Cypherpunks repositories - gostls13.git/commit
[release-branch.go1.25] crypto/x509: excluded subdomain constraints preclude wildcard...
author Roland Shoemaker <bracewell@google.com>
Mon, 24 Nov 2025 16:46:08 +0000 (08:46 -0800)
committer Cherry Mui <cherryyz@google.com>
Tue, 25 Nov 2025 20:14:08 +0000 (12:14 -0800)
commit 287017acebd27203aa3218abbd11ed65c2280cf8
tree 87034c796b8ed224ad079b21565183887a687ea8
parent e1ce1bfa7f0d44e864d8ea6d6cec62c09668ad66
[release-branch.go1.25] crypto/x509: excluded subdomain constraints preclude wildcard SANs

When evaluating name constraints in a certificate chain, the presence of
an excluded subdomain constraint (e.g., excluding "test.example.com")
should preclude the use of a wildcard SAN (e.g., "*.example.com").

Fixes #76442
Fixes #76464
Fixes CVE-2025-61727

Change-Id: I42a0da010cb36d2ec9d1239ae3f61cf25eb78bba
Reviewed-on: https://go-review.googlesource.com/c/go/+/724400
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Neal Patel <nealpatel@google.com>
src/crypto/x509/name_constraints_test.go
src/crypto/x509/verify.go
src/crypto/x509/verify_test.go
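As an added illustration, not code from the Go tree or from this CL, here is a standalone Go checker for the rule the commit message states: a wildcard SAN must not be accepted when an excluded subtree sits underneath it. The names `WildcardSANPermitted`, `inSubtree`, `normalize` and the sample domains are my own, and the any-depth conflict rule is an assumption for illustration rather than a description of what verify.go implements.

```go
package main

import (
	"fmt"
	"strings"
)

// normalize lowercases a DNS name and drops a trailing dot so comparisons agree.
func normalize(d string) string {
	return strings.TrimSuffix(strings.ToLower(d), ".")
}

// inSubtree reports whether name equals constraint or is a subdomain of it,
// following the suffix rule x509 DNS name constraints use: "example.com"
// covers itself and every subdomain, ".example.com" covers subdomains only.
func inSubtree(name, constraint string) bool {
	name, constraint = normalize(name), normalize(constraint)
	if strings.HasPrefix(constraint, ".") {
		return strings.HasSuffix(name, constraint)
	}
	return name == constraint || strings.HasSuffix(name, "."+constraint)
}

// WildcardSANPermitted reports whether a DNS SAN is acceptable under the given
// excluded subtrees. A literal name fails only if it lies inside an excluded
// subtree. A wildcard "*.base" also fails when an excluded subtree lies inside
// base, because the wildcard could otherwise stand in for the excluded name.
// Assumption for illustration: an excluded descendant at any depth counts as a
// conflict, which is stricter than a one-label wildcard match.
func WildcardSANPermitted(san string, excluded []string) bool {
	san = normalize(san)
	isWildcard := strings.HasPrefix(san, "*.")
	base := strings.TrimPrefix(san, "*.")
	for _, c := range excluded {
		if inSubtree(san, c) {
			return false // the name (or the wildcard's base) is itself excluded
		}
		if isWildcard && inSubtree(strings.TrimPrefix(normalize(c), "."), base) {
			return false // an excluded name sits under the wildcard's base
		}
	}
	return true
}

func main() {
	excluded := []string{"test.example.com"} // constructed sample constraint
	for _, san := range []string{"*.example.com", "www.example.com", "test.example.com"} {
		fmt.Printf("%-18s permitted=%v\n", san, WildcardSANPermitted(san, excluded))
	}
}
```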