]> Cypherpunks repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 14d0bb3)
[release-branch.go1.24] crypto/x509: fix single label excluded name constraints handling
authorRoland Shoemaker <roland@golang.org>
Tue, 27 Jan 2026 00:11:44 +0000 (16:11 -0800)
committerGopher Robot <gobot@golang.org>
Wed, 28 Jan 2026 21:37:59 +0000 (13:37 -0800)
Only strip labels when both the domain and constraint have more than one
label.

Fixes #76935
Fixes #77322

Change-Id: I1144c9f03cbfc3b858af153a839b193bb934618d
Reviewed-on: https://go-review.googlesource.com/c/go/+/739420
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
src/crypto/x509/name_constraints_test.go patch | blob | history
src/crypto/x509/verify.go patch | blob | history

diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
index bc91b28401fce530b426f1141588e99b822078ea..1f5065026783d97854b384adce50b44e5e18561c 100644 (file)
--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@@ -1658,6 +1658,22 @@ var nameConstraintsTests = []nameConstraintsTest{
                },
                expectedError: "\"*.example.com\" is not permitted",
        },
+       // #89: a TLD constraint doesn't exclude unrelated wildcards
+       {
+               roots: []constraintsSpec{
+                       {
+                               bad: []string{"dns:tld"},
+                       },
+               },
+               intermediates: [][]constraintsSpec{
+                       {
+                               {},
+                       },
+               },
+               leaf: leafSpec{
+                       sans: []string{"dns:*.example.com"},
+               },
+       },
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 3de9f93b2c4b16279a50874c926ccc09ec81b886..076e82666a402d20037d97533b11d2daafed8815 100644 (file)
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -546,7 +546,7 @@ func matchDomainConstraint(domain, constraint string, excluded bool, reversedDom
                return false, nil
        }
 
-       if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 0 {
+       if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 1 {
                domainLabels = domainLabels[:len(domainLabels)-1]
                constraintLabels = constraintLabels[:len(constraintLabels)-1]
        }
Go GOST TLS 1.3