crypto/x509: make behaviour of absolute DNS names match Chromium.
authorAdam Langley <agl@golang.org>
Mon, 23 Feb 2015 23:32:08 +0000 (15:32 -0800)
committerAdam Langley <agl@golang.org>
Tue, 24 Feb 2015 19:45:52 +0000 (19:45 +0000)
Previously, we didn't handle absolute DNS names in certificates the same
way as Chromium, and we probably shouldn't diverge from major browsers.

Change-Id: I56a3962ad1002f68b5dbd65ae90991b82c2f5629
Reviewed-on: https://go-review.googlesource.com/5692
Reviewed-by: Andrew Gerrand <adg@golang.org>
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
src/crypto/x509/verify.go
src/crypto/x509/x509_test.go

index 7a7db750232dc4516cd8e963b3bf5711340fabd9..7226d0a8d53eb04b96cd3f953788d2b63c62c2ca 100644 (file)
@@ -324,6 +324,7 @@ nextIntermediate:
 
 func matchHostnames(pattern, host string) bool {
        host = strings.TrimSuffix(host, ".")
+       pattern = strings.TrimSuffix(pattern, ".")
 
        if len(pattern) == 0 || len(host) == 0 {
                return false
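Review bot: matchHostnames has no comment recording that a single trailing dot is now ignored on both the pattern and the host, which is a deliberate policy choice in certificate name matching and belongs next to the trim. A line such as `// A trailing dot is ignored on both sides so absolute and relative DNS names compare equal, matching Chromium.` above the two TrimSuffix calls would cover it. strings.TrimSuffix removes only one dot, so a name like `example.com..` still carries an empty final label past the length check shown here. Whether that label is rejected depends on the rest of the body, which continues outside this hunk.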
index f3a9f3cdc9497ea31eb9c3a898d0b4a0ef911584..6414488bd7642a60d4990e90e662ce5f830d9e3a 100644 (file)
@@ -161,7 +161,6 @@ var matchHostnamesTests = []matchHostnamesTest{
        {"", "b.b.c", false},
        {"a.b.c", "", false},
        {"example.com", "example.com", true},
-       {"example.com", "example.com.", true},
        {"example.com", "www.example.com", false},
        {"*.example.com", "example.com", false},
        {"*.example.com", "www.example.com", true},
@@ -174,6 +173,13 @@ var matchHostnamesTests = []matchHostnamesTest{
        {"", ".", false},
        {".", "", false},
        {".", ".", false},
+       {"example.com", "example.com.", true},
+       {"example.com.", "example.com", true},
+       {"example.com.", "example.com.", true},
+       {"*.com.", "example.com.", true},
+       {"*.com.", "example.com", true},
+       {"*.com", "example.com", true},
+       {"*.com", "example.com.", true},
 }
 
 func TestMatchHostnames(t *testing.T) {
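Review bot: Every case added to matchHostnamesTests here expects true, so nothing pins that stripping the pattern's trailing dot leaves the existing negative results intact. Adding `{"*.example.com.", "example.com.", false},` and `{"example.com.", "www.example.com.", false},` would mirror the non-dotted negatives already in the table. A pattern with two trailing dots, such as `example.com..`, would also be worth a row once its intended result is decided, since only one dot is trimmed.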