Cypherpunks repositories - gostls13.git/commit
crypto/x509: enforce SAN IA5String encoding restrictions
author Roland Shoemaker <rolandshoemaker@gmail.com>
Sat, 23 May 2020 17:15:46 +0000 (10:15 -0700)
committer Roland Shoemaker <roland@golang.org>
Wed, 30 Sep 2020 17:51:05 +0000 (17:51 +0000)
commit 1eeaff75f9e02c65d29d9910c1884c6c0ecc1430
tree fe5c66425e613d2c8211ea8b81cdb8063c84c6ad
parent ae329abec0f78743ab2fbf30ef5b488376fe3c85
crypto/x509: enforce SAN IA5String encoding restrictions

Extends the IA5String encoding restrictions that are currently applied
to name constraints to dNSName, rfc822Name, and
uniformResourceIdentifier elements of the SAN. The utility function
isIA5String is updated to use unicode.MaxASCII rather than utf8.RuneSelf
as it is somewhat more readable.

Certificates that include these badly encoded names do exist, but are
exceedingly rare. zlint and other linters enforce this encoding and
searching censys.io reveals only three currently trusted certificates
with this particular encoding issue.

Fixes #26362

Change-Id: I7a4f3e165a1754e5b4bfaeabc03e01eb7367f3c9
Reviewed-on: https://go-review.googlesource.com/c/go/+/235078
Run-TryBot: Roland Shoemaker <roland@golang.org>
TryBot-Result: Go Bot <gobot@golang.org>
Trust: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
doc/go1.16.html
src/crypto/x509/x509.go
src/crypto/x509/x509_test.go
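
The restriction described in the commit message, sketched as an added example (not code from this commit or from crypto/x509): it walks a DER-encoded subjectAltName value and reports rfc822Name, dNSName and uniformResourceIdentifier entries that contain characters above unicode.MaxASCII. The function names isIA5, nonIA5SANs and sampleSAN, and the sample names, are assumptions made for illustration.

```go
package main

import (
	"encoding/asn1"
	"fmt"
	"strings"
	"unicode"
)

// GeneralName context tags (RFC 5280) for the three IA5String SAN forms.
var ia5Tags = map[int]string{1: "rfc822Name", 2: "dNSName", 6: "uniformResourceIdentifier"}

// isIA5 (hypothetical helper) reports whether no rune in s exceeds unicode.MaxASCII.
func isIA5(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r > unicode.MaxASCII }) < 0
}

// nonIA5SANs walks a DER subjectAltName value and lists each entry that is not IA5.
func nonIA5SANs(der []byte) (bad []string, err error) {
	var seq asn1.RawValue
	rest, err := asn1.Unmarshal(der, &seq)
	if err != nil || len(rest) != 0 || !seq.IsCompound || seq.Class != asn1.ClassUniversal || seq.Tag != asn1.TagSequence {
		return nil, fmt.Errorf("bad SAN sequence")
	}
	for rest = seq.Bytes; len(rest) > 0; {
		var v asn1.RawValue
		if rest, err = asn1.Unmarshal(rest, &v); err != nil {
			return nil, err
		}
		if kind, ok := ia5Tags[v.Tag]; ok && v.Class == asn1.ClassContextSpecific && !isIA5(string(v.Bytes)) {
			bad = append(bad, fmt.Sprintf("%s %q", kind, v.Bytes))
		}
	}
	return bad, nil
}

// sampleSAN returns a constructed SAN value; the second dNSName is deliberately non-ASCII.
func sampleSAN() []byte {
	der, _ := asn1.Marshal([]asn1.RawValue{
		{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte("example.test")},
		{Class: asn1.ClassContextSpecific, Tag: 2, Bytes: []byte("bücher.example.test")},
		{Class: asn1.ClassContextSpecific, Tag: 1, Bytes: []byte("admin@example.test")},
	})
	return der
}

func main() { fmt.Println(nonIA5SANs(sampleSAN())) }
```

An internationalized name passes this check only in its ASCII (punycode) form, since the check looks at the raw bytes of each entry.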