[go] crypto/x509: normalize IP name constraints with non-zero host bits


Gopher Robot (Gerrit)

Jun 10, 2026, 5:24:00 PM
to p4p3r, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Cherry Mui, Michael Matloob, golang...@luci-project-accounts.iam.gserviceaccount.com, Roland Shoemaker, Ian Alexander, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
crypto/x509: normalize IP name constraints with non-zero host bits

Name constraint IP subtrees are encoded as a network address followed by
a mask. RFC 5280 permits the network address to carry non-zero host bits
(e.g. 10.10.10.10/16, denoting 10.10.0.0/16), and some CA tooling emits
this verbatim. parseNameConstraintsExtension stores the address exactly
as encoded.

The sub-quadratic constraint matcher added in Go 1.26 (constraints.go)
binary-searches the sorted constraint set using the raw stored IP and
then checks only the nearest lower-bound entry with net.IPNet.Contains.
That relies on the stored IP being the canonical masked network address.
When the address has host bits set, the containing network can sort above
the target while a lower-addressed constraint occupies the neighbor slot,
so the containing network is never tested and search reports no match.

Because this only ever yields false negatives, an excluded constraint
with host bits set could fail to match an address inside its network,
silently accepting a certificate the constraint should have rejected.

Normalize the host bits in newIPNetConstraints, where the matcher builds
its sorted set, instead of in the parser. This restores the matcher's
invariant while leaving the parsed PermittedIPRanges and ExcludedIPRanges
with the address exactly as encoded in the certificate.

Fixes #79833
Change-Id: I7ec6b0452871d32a2f3db2eb9d46802ce64ecd78
Reviewed-by: Cherry Mui <cher...@google.com>
Auto-Submit: Roland Shoemaker <rol...@golang.org>
Reviewed-by: Roland Shoemaker <rol...@golang.org>
Files:
  • M src/crypto/x509/constraints.go
  • M src/crypto/x509/name_constraints_test.go
Change size: M
Delta: 2 files changed, 73 insertions(+), 0 deletions(-)
Branch: refs/heads/master
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I7ec6b0452871d32a2f3db2eb9d46802ce64ecd78
Gerrit-Change-Number: 787220
Gerrit-PatchSet: 3
Gerrit-Owner: p4p3r <kbf...@naver.com>
Gerrit-Reviewer: Cherry Mui <cher...@google.com>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Ian Alexander <ji...@google.com>
Gerrit-Reviewer: Michael Matloob <mat...@google.com>
Gerrit-Reviewer: Roland Shoemaker <rol...@golang.org>
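As an added illustration, not code from this change or from crypto/x509, here is a simplified matcher that mirrors the lower-bound lookup the commit message describes, run once with the address stored as encoded and once with host bits cleared. The names subtree, newConstraints and ipNetConstraints.contains belong to this example, and it assumes the constraints do not nest inside one another.

```go
package main

import (
	"bytes"
	"fmt"
	"net"
	"sort"
)

// subtree builds an IP subtree exactly as a certificate may encode it, host
// bits included (net.ParseCIDR would clear them, so it is not used here).
func subtree(addr string, ones, bits int) *net.IPNet {
	return &net.IPNet{IP: net.ParseIP(addr).To16(), Mask: net.CIDRMask(ones, bits)}
}

// ipNetConstraints is a simplified stand-in for the sorted set built by
// newIPNetConstraints; it assumes the subtrees do not nest inside each other.
type ipNetConstraints []*net.IPNet

// newConstraints sorts subtrees by address. normalize=true clears host bits
// first (the fix); normalize=false keeps the address as encoded (the bug).
func newConstraints(subtrees []*net.IPNet, normalize bool) ipNetConstraints {
	set := make(ipNetConstraints, 0, len(subtrees))
	for _, n := range subtrees {
		ip := n.IP
		if normalize {
			ip = ip.Mask(n.Mask) // 10.10.10.10/16 becomes 10.10.0.0/16
		}
		set = append(set, &net.IPNet{IP: ip.To16(), Mask: n.Mask})
	}
	sort.Slice(set, func(i, j int) bool { return bytes.Compare(set[i].IP, set[j].IP) < 0 })
	return set
}

// contains is the lower-bound lookup the commit message describes: find the
// last entry whose address is <= ip and test only that entry.
func (c ipNetConstraints) contains(ip net.IP) bool {
	ip = ip.To16()
	i := sort.Search(len(c), func(j int) bool { return bytes.Compare(c[j].IP, ip) > 0 })
	return i > 0 && c[i-1].Contains(ip)
}

func main() {
	// Constructed excluded subtrees: one with host bits set, plus a lower-addressed
	// unrelated subtree that becomes its sorted neighbour.
	excluded := []*net.IPNet{subtree("10.10.10.10", 16, 32), subtree("10.9.0.0", 24, 32)}
	target := net.ParseIP("10.10.5.5") // inside 10.10.0.0/16, so it must be excluded
	fmt.Println("raw:   ", newConstraints(excluded, false).contains(target)) // false (missed)
	fmt.Println("masked:", newConstraints(excluded, true).contains(target))  // true (rejected)
}
```

With the raw set, 10.10.10.10 sorts above the target, so the lookup lands on 10.9.0.0/24 and reports no match; after masking, 10.10.0.0/16 is the neighbour and the target is correctly matched.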