authorRoland Shoemaker <bracewell@google.com>2026-03-23 10:22:34 -0700
committerGopher Robot <gobot@golang.org>2026-04-07 12:14:00 -0700
commitceb4da6626ce94d75b2aefd0f24c6d0fd74f45f9 (patch)
treea4a2034d39288fbb35445bf51c75278545d30f8f
parentbabb1c32c2e7ee7a1147e7e587d35c553fb693ad (diff)
downloadgo-ceb4da6626ce94d75b2aefd0f24c6d0fd74f45f9.tar.xz
[release-branch.go1.26] crypto/x509: fix wildcard constraint map case sensitivity
When applying excluded constraints to wildcard DNS SANs, the constraint checking implementation did not normalize the case of the constraint nor the SAN, which could lead to incorrect constraint checking results. This change lowercases both the constraint and the SAN before checking for matches, ensuring that constraint checking is case-insensitive as intended. Thanks to Riyas from Saintgits College of Engineering for reporting this issue. Fixes #78332 Fixes CVE-2026-33810 Change-Id: Id27792c8ed4c40f2810bad8dbd8d5d520cb465bb Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3860 Reviewed-by: Neal Patel <nealpatel@google.com> Reviewed-by: Damien Neil <dneil@google.com> Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/3984 Commit-Queue: Damien Neil <dneil@google.com> Reviewed-by: Nicholas Husin <husin@google.com> Reviewed-on: https://go-review.googlesource.com/c/go/+/763544 Auto-Submit: Gopher Robot <gobot@golang.org> Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Junyang Shao <shaojunyang@google.com> TryBot-Bypass: Gopher Robot <gobot@golang.org>
-rw-r--r--src/crypto/x509/constraints.go2
-rw-r--r--src/crypto/x509/name_constraints_test.go22
2 files changed, 24 insertions, 0 deletions
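--- a/src/crypto/x509/constraints.go
+++ b/src/crypto/x509/constraints.go
@@ -351,6 +351,7 @@ func newDNSConstraints(l []string, permitted bool) interface{ query(string) (str
 if !permitted {
 parentConstraints := map[string]string{}
 for _, name := range nc.constraints.set {
+name = strings.ToLower(name)
 trimmedName := trimFirstLabel(name)
 if trimmedName == "" {
 continue
@@ -376,6 +377,7 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
 }
 if !dnc.permitted && len(s) > 0 && s[0] == '*' {
+s = strings.ToLower(s)
 trimmed := trimFirstLabel(s)
 if constraint, found := dnc.parentConstraints[trimmed]; found {
 return constraint, true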
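Review bot: The lowercasing at `s = strings.ToLower(s)` sits inside the wildcard branch of query, while the map it looks up is filled in newDNSConstraints, so nothing in either hunk says why this branch has to normalize on its own; a comment such as `// parentConstraints is keyed by lowercased names; normalize the SAN before the lookup.` would tie the two hunks together. The same applies to `name = strings.ToLower(name)` in the first hunk, where the lowered `name` presumably also becomes the map value and therefore the constraint text reported to the caller, which the second new test pins as `"sub.example.com"` for a constraint written `SUB.EXAMPLE.COM`. strings.ToLower applies Unicode case mapping rather than the ASCII-only folding DNS specifies; if non-ASCII names can reach this code that deserves a note, although for an excluded constraint extra matches are the conservative direction. Both enclosing functions start and end outside their hunks, and the non-wildcard path of query that precedes the second hunk is not visible here.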
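--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@@ -1656,6 +1656,28 @@ var nameConstraintsTests = []nameConstraintsTest{
 sans: []string{"dns:"},
 },
 },
+{
+name: "subdomain exclusion blocks uppercase wildcard",
+roots: []constraintsSpec{{
+bad: []string{"dns:sub.example.com"},
+}},
+intermediates: [][]constraintsSpec{{{}}},
+leaf: leafSpec{
+sans: []string{"dns:*.EXAMPLE.COM"},
+},
+expectedError: "\"*.EXAMPLE.COM\" is excluded by constraint \"sub.example.com\"",
+},
+{
+name: "uppercase subdomain exclusion blocks lowercase wildcard",
+roots: []constraintsSpec{{
+bad: []string{"dns:SUB.EXAMPLE.COM"},
+}},
+intermediates: [][]constraintsSpec{{{}}},
+leaf: leafSpec{
+sans: []string{"dns:*.example.com"},
+},
+expectedError: "\"*.example.com\" is excluded by constraint \"sub.example.com\"",
+},
 }
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {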
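Review bot: The expected error in the second new case reports the constraint as `"sub.example.com"` although the root's excluded name is written `dns:SUB.EXAMPLE.COM`, so the test pins the normalized form rather than the certificate's literal value in the error text. If that is intended, a one-line comment on the case would keep a later change to the message wording from looking like a regression, e.g. `// The reported constraint is the lowercased form, not the value as written in the certificate.` The first case covers only the uppercase-SAN/lowercase-constraint direction and the second only the reverse; a case with mixed case on both sides would exercise the combination directly. The nameConstraintsTests slice begins outside the hunk.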