Diffstat (limited to 'src')
-rw-r--r--src/crypto/x509/constraints.go2
-rw-r--r--src/crypto/x509/name_constraints_test.go11
2 files changed, 12 insertions, 1 deletions
diff --git a/src/crypto/x509/constraints.go b/src/crypto/x509/constraints.go
index 3c260a9b96..83bfbcb2ef 100644
--- a/src/crypto/x509/constraints.go
+++ b/src/crypto/x509/constraints.go
@@ -375,7 +375,7 @@ func (dnc *dnsConstraints) query(s string) (string, bool) {
return constraint, true
}
- if !dnc.permitted && s[0] == '*' {
+ if !dnc.permitted && len(s) > 0 && s[0] == '*' {
trimmed := trimFirstLabel(s)
if constraint, found := dnc.parentConstraints[trimmed]; found {
return constraint, true
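Review bot: The new `len(s) > 0` guard on the excluded-wildcard branch carries no comment saying which input makes `s` empty, so a later cleanup could drop it as redundant and bring back the out-of-range index on `s[0]`. Judging by the test added in this commit, the trigger is an empty dNSName SAN in a certificate under verification, which is peer-supplied data, so the panic would be reachable during chain validation. I would add `// s may be empty (e.g. an empty dNSName SAN); check the length before indexing so verification cannot panic.` above the `if`. The body of `query` starts and ends outside this hunk, so whether other branches or `trimFirstLabel` index `s` without a length check cannot be confirmed from here and is worth a quick look.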
diff --git a/src/crypto/x509/name_constraints_test.go b/src/crypto/x509/name_constraints_test.go
index b325c8edb9..3e205e5caf 100644
--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@@ -1645,6 +1645,17 @@ var nameConstraintsTests = []nameConstraintsTest{
sans: []string{"email:a@ExAmple.com"},
},
},
+ {
+ name: "excluded constraint, empty DNS san",
+ roots: []constraintsSpec{
+ {
+ bad: []string{"dns:example.com"},
+ },
+ },
+ leaf: leafSpec{
+ sans: []string{"dns:"},
+ },
+ },
}
func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
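Review bot: The new case "excluded constraint, empty DNS san" sets no expected error, so besides guarding against the panic it also pins that a leaf with an empty `dns:` SAN verifies successfully under an excluded `example.com` constraint, and nothing in the entry says that this acceptance is intended. A short comment on the entry would make that explicit, for example `// An empty dNSName must not panic the constraint check; it matches no excluded name, so the chain is accepted.` Only the excluded (`bad`) side is exercised here. A sibling entry with the same empty SAN under a permitted constraint would pin the behaviour on that path too, with whatever outcome is intended there.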