1
0
mirror of https://github.com/golang/go synced 2024-11-17 16:34:43 -07:00

crypto/x509: reject empty name constraints extension

Change-Id: Idcda0fc1607157cb5bbf0521fbdc0c77f043ca3a
Reviewed-on: https://go-review.googlesource.com/62691
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: David Crawshaw <crawshaw@golang.org>
This commit is contained in:
Adam Langley 2017-09-09 16:28:32 -07:00
parent 93f1aac246
commit 3079b0ad89
2 changed files with 41 additions and 0 deletions

View File

@ -1210,6 +1210,14 @@ func parseCertificate(in *certificate) (*Certificate, error) {
return nil, errors.New("x509: trailing data after X.509 NameConstraints") return nil, errors.New("x509: trailing data after X.509 NameConstraints")
} }
if len(constraints.Permitted) == 0 && len(constraints.Excluded) == 0 {
// https://tools.ietf.org/html/rfc5280#section-4.2.1.10:
// “either the permittedSubtrees field
// or the excludedSubtrees MUST be
// present”
return nil, errors.New("x509: empty name constraints extension")
}
getDNSNames := func(subtrees []generalSubtree, isCritical bool) (dnsNames []string, err error) { getDNSNames := func(subtrees []generalSubtree, isCritical bool) (dnsNames []string, err error) {
for _, subtree := range subtrees { for _, subtree := range subtrees {
if len(subtree.Name) == 0 { if len(subtree.Name) == 0 {

View File

@ -1512,3 +1512,36 @@ func TestSystemCertPool(t *testing.T) {
t.Fatal(err) t.Fatal(err)
} }
} }
const emptyNameConstraintsPEM = `
-----BEGIN CERTIFICATE-----
MIIC1jCCAb6gAwIBAgICEjQwDQYJKoZIhvcNAQELBQAwKDEmMCQGA1UEAxMdRW1w
dHkgbmFtZSBjb25zdHJhaW50cyBpc3N1ZXIwHhcNMTMwMjAxMDAwMDAwWhcNMjAw
NTMwMTA0ODM4WjAhMR8wHQYDVQQDExZFbXB0eSBuYW1lIGNvbnN0cmFpbnRzMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwriElUIt3LCqmJObs+yDoWPD
F5IqgWk6moIobYjPfextZiYU6I3EfvAwoNxPDkN2WowcocUZMJbEeEq5ebBksFnx
f12gBxlIViIYwZAzu7aFvhDMyPKQI3C8CG0ZSC9ABZ1E3umdA3CEueNOmP/TChNq
Cl23+BG1Qb/PJkpAO+GfpWSVhTcV53Mf/cKvFHcjGNrxzdSoq9fyW7a6gfcGEQY0
LVkmwFWUfJ0wT8kaeLr0E0tozkIfo01KNWNzv6NcYP80QOBRDlApWu9ODmEVJHPD
blx4jzTQ3JLa+4DvBNOjVUOp+mgRmjiW0rLdrxwOxIqIOwNjweMCp/hgxX/hTQID
AQABoxEwDzANBgNVHR4EBjAEoAChADANBgkqhkiG9w0BAQsFAAOCAQEAWG+/zUMH
QhP8uNCtgSHyim/vh7wminwAvWgMKxlkLBFns6nZeQqsOV1lABY7U0Zuoqa1Z5nb
6L+iJa4ElREJOi/erLc9uLwBdDCAR0hUTKD7a6i4ooS39DTle87cUnj0MW1CUa6H
v5SsvpYW+1XleYJk/axQOOTcy4Es53dvnZsjXH0EA/QHnn7UV+JmlE3rtVxcYp6M
LYPmRhTioROA/drghicRkiu9hxdPyxkYS16M5g3Zj30jdm+k/6C6PeNtN9YmOOga
nCOSyFYfGhqOANYzpmuV+oIedAsPpIbfIzN8njYUs1zio+1IoI4o8ddM9sCbtPU8
o+WoY6IsCKXV/g==
-----END CERTIFICATE-----`
func TestEmptyNameConstraints(t *testing.T) {
block, _ := pem.Decode([]byte(emptyNameConstraintsPEM))
_, err := ParseCertificate(block.Bytes)
if err == nil {
t.Fatal("unexpected success")
}
const expected = "empty name constraints"
if str := err.Error(); !strings.Contains(str, expected) {
t.Errorf("expected %q in error but got %q", expected, str)
}
}