+				('A' <= c && c <= 'Z') ||
+				c == '!' || c == '#' || c == '$' || c == '%' ||
+				c == '&' || c == '\'' || c == '*' || c == '+' ||
+				c == '-' || c == '/' || c == '=' || c == '?' ||
+				c == '^' || c == '_' || c == '`' || c == '{' ||
+				c == '|' || c == '}' || c == '~' || c == '.':
+				localPartBytes = append(localPartBytes, in[0])
+				in = in[1:]
+
+			default:
+				break NextChar
+			}
+		}
+
+		if len(localPartBytes) == 0 {
+			return mailbox, false
+		}
+
+		// From RFC 3696, Section 3:
+		// “period (".") may also appear, but may not be used to start
+		// or end the local part, nor may two or more consecutive
+		// periods appear.”
+		twoDots := []byte{'.', '.'}
+		if localPartBytes[0] == '.' ||
+			localPartBytes[len(localPartBytes)-1] == '.' ||
+			bytes.Contains(localPartBytes, twoDots) {
+			return mailbox, false
+		}
+	}
+
+	if in == "" || in[0] != '@' {
+		return mailbox, false
+	}
+	in = in[1:]
+
+	// The RFC species a format for domains, but that's known to be
+	// violated in practice so we accept that anything after an '@' is the
+	// domain part.
+	if _, ok := domainToReverseLabels(in); !ok {
+		return mailbox, false
+	}
+
+	mailbox.local = string(localPartBytes)
+	mailbox.domain = in
+	return mailbox, true
+}
--- a/authority/options.go
+++ b/authority/options.go
@ -151,16 +151,23 @@ func WithKeyManager(k kms.KeyManager) Option {

 // WithX509Signer defines the signer used to sign X509 certificates.
 func WithX509Signer(crt *x509.Certificate, s crypto.Signer) Option {
+	return WithX509SignerChain([]*x509.Certificate{crt}, s)
+}
+
+// WithX509SignerChain defines the signer used to sign X509 certificates. This
+// option is similar to WithX509Signer but it supports a chain of intermediates.
+func WithX509SignerChain(issuerChain []*x509.Certificate, s crypto.Signer) Option {
 	return func(a *Authority) error {
 		srv, err := cas.New(context.Background(), casapi.Options{
 			Type:             casapi.SoftCAS,
 			Signer:           s,
-			CertificateChain: []*x509.Certificate{crt},
+			CertificateChain: issuerChain,
 		})
 		if err != nil {
 			return err
 		}
 		a.x509CAService = srv
+		a.intermediateX509Certs = append(a.intermediateX509Certs, issuerChain...)
 		return nil
 	}
 }
@ -233,6 +240,25 @@ func WithX509FederatedCerts(certs ...*x509.Certificate) Option {
 	}
 }

+// WithX509IntermediateCerts is an option that allows to define the list of
+// intermediate certificates that the CA will be using. This option will replace
+// any intermediate certificate defined before.
+//
+// Note that these certificates will not be bundled with the certificates signed
+// by the CA, because the CAS service will take care of that. They should match,
+// but that's not guaranteed. These certificates will be mainly used for name
+// constraint validation before a certificate is issued.
+//
+// This option should only be used on specific configurations, for example when
+// WithX509SignerFunc is used, as we don't know the list of intermediates in
+// advance.
+func WithX509IntermediateCerts(intermediateCerts ...*x509.Certificate) Option {
+	return func(a *Authority) error {
+		a.intermediateX509Certs = intermediateCerts
+		return nil
+	}
+}
+
 // WithX509RootBundle is an option that allows to define the list of root
 // certificates. This option will replace any root certificate defined before.
 func WithX509RootBundle(pemCerts []byte) Option {
--- a/authority/ssh.go
+++ b/authority/ssh.go
@ -6,7 +6,6 @@ import (
 	"crypto/x509"
 	"encoding/binary"
 	"errors"
-	"fmt"
 	"net/http"
 	"strings"
 	"time"
@ -20,7 +19,6 @@ import (
 	"github.com/smallstep/certificates/authority/provisioner"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	policy "github.com/smallstep/certificates/policy"
 	"github.com/smallstep/certificates/templates"
 )

@ -255,15 +253,9 @@ func (a *Authority) SignSSH(ctx context.Context, key ssh.PublicKey, opts provisi

 	// Check if authority is allowed to sign the certificate
 	if err := a.isAllowedToSignSSHCertificate(certTpl); err != nil {
-		var pe *policy.NamePolicyError
-		if errors.As(err, &pe) && pe.Reason == policy.NotAllowed {
-			return nil, &errs.Error{
-				// NOTE: custom forbidden error, so that denied name is sent to client
-				// as well as shown in the logs.
-				Status: http.StatusForbidden,
-				Err:    fmt.Errorf("authority not allowed to sign: %w", err),
-				Msg:    fmt.Sprintf("The request was forbidden by the certificate authority: %s", err.Error()),
-			}
+		var ee *errs.Error
+		if errors.As(err, &ee) {
+			return nil, ee
 		}
 		return nil, errs.InternalServerErr(err,
 			errs.WithMessage("authority.SignSSH: error creating ssh certificate"),
--- a/authority/tls.go
+++ b/authority/tls.go
@ -28,7 +28,6 @@ import (
 	casapi "github.com/smallstep/certificates/cas/apiv1"
 	"github.com/smallstep/certificates/db"
 	"github.com/smallstep/certificates/errs"
-	"github.com/smallstep/certificates/policy"
 )

 // GetTLSOptions returns the tls options configured.
@ -213,15 +212,9 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign

 	// Check if authority is allowed to sign the certificate
 	if err := a.isAllowedToSignX509Certificate(leaf); err != nil {
-		var pe *policy.NamePolicyError
-		if errors.As(err, &pe) && pe.Reason == policy.NotAllowed {
-			return nil, errs.ApplyOptions(&errs.Error{
-				// NOTE: custom forbidden error, so that denied name is sent to client
-				// as well as shown in the logs.
-				Status: http.StatusForbidden,
-				Err:    fmt.Errorf("authority not allowed to sign: %w", err),
-				Msg:    fmt.Sprintf("The request was forbidden by the certificate authority: %s", err.Error()),
-			}, opts...)
+		var ee *errs.Error
+		if errors.As(err, &ee) {
+			return nil, errs.ApplyOptions(ee, opts...)
 		}
 		return nil, errs.InternalServerErr(err,
 			errs.WithKeyVal("csr", csr),
@ -257,6 +250,9 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 // isAllowedToSignX509Certificate checks if the Authority is allowed
 // to sign the X.509 certificate.
 func (a *Authority) isAllowedToSignX509Certificate(cert *x509.Certificate) error {
+	if err := a.constraintsEngine.ValidateCertificate(cert); err != nil {
+		return err
+	}
 	return a.policyEngine.IsX509CertificateAllowed(cert)
 }

@ -352,6 +348,22 @@ func (a *Authority) Rekey(oldCert *x509.Certificate, pk crypto.PublicKey) ([]*x5
 		newCert.ExtraExtensions = append(newCert.ExtraExtensions, ext)
 	}

+	// Check if the certificate is allowed to be renewed, name constraints might
+	// change over time.
+	//
+	// TODO(hslatman,maraino): consider adding policies too and consider if
+	// RenewSSH should check policies.
+	if err := a.constraintsEngine.ValidateCertificate(newCert); err != nil {
+		var ee *errs.Error
+		if errors.As(err, &ee) {
+			return nil, errs.ApplyOptions(ee, opts...)
+		}
+		return nil, errs.InternalServerErr(err,
+			errs.WithKeyVal("serialNumber", oldCert.SerialNumber.String()),
+			errs.WithMessage("error renewing certificate"),
+		)
+	}
+
 	resp, err := a.x509CAService.RenewCertificate(&casapi.RenewCertificateRequest{
 		Template: newCert,
 		Lifetime: lifetime,
@ -621,6 +633,18 @@ func (a *Authority) GetTLSCertificate() (*tls.Certificate, error) {
 	certTpl.NotBefore = now.Add(-1 * time.Minute)
 	certTpl.NotAfter = now.Add(24 * time.Hour)

+	// Policy and constraints require this fields to be set. At this moment they
+	// are only present in the extra extension.
+	certTpl.DNSNames = cr.DNSNames
+	certTpl.IPAddresses = cr.IPAddresses
+	certTpl.EmailAddresses = cr.EmailAddresses
+	certTpl.URIs = cr.URIs
+
+	// Fail if name constraints do not allow the server names.
+	if err := a.constraintsEngine.ValidateCertificate(certTpl); err != nil {
+		return fatal(err)
+	}
+
 	resp, err := a.x509CAService.CreateCertificate(&casapi.CreateCertificateRequest{
 		Template:       certTpl,
 		CSR:            cr,
--- a/authority/tls_test.go
+++ b/authority/tls_test.go
@ -22,6 +22,7 @@ import (

 	"go.step.sm/crypto/jose"
 	"go.step.sm/crypto/keyutil"
+	"go.step.sm/crypto/minica"
 	"go.step.sm/crypto/pemutil"
 	"go.step.sm/crypto/x509util"

@ -542,7 +543,7 @@ ZYtQ9Ot36qc=
 				notBefore:       signOpts.NotBefore.Time().Truncate(time.Second),
 				notAfter:        signOpts.NotAfter.Time().Truncate(time.Second),
 				extensionsCount: 6,
-				err:             errors.New("authority not allowed to sign"),
+				err:             errors.New("dns name \"test.smallstep.com\" not allowed"),
 				code:            http.StatusForbidden,
 			}
 		},
@ -1589,3 +1590,86 @@ func TestAuthority_Revoke(t *testing.T) {
 		})
 	}
 }
+
+func TestAuthority_constraints(t *testing.T) {
+	ca, err := minica.New(
+		minica.WithIntermediateTemplate(`{
+				"subject": {{ toJson .Subject }},
+				"keyUsage": ["certSign", "crlSign"],
+				"basicConstraints": {
+					"isCA": true,
+					"maxPathLen": 0
+				},
+				"nameConstraints": {
+					"critical": true,
+					"permittedDNSDomains": ["internal.example.org"],
+					"excludedDNSDomains": ["internal.example.com"],
+					"permittedIPRanges": ["192.168.1.0/24", "192.168.2.1/32"],
+					"excludedIPRanges": ["192.168.3.0/24", "192.168.4.0/28"],
+					"permittedEmailAddresses": ["root@example.org", "example.org", ".acme.org"],
+					"excludedEmailAddresses": ["root@example.com", "example.com", ".acme.com"],
+					"permittedURIDomains": ["uuid.example.org", ".acme.org"],
+					"excludedURIDomains": ["uuid.example.com", ".acme.com"]
+				}
+			}`),
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	auth, err := NewEmbedded(WithX509RootCerts(ca.Root), WithX509Signer(ca.Intermediate, ca.Signer))
+	if err != nil {
+		t.Fatal(err)
+	}
+	signer, err := keyutil.GenerateDefaultSigner()
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	tests := []struct {
+		name    string
+		sans    []string
+		wantErr bool
+	}{
+		{"ok dns", []string{"internal.example.org", "host.internal.example.org"}, false},
+		{"ok ip", []string{"192.168.1.10", "192.168.2.1"}, false},
+		{"ok email", []string{"root@example.org", "info@example.org", "info@www.acme.org"}, false},
+		{"ok uri", []string{"https://uuid.example.org/b908d973-5167-4a62-abe3-6beda358d82a", "https://uuid.acme.org/1724aae1-1bb3-44fb-83c3-9a1a18df67c8"}, false},
+		{"fail permitted dns", []string{"internal.acme.org"}, true},
+		{"fail excluded dns", []string{"internal.example.com"}, true},
+		{"fail permitted ips", []string{"192.168.2.10"}, true},
+		{"fail excluded ips", []string{"192.168.3.1"}, true},
+		{"fail permitted emails", []string{"root@acme.org"}, true},
+		{"fail excluded emails", []string{"root@example.com"}, true},
+		{"fail permitted uris", []string{"https://acme.org/uuid/7848819c-9d0b-4e12-bbff-cd66079a3444"}, true},
+		{"fail excluded uris", []string{"https://uuid.example.com/d325eda7-6356-4d60-b8f6-3d64724afeb3"}, true},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			csr, err := x509util.CreateCertificateRequest(tt.sans[0], tt.sans, signer)
+			if err != nil {
+				t.Fatal(err)
+			}
+			cert, err := ca.SignCSR(csr)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			data := x509util.CreateTemplateData(tt.sans[0], tt.sans)
+			templateOption, err := provisioner.TemplateOptions(nil, data)
+			if err != nil {
+				t.Fatal(err)
+			}
+
+			_, err = auth.Sign(csr, provisioner.SignOptions{}, templateOption)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Authority.Sign() error = %v, wantErr %v", err, tt.wantErr)
+			}
+
+			_, err = auth.Renew(cert)
+			if (err != nil) != tt.wantErr {
+				t.Errorf("Authority.Renew() error = %v, wantErr %v", err, tt.wantErr)
+			}
+		})
+	}
+}
--- a/policy/engine.go
+++ b/policy/engine.go
@ -4,11 +4,13 @@ import (
 	"crypto/x509"
 	"fmt"
 	"net"
+	"net/http"
 	"net/url"

+	"go.step.sm/crypto/x509util"
 	"golang.org/x/crypto/ssh"

-	"go.step.sm/crypto/x509util"
+	"github.com/smallstep/certificates/errs"
 )

 type NamePolicyReason int
@ -62,6 +64,22 @@ func (e *NamePolicyError) Error() string {
 	}
 }

+// As implements the As(any) bool interface and allows to use "errors.As()" to
+// convert a NotAllowed NamePolicyError to an errs.Error.
+func (e *NamePolicyError) As(v any) bool {
+	if e.Reason == NotAllowed {
+		if err, ok := v.(**errs.Error); ok {
+			*err = &errs.Error{
+				Status: http.StatusForbidden,
+				Msg:    fmt.Sprintf("The request was forbidden by the certificate authority: %s", e.Error()),
+				Err:    e,
+			}
+			return true
+		}
+	}
+	return false
+}
+
 func (e *NamePolicyError) Detail() string {
 	return e.detail
 }