]> Cypherpunks.ru repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: a1674f3)
crypto/x509: fix certificate validation with FQDN on Windows
authorPatryk Chelmecki <pat.chelmecki@gmail.com>
Wed, 17 May 2023 20:48:28 +0000 (20:48 +0000)
committerGopher Robot <gobot@golang.org>
Wed, 17 May 2023 21:01:16 +0000 (21:01 +0000)
Currently certificate verification on Windows fails if the provided dns name ends with a dot (which means it is a Fully Qualified Domain Name). The certificates according to RFC 6066 (https://www.rfc-editor.org/rfc/rfc6066#section-3) do not contain that ending dot. Go uses CertVerifyCertificateChainPolicy Windows system call with CERT_CHAIN_POLICY_SSL option for verification of the certificates. That call fails if the specified domain name contains the dot at the end.

Examples of other open source codebases that use the same system call and trim the trailing dot before executing it:
MongoDb - https://github.com/mongodb/mongo/blob/master/src/mongo/util/net/ssl_manager_windows.cpp#L1777
Dot Net - https://github.com/dotnet/runtime/blob/v7.0.5/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs#L52

Change-Id: I5db558eb277cf00f5401ec0ffc96c935023ad100
GitHub-Last-Rev: cc69ab9be35f79a93279bd618912a3fd6aaa9f88
GitHub-Pull-Request: golang/go#59846
Reviewed-on: https://go-review.googlesource.com/c/go/+/489135
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Patryk Chełmecki <patchelmecki@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>

src/crypto/x509/root_windows.go patch | blob | history
src/crypto/x509/root_windows_test.go patch | blob | history
src/crypto/x509/verify_test.go patch | blob | history

diff --git a/src/crypto/x509/root_windows.go b/src/crypto/x509/root_windows.go
index 76d6e6ac7094dec21f883a114c501c48337a4978..11a4257b017dd2421d6691e78889faa8d089f70b 100644 (file)
--- a/src/crypto/x509/root_windows.go
+++ b/src/crypto/x509/root_windows.go
@@ -7,6 +7,7 @@ package x509
 import (
        "bytes"
        "errors"
+       "strings"
        "syscall"
        "unsafe"
 )
@@ -109,7 +110,7 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e
 // checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for
 // use as a certificate chain for a SSL/TLS server.
 func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error {
-       servernamep, err := syscall.UTF16PtrFromString(opts.DNSName)
+       servernamep, err := syscall.UTF16PtrFromString(strings.TrimSuffix(opts.DNSName, "."))
        if err != nil {
                return err
        }
diff --git a/src/crypto/x509/root_windows_test.go b/src/crypto/x509/root_windows_test.go
index f6dafe400447987930ba6810c781204e6acb63da..54dbc161dceb0bdb3ac2d1e134fa5fd0604a945e 100644 (file)
--- a/src/crypto/x509/root_windows_test.go
+++ b/src/crypto/x509/root_windows_test.go
@@ -51,6 +51,16 @@ func TestPlatformVerifier(t *testing.T) {
                        name: "valid chain",
                        host: "google.com",
                },
+               {
+                       name:       "valid chain (dns check)",
+                       host:       "google.com",
+                       verifyName: "google.com",
+               },
+               {
+                       name:       "valid chain (fqdn dns check)",
+                       host:       "google.com.",
+                       verifyName: "google.com.",
+               },
                {
                        name:        "expired leaf",
                        host:        "expired.badssl.com",
diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
index 164c47fd6d5512d236a0bb7b67bee8f997dd6d0b..988b17e15d4ac7a0674fc0d2b78c12f67917f55b 100644 (file)
--- a/src/crypto/x509/verify_test.go
+++ b/src/crypto/x509/verify_test.go
@@ -52,6 +52,18 @@ var verifyTests = []verifyTest{
                        {"www.google.com", "GTS CA 1C3", "GTS Root R1"},
                },
        },
+       {
+               name:          "Valid (fqdn)",
+               leaf:          googleLeaf,
+               intermediates: []string{gtsIntermediate},
+               roots:         []string{gtsRoot},
+               currentTime:   1677615892,
+               dnsName:       "www.google.com.",
+
+               expectedChains: [][]string{
+                       {"www.google.com", "GTS CA 1C3", "GTS Root R1"},
+               },
+       },
        {
                name:          "MixedCase",
                leaf:          googleLeaf,
Go GOST TLS 1.3