A DNS name prefixed with an empty label should be considered invalid
when checking constraints (i.e. ".example.com" does not satisfy a
constraint of "example.com").
Updates #65085
Change-Id: I42919dc06abedc0e242ff36b2a42b583b14857b1
Reviewed-on: https://go-review.googlesource.com/c/go/+/561615
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
cn: "foo.bar",
},
},
+
+ // #85: .example.com is an invalid DNS name, it should not match the
+ // constraint example.com.
+ {
+ roots: []constraintsSpec{{ok: []string{"dns:example.com"}}},
+ leaf: leafSpec{sans: []string{"dns:.example.com"}},
+ expectedError: "cannot parse dnsName \".example.com\"",
+ },
}
func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
} else {
reverseLabels = append(reverseLabels, domain[i+1:])
domain = domain[:i]
+ if i == 0 { // domain == ""
+ // domain is prefixed with an empty label, append an empty
+ // string to reverseLabels to indicate this.
+ reverseLabels = append(reverseLabels, "")
+ }
}
}
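Review bot: The new `if i == 0` branch only records the empty label; nothing in this hunk rejects it, so its effect depends on the empty-label check later in domainToReverseLabels, which is outside the hunk and not visible here. The comment `// domain == ""` should say that explicitly, e.g. `// A leading '.' leaves domain == "" and ends the loop; record the empty label so the empty-label check below rejects the name rather than silently dropping the leading dot.` Without that, a later refactor of the loop could drop the append without noticing the check it feeds. The enclosing function starts and ends outside the hunk, so I have not verified the check itself.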