diff options
| author | Patryk Chelmecki <pat.chelmecki@gmail.com> | 2023-05-17 20:48:28 +0000 |
|---|---|---|
| committer | Gopher Robot <gobot@golang.org> | 2023-05-17 21:01:16 +0000 |
| commit | f0de4b4f03cdde77305b7ae14bd960130a855182 (patch) | |
| tree | 4735e38aa848478047ace389f6b62b29d2518551 | |
| parent | a1674f3ee30bf46d22fcac115529ce830f8c9ac9 (diff) | |
| download | go-git-f0de4b4f03cdde77305b7ae14bd960130a855182.tar.gz | |
crypto/x509: fix certificate validation with FQDN on Windows
Currently certificate verification on Windows fails if the provided dns name ends with a dot (which means it is a Fully Qualified Domain Name). The certificates according to RFC 6066 (https://www.rfc-editor.org/rfc/rfc6066#section-3) do not contain that ending dot. Go uses CertVerifyCertificateChainPolicy Windows system call with CERT_CHAIN_POLICY_SSL option for verification of the certificates. That call fails if the specified domain name contains the dot at the end.
Examples of other open source codebases that use the same system call and trim the trailing dot before executing it:
MongoDb - https://github.com/mongodb/mongo/blob/master/src/mongo/util/net/ssl_manager_windows.cpp#L1777
Dot Net - https://github.com/dotnet/runtime/blob/v7.0.5/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs#L52
Change-Id: I5db558eb277cf00f5401ec0ffc96c935023ad100
GitHub-Last-Rev: cc69ab9be35f79a93279bd618912a3fd6aaa9f88
GitHub-Pull-Request: golang/go#59846
Reviewed-on: https://go-review.googlesource.com/c/go/+/489135
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Patryk Chełmecki <patchelmecki@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
| -rw-r--r-- | src/crypto/x509/root_windows.go | 3 | ||||
| -rw-r--r-- | src/crypto/x509/root_windows_test.go | 10 | ||||
| -rw-r--r-- | src/crypto/x509/verify_test.go | 12 |
3 files changed, 24 insertions, 1 deletions
diff --git a/src/crypto/x509/root_windows.go b/src/crypto/x509/root_windows.go index 76d6e6ac70..11a4257b01 100644 --- a/src/crypto/x509/root_windows.go +++ b/src/crypto/x509/root_windows.go @@ -7,6 +7,7 @@ package x509 import ( "bytes" "errors" + "strings" "syscall" "unsafe" ) @@ -109,7 +110,7 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e // checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for // use as a certificate chain for a SSL/TLS server. func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error { - servernamep, err := syscall.UTF16PtrFromString(opts.DNSName) + servernamep, err := syscall.UTF16PtrFromString(strings.TrimSuffix(opts.DNSName, ".")) if err != nil { return err } diff --git a/src/crypto/x509/root_windows_test.go b/src/crypto/x509/root_windows_test.go index f6dafe4004..54dbc161dc 100644 --- a/src/crypto/x509/root_windows_test.go +++ b/src/crypto/x509/root_windows_test.go @@ -52,6 +52,16 @@ func TestPlatformVerifier(t *testing.T) { host: "google.com", }, { + name: "valid chain (dns check)", + host: "google.com", + verifyName: "google.com", + }, + { + name: "valid chain (fqdn dns check)", + host: "google.com.", + verifyName: "google.com.", + }, + { name: "expired leaf", host: "expired.badssl.com", expectedErr: "x509: certificate has expired or is not yet valid: ", diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go index 164c47fd6d..988b17e15d 100644 --- a/src/crypto/x509/verify_test.go +++ b/src/crypto/x509/verify_test.go @@ -53,6 +53,18 @@ var verifyTests = []verifyTest{ }, }, { + name: "Valid (fqdn)", + leaf: googleLeaf, + intermediates: []string{gtsIntermediate}, + roots: []string{gtsRoot}, + currentTime: 1677615892, + dnsName: "www.google.com.", + + expectedChains: [][]string{ + {"www.google.com", "GTS CA 1C3", "GTS Root R1"}, + }, + }, + { name: "MixedCase", leaf: googleLeaf, intermediates: []string{gtsIntermediate}, |