[release-branch.go1.25] crypto/x509: fix single label excluded name constraints handling

Only strip labels when both the domain and constraint have more than one
label.

Fixes #76935
Fixes #77323

Change-Id: Ifdaae2cbe0c57984bb7334a8f08fa33a800e7c27
Reviewed-on: https://go-review.googlesource.com/c/go/+/739400
Auto-Submit: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

2 files changed, 17 insertions, 1 deletions

diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
index bc91b28401..1f50650267 100644
--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@@ -1658,6 +1658,22 @@ var nameConstraintsTests = []nameConstraintsTest{
 		},
 		expectedError: "\"*.example.com\" is not permitted",
 	},
+	// #89: a TLD constraint doesn't exclude unrelated wildcards
+	{
+		roots: []constraintsSpec{
+			{
+				bad: []string{"dns:tld"},
+			},
+		},
+		intermediates: [][]constraintsSpec{
+			{
+				{},
+			},
+		},
+		leaf: leafSpec{
+			sans: []string{"dns:*.example.com"},
+		},
+	},
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 3de9f93b2c..076e82666a 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -546,7 +546,7 @@ func matchDomainConstraint(domain, constraint string, excluded bool, reversedDom
 		return false, nil
 	}
 
-	if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 0 {
+	if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 1 {
 		domainLabels = domainLabels[:len(domainLabels)-1]
 		constraintLabels = constraintLabels[:len(constraintLabels)-1]
 	}