[release-branch.go1.26] crypto/x509: fix name constraint checking panic
authorRoland Shoemaker <bracewell@google.com>
Wed, 11 Feb 2026 22:49:13 +0000 (14:49 -0800)
committerGopher Robot <gobot@golang.org>
Fri, 6 Mar 2026 00:12:58 +0000 (16:12 -0800)
Apparently we allow empty dNSName SANs (e.g. a domain name of ""), which
causes the excluded domain name wildcard checking to panic, because we
assume names are always non-empty. RFC 5280 appears to say the empty
string should not be accepted, although it confusingly refers to this as
" " (a single space). We should probably not allow that when creating
certificates, and possibly when creating them as well (1.27 I guess).

Thanks to Jakub Ciolek for reporting this issue.

Updates #77953
Fixes #77974
Fixes CVE-2026-27138

Change-Id: I4fb213a5450470969a7436cba09b71fd1755a6af
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3420
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3621
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752083
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
src/crypto/x509/constraints.go
src/crypto/x509/name_constraints_test.go

index 3c260a9b96fc3d92ac233aa49babf354ee45896a..83bfbcb2ef2e7fd640e7f995d7dc5d042cb4c309 100644 (file)
@@ -375,7 +375,7 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
                return constraint, true
        }
 
-       if !dnc.permitted && s[0] == '*' {
+       if !dnc.permitted && len(s) > 0 && s[0] == '*' {
                trimmed := trimFirstLabel(s)
                if constraint, found := dnc.parentConstraints[trimmed]; found {
                        return constraint, true
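Review bot: The added `len(s) > 0` guard on the changed line carries no comment explaining why an empty name can reach this point, so a later reader is likely to treat it as redundant and remove it; suggest `// s may be empty: an empty dNSName SAN is accepted at parse time (CVE-2026-27138), so check the length before indexing s[0].` The guard is local to the excluded-wildcard branch; whether any other path in this file indexes a SAN string without a length check is not visible from the hunk, so that is worth a quick audit rather than an assumption. The enclosing `query` method begins before and continues after the hunk.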
index b325c8edb9c52cfbc116f52e3cebff4a216d65db..3e205e5caf44e964d2aa3534422755672aab9927 100644 (file)
@@ -1645,6 +1645,17 @@ var nameConstraintsTests = []nameConstraintsTest{
                        sans: []string{"email:a@ExAmple.com"},
                },
        },
+       {
+               name: "excluded constraint, empty DNS san",
+               roots: []constraintsSpec{
+                       {
+                               bad: []string{"dns:example.com"},
+                       },
+               },
+               leaf: leafSpec{
+                       sans: []string{"dns:"},
+               },
+       },
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
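Review bot: The new table entry at the added lines sets no expected-error field, so — if this table's convention is that an omitted expectation means verification must succeed — it pins that an empty dNSName SAN verifies cleanly against an excluded `example.com`, which the commit message says should probably be rejected in a later release. A short comment on the entry would keep that from being read as endorsing empty names, e.g. `// Regression test for CVE-2026-27138: an empty dNSName must not panic the excluded-wildcard check. Whether the empty name should be accepted at all is tracked separately.` The table's other entries and the nameConstraintsTest struct are outside the hunk, so the meaning of the omitted field is inferred here.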