Cypherpunks.ru repositories - gostls13.git/commit

author	Filippo Valsorda <filippo@golang.org>
	Wed, 11 Jul 2018 19:59:56 +0000 (15:59 -0400)
committer	Filippo Valsorda <filippo@golang.org>
	Mon, 16 Jul 2018 19:30:08 +0000 (19:30 +0000)
commit	4f9ec2c7568fce3db51cee0bf151ccf8534868aa
tree	1774323169418b76ddad263405d1a89460b96e8b	tree
parent	baebc7f9939b8030d89d3b96d7bc6879452c9495	commit \| diff

crypto/x509: ignore Common Name when it does not parse as a hostname

The Common Name is used as a hostname when there are no Subject
Alternative Names, but it is not restricted by name constraints. To
protect against a name constraints bypass, we used to require SANs for
constrained chains. See the NameConstraintsWithoutSANs error.

This change ignores the CN when it does not look like a hostname, so we
can avoid returning NameConstraintsWithoutSANs.

This makes it possible to validate certificates with non-hostname CN
against chains that use name constraints to disallow all names, like the
Estonian IDs.

Updates #24151

Change-Id: I798d797990720a01ad9b5a13336756cc472ebf44
Reviewed-on: https://go-review.googlesource.com/123355
Reviewed-by: Adam Langley <agl@golang.org>

src/crypto/x509/name_constraints_test.go		diff \| blob \| history
src/crypto/x509/verify.go		diff \| blob \| history
src/crypto/x509/verify_test.go		diff \| blob \| history
src/crypto/x509/x509.go		diff \| blob \| history