crypto/x509: allow ":" in Common Name hostnames
authorFilippo Valsorda <filippo@golang.org>
Fri, 7 Sep 2018 16:58:14 +0000 (12:58 -0400)
committerFilippo Valsorda <filippo@golang.org>
Fri, 7 Sep 2018 17:28:27 +0000 (17:28 +0000)
At least one popular service puts a hostname which contains a ":"
in the Common Name field. On the other hand, I don't know of any name
constrained certificates that only work if we ignore such CNs.

Updates #24151

Change-Id: I2d813e3e522ebd65ab5ea5cd83390467a869eea3
Reviewed-on: https://go-review.googlesource.com/134076
Run-TryBot: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

src/crypto/x509/verify.go
src/crypto/x509/verify_test.go

index 4c2ff7b7c4d3d24bcee61f9cf72d5698e864048b..91be7c05f9a249d476343137194cd7e07588ebd2 100644 (file)
@@ -894,8 +894,8 @@ func validHostname(host string) bool {
                        if c == '-' && j != 0 {
                                continue
                        }
-                       if c == '_' {
-                               // _ is not a valid character in hostnames, but it's commonly
+                       if c == '_' || c == ':' {
+                               // Not valid characters in hostnames, but commonly
                                // found in deployments outside the WebPKI.
                                continue
                        }
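Review bot: The new `c == ':'` test has no position or count restriction, unlike the `-` check directly above it (`j != 0`), so a label that begins with a colon or consists only of colons is accepted, and a Common Name shaped like `host:port` or an IPv6 literal would appear to pass as a hostname. If that breadth is intended, the comment should say so instead of only calling the characters "commonly found", for example `// '_' and ':' are accepted at any position in a label; they are not valid in DNS hostnames, so a true result does not mean host is resolvable.` If it is not intended, the narrower form would mirror the hyphen rule, `if c == '_' || (c == ':' && j != 0) {`. validHostname starts and ends outside this hunk, so any earlier filtering of such input cannot be seen here.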
index 768414583962f88ddf53fe64c4d7ea8836ff7469..0e24d3b5da3af3218f8d63992811ef674eba1ba8 100644 (file)
@@ -1881,6 +1881,7 @@ func TestValidHostname(t *testing.T) {
                {"foo.*.example.com", false},
                {"exa_mple.com", true},
                {"foo,bar", false},
+               {"project-dev:us-central1:main", true},
        }
        for _, tt := range tests {
                if got := validHostname(tt.host); got != tt.want {
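Review bot: The table gains only the one accepting case, so nothing pins what validHostname returns for a colon at the start of a label or for a `host:port`-shaped Common Name, both of which the widened character check in verify.go now lets through. Rows such as `{":example.com", true}` and `{"example.com:443", true}` (expected values as the new code appears to return them; flip them if the check is tightened) would make that contract explicit and catch a later change in either direction. TestValidHostname continues outside this hunk.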