github/golang.go
2
0
Fork 0
mirror of https://github.com/golang/go.git synced 2026-04-01 17:07:17 +09:00
Code Issues Packages Projects Releases Wiki Activity

[release-branch.go1.26] crypto/x509: fix name constraint checking panic

Browse Source 
Apparently we allow empty dNSName SANs (e.g. a domain name of ""), which
causes the excluded domain name wildcard checking to panic, because we
assume names are always non-empty. RFC 5280 appears to say the empty
string should not be accepted, although confusingly refers to this as
" " (a single space). We should probably not allow that when creating
certificates, and possibly when creating them as well (1.27 I guess).

Thanks to Jakub Ciolek for reporting this issue.

Updates #77953
Fixes #77974
Fixes CVE-2026-27138

Change-Id: I4fb213a5450470969a7436cba09b71fd1755a6af
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3420
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3621
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/752083
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
TryBot-Bypass: Gopher Robot <gobot@golang.org>
Auto-Submit: Gopher Robot <gobot@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
This commit is contained in:
Roland Shoemaker
2026-02-11 14:49:13 -08:00
committed by Gopher Robot
parent a761c9ff70
commit e792d6aa95
2 changed files with 12 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
src/crypto/x509/constraints.go
View File

@@ -375,7 +375,7 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
return constraint, true
}
if !dnc.permitted && s[0] == '*' {
if !dnc.permitted && len(s) > 0 && s[0] == '*' {
trimmed := trimFirstLabel(s)
if constraint, found := dnc.parentConstraints[trimmed]; found {
return constraint, true

11
src/crypto/x509/name_constraints_test.go
View File

@@ -1645,6 +1645,17 @@ var nameConstraintsTests = []nameConstraintsTest{
sans: []string{"email:a@ExAmple.com"},
},
},
{
name: "excluded constraint, empty DNS san",
roots: []constraintsSpec{
{
bad: []string{"dns:example.com"},
},
},
leaf: leafSpec{
sans: []string{"dns:"},
},
},
}
func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {