crypto/x509: use case-insensitive hostname matching.

Fixes #2792. R=golang-dev, r CC=golang-dev https://golang.org/cl/5590045
2024-09-25 05:20:13 -06:00 · 2012-01-31 11:00:16 -05:00 · 2012-01-31 11:00:16 -05:00 · 8efb304440
commit 8efb304440
parent 2d64bab1de
2 changed files with 48 additions and 2 deletions
--- a/src/pkg/crypto/x509/verify.go
+++ b/src/pkg/crypto/x509/verify.go
@ -7,6 +7,7 @@ package x509
 import (
 	"strings"
 	"time"
+	"unicode/utf8"
 )

 type InvalidReason int
@ -225,17 +226,51 @@ func matchHostnames(pattern, host string) bool {
 	return true
 }

+// toLowerCaseASCII returns a lower-case version of in. See RFC 6125 6.4.1. We use
+// an explicitly ASCII function to avoid any sharp corners resulting from
+// performing Unicode operations on DNS labels.
+func toLowerCaseASCII(in string) string {
+	// If the string is already lower-case then there's nothing to do.
+	isAlreadyLowerCase := true
+	for _, c := range in {
+		if c == utf8.RuneError {
+			// If we get a UTF-8 error then there might be
+			// upper-case ASCII bytes in the invalid sequence.
+			isAlreadyLowerCase = false
+			break
+		}
+		if 'A' <= c && c <= 'Z' {
+			isAlreadyLowerCase = false
+			break
+		}
+	}
+
+	if isAlreadyLowerCase {
+		return in
+	}
+
+	out := []byte(in)
+	for i, c := range out {
+		if 'A' <= c && c <= 'Z' {
+			out[i] += 'a' - 'A'
+		}
+	}
+	return string(out)
+}
+
 // VerifyHostname returns nil if c is a valid certificate for the named host.
 // Otherwise it returns an error describing the mismatch.
 func (c *Certificate) VerifyHostname(h string) error {
+	lowered := toLowerCaseASCII(h)
+
 	if len(c.DNSNames) > 0 {
 		for _, match := range c.DNSNames {
-			if matchHostnames(match, h) {
+			if matchHostnames(toLowerCaseASCII(match), lowered) {
 				return nil
 			}
 		}
 		// If Subject Alt Name is given, we ignore the common name.
-	} else if matchHostnames(c.Subject.CommonName, h) {
+	} else if matchHostnames(toLowerCaseASCII(c.Subject.CommonName), lowered) {
 		return nil
 	}

--- a/src/pkg/crypto/x509/verify_test.go
+++ b/src/pkg/crypto/x509/verify_test.go
@ -37,6 +37,17 @@ var verifyTests = []verifyTest{
 			{"Google", "Thawte", "VeriSign"},
 		},
 	},
+	{
+		leaf:          googleLeaf,
+		intermediates: []string{thawteIntermediate},
+		roots:         []string{verisignRoot},
+		currentTime:   1302726541,
+		dnsName:       "WwW.GooGLE.coM",
+
+		expectedChains: [][]string{
+			{"Google", "Thawte", "VeriSign"},
+		},
+	},
 	{
 		leaf:          googleLeaf,
 		intermediates: []string{thawteIntermediate},