Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.24] crypto/x509: excluded subdomain constraints preclude wildcard...
author Roland Shoemaker <bracewell@google.com>
Mon, 24 Nov 2025 16:46:08 +0000 (08:46 -0800)
committer Cherry Mui <cherryyz@google.com>
Tue, 25 Nov 2025 20:14:29 +0000 (12:14 -0800)
commit 04db77a423cac75bb82cc9a6859991ae9c016344
tree 281305e5ca2a5f1b635eeec7fec5f3da127cf91a
parent 23743a8d2b1347eaf6279f401f743eeafab399a2
[release-branch.go1.24] crypto/x509: excluded subdomain constraints preclude wildcard SANs

When evaluating name constraints in a certificate chain, the presence of
an excluded subdomain constraint (e.g., excluding "test.example.com")
should preclude the use of a wildcard SAN (e.g., "*.example.com").

Fixes #76442
Fixes #76463
Fixes CVE-2025-61727

Change-Id: I42a0da010cb36d2ec9d1239ae3f61cf25eb78bba
Reviewed-on: https://go-review.googlesource.com/c/go/+/724401
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Neal Patel <nealpatel@google.com>
src/crypto/x509/name_constraints_test.go
src/crypto/x509/verify.go
src/crypto/x509/verify_test.go
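The rule in the commit message, worked through as an added example; this is not code from the Go repository or from the commit above. The functions `wildcardPrecludedBy`, `checkDNSSANs` and `verifyWithToolchain`, the CA name and the throwaway keys are illustrative assumptions. `wildcardPrecludedBy` is a stand-alone restatement of the rule as the message describes it (an excluded subtree strictly beneath a wildcard's base domain precludes that wildcard SAN); the exact matching logic Go ships lives in `src/crypto/x509/verify.go` and may differ in detail. `verifyWithToolchain` builds a real constrained chain with `crypto/x509` and asks the running toolchain to verify it, so its result tells you whether that toolchain carries this fix: a patched toolchain rejects `*.example.com` under a CA that excludes `test.example.com`, an unpatched one accepts the leaf for `test.example.com`.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// reverseLabels splits a DNS name into lower-cased labels, most significant
// first: "test.example.com" -> ["com", "example", "test"].
func reverseLabels(name string) []string {
	labels := strings.Split(strings.ToLower(strings.TrimSuffix(name, ".")), ".")
	for i, j := 0, len(labels)-1; i < j; i, j = i+1, j-1 {
		labels[i], labels[j] = labels[j], labels[i]
	}
	return labels
}

// withinSubtree reports whether name equals parent or lies beneath it: the
// ordinary RFC 5280 dNSName constraint test (leading-dot forms not handled here).
func withinSubtree(name, parent string) bool {
	n, p := reverseLabels(name), reverseLabels(parent)
	if len(n) < len(p) {
		return false
	}
	for i := range p {
		if n[i] != p[i] {
			return false
		}
	}
	return true
}

// wildcardPrecludedBy is the rule stated in the commit message (illustrative
// restatement, not Go's own code): a wildcard SAN such as "*.example.com" is
// rejected when an excluded subtree such as "test.example.com" lies strictly
// beneath the wildcard's base, since a relying party would accept the leaf
// for that excluded name.
func wildcardPrecludedBy(san, excluded string) bool {
	base, ok := strings.CutPrefix(san, "*.")
	if !ok {
		return false
	}
	return withinSubtree(excluded, base) && len(reverseLabels(excluded)) > len(reverseLabels(base))
}

// checkDNSSANs applies both rules to every dNSName SAN of a leaf.
func checkDNSSANs(sans, excluded []string) error {
	for _, san := range sans {
		for _, ex := range excluded {
			if withinSubtree(san, ex) {
				return fmt.Errorf("SAN %q lies within excluded subtree %q", san, ex)
			}
			if wildcardPrecludedBy(san, ex) {
				return fmt.Errorf("wildcard SAN %q could be used for excluded subtree %q", san, ex)
			}
		}
	}
	return nil
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// verifyWithToolchain issues a throwaway CA carrying ExcludedDNSDomains and a
// leaf carrying the given SANs, then asks this toolchain's crypto/x509 to
// verify the leaf for hostname. A non-nil result means the chain was rejected.
func verifyWithToolchain(excluded, sans []string, hostname string) error {
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	leafKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	now := time.Now()
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constrained Test CA"}, // assumed name
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		ExcludedDNSDomains:    excluded,
	}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		DNSNames:     sans,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, leafTmpl, caCert, &leafKey.PublicKey, caKey))))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: hostname})
	return err
}

func main() {
	excluded := []string{"test.example.com"}
	sans := []string{"*.example.com"}
	fmt.Println("rule from the commit message:", checkDNSSANs(sans, excluded))
	if err := verifyWithToolchain(excluded, sans, "test.example.com"); err != nil {
		fmt.Println("this toolchain rejects the chain:", err)
	} else {
		fmt.Println("this toolchain accepted *.example.com for the excluded test.example.com (pre-fix behaviour)")
	}
}
```

Run it under the toolchain you deploy with; only the second line of output depends on the toolchain version. The strictly-beneath test in `wildcardPrecludedBy` is deliberate: when the excluded subtree equals or contains the wildcard's base (excluding `example.com` itself), the ordinary subtree test in `checkDNSSANs` already rejects the SAN, so the wildcard rule only has to cover exclusions that sit below the base.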