[go/release-branch.go1.24] [release-branch.go1.24] crypto/x509: improve domain name verification


Gopher Robot (Gerrit)

Oct 7, 2025, 2:00:52 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, Go LUCI, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.24] crypto/x509: improve domain name verification

Don't use domainToReverseLabels to check if domain names are valid,
since it is not particularly performant, and can contribute to DoS
vectors. Instead just iterate over the name and enforce the properties
we care about.

This also enforces that DNS names, both in SANs and name constraints,
are valid. We previously allowed invalid SANs, because some
intermediates had these weird names (see #23995), but there are
currently no trusted intermediates that have this property, and since we
target the web PKI, supporting this particular case is not a high
priority.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-58187
For #75681
Fixes #75714
Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Files:
  • M src/crypto/x509/name_constraints_test.go
  • M src/crypto/x509/parser.go
  • M src/crypto/x509/parser_test.go
  • M src/crypto/x509/verify.go
Change size: M
Delta: 4 files changed, 96 insertions(+), 100 deletions(-)
Branch: refs/heads/release-branch.go1.24
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.24
Gerrit-Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Gerrit-Change-Number: 709839
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Neal Patel <neal...@google.com>

Gopher Robot (Gerrit)

Oct 7, 2025, 2:02:34 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Carlos Amedee, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
[release-branch.go1.25] crypto/x509: improve domain name verification

Don't use domainToReverseLabels to check if domain names are valid,
since it is not particularly performant, and can contribute to DoS
vectors. Instead just iterate over the name and enforce the properties
we care about.

This also enforces that DNS names, both in SANs and name constraints,
are valid. We previously allowed invalid SANs, because some
intermediates had these weird names (see #23995), but there are
currently no trusted intermediates that have this property, and since we
target the web PKI, supporting this particular case is not a high
priority.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-58187
For #75681
Fixes #75715
Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Roland Shoemaker <brac...@google.com>
Commit-Queue: Roland Shoemaker <brac...@google.com>
Reviewed-by: Nicholas Husin <hu...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
TryBot-Bypass: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
  • M src/crypto/x509/name_constraints_test.go
  • M src/crypto/x509/parser.go
  • M src/crypto/x509/parser_test.go
  • M src/crypto/x509/verify.go
Change size: M
Delta: 4 files changed, 96 insertions(+), 100 deletions(-)
Branch: refs/heads/release-branch.go1.25
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee
  • TryBots-Pass: TryBot-Bypass+1 by Michael Pratt
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: release-branch.go1.25
Gerrit-Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Gerrit-Change-Number: 709848
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
Gerrit-Reviewer: Gopher Robot <go...@golang.org>
Gerrit-Reviewer: Michael Pratt <mpr...@google.com>
Gerrit-CC: Neal Patel <neal...@google.com>

Gopher Robot (Gerrit)

Oct 7, 2025, 2:23:21 PM
to Michael Pratt, Neal Patel, goph...@pubsubhelper.golang.org, golang-...@googlegroups.com, Go LUCI, Carlos Amedee, golang-co...@googlegroups.com

Gopher Robot submitted the change

Change information

Commit message:
crypto/x509: improve domain name verification

Don't use domainToReverseLabels to check if domain names are valid,
since it is not particularly performant, and can contribute to DoS
vectors. Instead just iterate over the name and enforce the properties
we care about.

This also enforces that DNS names, both in SANs and name constraints,
are valid. We previously allowed invalid SANs, because some
intermediates had these weird names (see #23995), but there are
currently no trusted intermediates that have this property, and since we
target the web PKI, supporting this particular case is not a high
priority.

Thank you to Jakub Ciolek for reporting this issue.

Fixes CVE-2025-58187
Fixes #75681
Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Reviewed-by: Damien Neil <dn...@google.com>
Reviewed-by: Roland Shoemaker <brac...@google.com>
Auto-Submit: Michael Pratt <mpr...@google.com>
Reviewed-by: Carlos Amedee <car...@golang.org>
Files:
  • M src/crypto/x509/name_constraints_test.go
  • M src/crypto/x509/parser.go
  • M src/crypto/x509/parser_test.go
  • M src/crypto/x509/verify.go
Change size: M
Delta: 4 files changed, 96 insertions(+), 100 deletions(-)
Branch: refs/heads/master
Submit Requirements:
  • Code-Review: +2 by Carlos Amedee
  • TryBots-Pass: LUCI-TryBot-Result+1 by Go LUCI
Gerrit-MessageType: merged
Gerrit-Project: go
Gerrit-Branch: master
Gerrit-Change-Id: I6ebce847dcbe5fc63ef2f9a74f53f11c4c56d3d1
Gerrit-Change-Number: 709854
Gerrit-PatchSet: 2
Gerrit-Owner: Michael Pratt <mpr...@google.com>
Gerrit-Reviewer: Carlos Amedee <car...@golang.org>
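The commit messages above describe replacing the domainToReverseLabels check with a single pass over the name that enforces only the properties that matter, so that validating an untrusted SAN or name constraint costs linear time. As an added example, not the crypto/x509 code from this change, here is a validator of that shape in Go; the hostname rules it enforces (253-byte total, 63-byte labels, letters/digits/hyphens, no leading or trailing hyphen, optional single leading "*." wildcard) are assumed from RFC 1035 and common PKI practice rather than taken from the patch.

```go
package main

import "fmt"

// validDNSName reports whether name is a well-formed DNS hostname, walking the
// bytes once (O(len(name)), no allocations) instead of splitting it into labels
// first. Illustrative only, not the crypto/x509 code the commit message refers
// to; the limits (253 total, 63 per label) are assumed from RFC 1035.
// A single leading "*." label is accepted when allowWildcard is set.
func validDNSName(name string, allowWildcard bool) bool {
	if allowWildcard && len(name) > 2 && name[0] == '*' && name[1] == '.' {
		name = name[2:]
	}
	if len(name) == 0 || len(name) > 253 {
		return false
	}
	labelLen := 0
	for i := 0; i < len(name); i++ {
		c := name[i]
		switch {
		case c == '.':
			// Reject an empty label (leading dot, "..") or a label ending in '-'.
			if labelLen == 0 || name[i-1] == '-' {
				return false
			}
			labelLen = 0
		case c == '-':
			if labelLen == 0 { // a label may not start with '-'
				return false
			}
			labelLen++
		case 'a' <= c && c <= 'z', 'A' <= c && c <= 'Z', '0' <= c && c <= '9':
			labelLen++
		default:
			return false // '_', '/', whitespace, non-ASCII, ... are all invalid
		}
		if labelLen > 63 {
			return false
		}
	}
	last := name[len(name)-1]
	return last != '.' && last != '-' // no trailing dot or hyphen
}

func main() {
	for _, n := range []string{"example.com", "*.example.com", "-bad.example", "a..b", "ex_ample.com"} {
		fmt.Printf("%q valid=%v\n", n, validDNSName(n, true))
	}
}
```

Because the loop never builds intermediate slices, the cost of rejecting a hostile name is bounded by its length, which is the property the commit message is after when it mentions DoS vectors.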