1
0
mirror of https://github.com/golang/go synced 2024-11-15 00:20:30 -07:00

crypto/x509: don't match bare wildcard

When verifying the name "test", a SAN with a bare wildcard ("*") should
not constitute a match.

Updates #65085

Change-Id: I02151761e2f29f3e358708a3f723af32b0d79288
Reviewed-on: https://go-review.googlesource.com/c/go/+/585076
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
This commit is contained in:
Roland Shoemaker 2024-05-13 13:20:37 -07:00 committed by Gopher Robot
parent cf06b1f1db
commit 375031d8dc
2 changed files with 31 additions and 0 deletions

View File

@ -984,6 +984,11 @@ func validHostname(host string, isPattern bool) bool {
if len(host) == 0 {
return false
}
if host == "*" {
// Bare wildcards are not allowed, they are not valid DNS names,
// nor are they allowed per RFC 6125.
return false
}
for i, part := range strings.Split(host, ".") {
if part == "" {

View File

@ -2811,3 +2811,29 @@ func TestVerifyNilPubKey(t *testing.T) {
t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{})
}
}
func TestVerifyBareWildcard(t *testing.T) {
k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
if err != nil {
t.Fatalf("failed to generate key: %s", err)
}
tmpl := &Certificate{
SerialNumber: big.NewInt(1),
Subject: pkix.Name{CommonName: "test"},
NotBefore: time.Now().Add(-time.Hour),
NotAfter: time.Now().Add(time.Hour),
DNSNames: []string{"*"},
}
cDER, err := CreateCertificate(rand.Reader, tmpl, tmpl, k.Public(), k)
if err != nil {
t.Fatalf("failed to create certificate: %s", err)
}
c, err := ParseCertificate(cDER)
if err != nil {
t.Fatalf("failed to parse certificate: %s", err)
}
if err := c.VerifyHostname("label"); err == nil {
t.Fatalf("VerifyHostname unexpected success with bare wildcard SAN")
}
}