From abf8bbb709137c7212704dd0fb777b9c549a5fe1 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Mon, 23 Feb 2015 15:32:08 -0800 Subject: [PATCH] crypto/x509: make behaviour of absolute DNS names match Chromium. Previously, we didn't handle absolute DNS names in certificates the same way as Chromium, and we probably shouldn't diverge from major browsers. Change-Id: I56a3962ad1002f68b5dbd65ae90991b82c2f5629 Reviewed-on: https://go-review.googlesource.com/5692 Reviewed-by: Andrew Gerrand Reviewed-by: Brad Fitzpatrick --- src/crypto/x509/verify.go | 1 + src/crypto/x509/x509_test.go | 8 +++++++- 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index 7a7db75023..7226d0a8d5 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -324,6 +324,7 @@ nextIntermediate: func matchHostnames(pattern, host string) bool { host = strings.TrimSuffix(host, ".") + pattern = strings.TrimSuffix(pattern, ".") if len(pattern) == 0 || len(host) == 0 { return false diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go index f3a9f3cdc9..6414488bd7 100644 --- a/src/crypto/x509/x509_test.go +++ b/src/crypto/x509/x509_test.go @@ -161,7 +161,6 @@ var matchHostnamesTests = []matchHostnamesTest{ {"", "b.b.c", false}, {"a.b.c", "", false}, {"example.com", "example.com", true}, - {"example.com", "example.com.", true}, {"example.com", "www.example.com", false}, {"*.example.com", "example.com", false}, {"*.example.com", "www.example.com", true}, @@ -174,6 +173,13 @@ var matchHostnamesTests = []matchHostnamesTest{ {"", ".", false}, {".", "", false}, {".", ".", false}, + {"example.com", "example.com.", true}, + {"example.com.", "example.com", true}, + {"example.com.", "example.com.", true}, + {"*.com.", "example.com.", true}, + {"*.com.", "example.com", true}, + {"*.com", "example.com", true}, + {"*.com", "example.com.", true}, } func TestMatchHostnames(t *testing.T) {