[release-branch.go1.26] crypto/x509: fix name constraint checking panic
Apparently we allow empty dNSName SANs (e.g. a domain name of ""), which
causes the excluded domain name wildcard checking to panic, because we
assume names are always non-empty. RFC 5280 appears to say the empty
string should not be accepted, although confusingly refers to this as
" " (a single space). We should probably not allow that when creating
certificates, and possibly when creating them as well (1.27 I guess).
Thanks to Jakub Ciolek for reporting this issue.
Updates #77953
Fixes #77974
Fixes CVE-2026-27138
Change-Id: I4fb213a5450470969a7436cba09b71fd1755a6af
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3420 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3621 Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752083 Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: Cherry Mui <cherryyz@google.com>