path: root/src/encoding
author    Neal Patel <nealpatel@google.com>    2025-09-15 16:31:22 -0400
committer Gopher Robot <gobot@golang.org>      2025-10-07 11:23:16 -0700
commit    3fc4c79fdbb17b9b29ea9f8c29dd780df075d4c4 (patch)
tree      68a2ad685819fe6d5ef18e057123b9342c2c6e1f /src/encoding
parent    6e4007e8cffbb870e6b606307ab7308236ecefb9 (diff)
download  go-3fc4c79fdbb17b9b29ea9f8c29dd780df075d4c4.tar.xz
crypto/x509: improve domain name verification
Don't use domainToReverseLabels to check if domain names are valid, since it is not particularly performant, and can contribute to DoS vectors. Instead just iterate over the name and enforce the properties we care about.

This also enforces that DNS names, both in SANs and name constraints, are valid. We previously allowed invalid SANs, because some intermediates had these weird names (see #23995), but there are currently no trusted intermediates that have this property, and since we target the web PKI, supporting this particular case is not a high priority.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-58187
Fixes #75681

Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Reviewed-on: https://go-internal-review.googlesource.com/c/go/+/2820
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Roland Shoemaker <bracewell@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/709854
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Carlos Amedee <carlos@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Diffstat (limited to 'src/encoding')
0 files changed, 0 insertions, 0 deletions
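As an added illustration of the approach the commit message describes (one linear pass over the name enforcing a fixed set of properties, instead of splitting it into reverse labels), here is an example validator that is not the Go project's own code. The exact rules it enforces (RFC 1035 label syntax, a leading "*." for SANs, a leading "." for name constraints) are assumptions for this example and not a transcription of what crypto/x509 checks.

```go
package main

import (
	"fmt"
	"strings"
)

// validDNSName reports whether name is a syntactically valid DNS name for a
// certificate SAN (constraint == false) or a name constraint (constraint == true).
// The rules are assumptions for this example, not a copy of crypto/x509's checks:
// RFC 1035 label syntax (letters, digits, '-'; no leading/trailing '-'; 1..63
// bytes per label; <= 253 bytes overall), a single leading "*." in SANs, and a
// leading "." ("any subdomain") in name constraints. One byte-by-byte pass with
// no allocation, so the cost is linear in the length however many labels it has.
func validDNSName(name string, constraint bool) bool {
	if name == "" || len(name) > 253 {
		return false
	}
	rest := strings.TrimPrefix(name, "*.") // wildcard label allowed in SANs
	if constraint {
		rest = strings.TrimPrefix(name, ".") // "any subdomain of" form
	}
	labelLen := 0 // bytes seen so far in the current label
	for i := 0; i < len(rest); i++ {
		c := rest[i]
		switch {
		case c == '.':
			// Empty label ("a..b", leading or trailing '.') or a label ending in '-'.
			if labelLen == 0 || rest[i-1] == '-' {
				return false
			}
			labelLen = 0
		case c == '-' && labelLen == 0:
			return false // a label may not begin with '-'
		case c == '-', 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
			labelLen++
			if labelLen > 63 {
				return false
			}
		default:
			return false // space, control bytes, misplaced '*', non-ASCII, ...
		}
	}
	// The final label must be non-empty and must not end in '-'.
	return labelLen > 0 && rest[len(rest)-1] != '-'
}

func main() {
	fmt.Println(validDNSName("*.example.com", false), validDNSName("a..b", false))
}
```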