From f0de4b4f03cdde77305b7ae14bd960130a855182 Mon Sep 17 00:00:00 2001 From: Patryk Chelmecki Date: Wed, 17 May 2023 20:48:28 +0000 Subject: crypto/x509: fix certificate validation with FQDN on Windows MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Currently certificate verification on Windows fails if the provided dns name ends with a dot (which means it is a Fully Qualified Domain Name). The certificates according to RFC 6066 (https://www.rfc-editor.org/rfc/rfc6066#section-3) do not contain that ending dot. Go uses CertVerifyCertificateChainPolicy Windows system call with CERT_CHAIN_POLICY_SSL option for verification of the certificates. That call fails if the specified domain name contains the dot at the end. Examples of other open source codebases that use the same system call and trim the trailing dot before executing it: MongoDb - https://github.com/mongodb/mongo/blob/master/src/mongo/util/net/ssl_manager_windows.cpp#L1777 Dot Net - https://github.com/dotnet/runtime/blob/v7.0.5/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs#L52 Change-Id: I5db558eb277cf00f5401ec0ffc96c935023ad100 GitHub-Last-Rev: cc69ab9be35f79a93279bd618912a3fd6aaa9f88 GitHub-Pull-Request: golang/go#59846 Reviewed-on: https://go-review.googlesource.com/c/go/+/489135 Run-TryBot: Roland Shoemaker Reviewed-by: Roland Shoemaker TryBot-Result: Gopher Robot Reviewed-by: Patryk Chełmecki Auto-Submit: Roland Shoemaker --- src/crypto/x509/root_windows.go | 3 ++- src/crypto/x509/root_windows_test.go | 10 ++++++++++ src/crypto/x509/verify_test.go | 12 ++++++++++++ 3 files changed, 24 insertions(+), 1 deletion(-) diff --git a/src/crypto/x509/root_windows.go b/src/crypto/x509/root_windows.go index 76d6e6ac70..11a4257b01 100644 --- a/src/crypto/x509/root_windows.go +++ b/src/crypto/x509/root_windows.go @@ -7,6 +7,7 @@ package x509 import ( "bytes" "errors" + "strings" "syscall" "unsafe" ) @@ -109,7 +110,7 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e // checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for // use as a certificate chain for a SSL/TLS server. func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error { - servernamep, err := syscall.UTF16PtrFromString(opts.DNSName) + servernamep, err := syscall.UTF16PtrFromString(strings.TrimSuffix(opts.DNSName, ".")) if err != nil { return err } diff --git a/src/crypto/x509/root_windows_test.go b/src/crypto/x509/root_windows_test.go index f6dafe4004..54dbc161dc 100644 --- a/src/crypto/x509/root_windows_test.go +++ b/src/crypto/x509/root_windows_test.go @@ -51,6 +51,16 @@ func TestPlatformVerifier(t *testing.T) { name: "valid chain", host: "google.com", }, + { + name: "valid chain (dns check)", + host: "google.com", + verifyName: "google.com", + }, + { + name: "valid chain (fqdn dns check)", + host: "google.com.", + verifyName: "google.com.", + }, { name: "expired leaf", host: "expired.badssl.com", diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go index 164c47fd6d..988b17e15d 100644 --- a/src/crypto/x509/verify_test.go +++ b/src/crypto/x509/verify_test.go @@ -52,6 +52,18 @@ var verifyTests = []verifyTest{ {"www.google.com", "GTS CA 1C3", "GTS Root R1"}, }, }, + { + name: "Valid (fqdn)", + leaf: googleLeaf, + intermediates: []string{gtsIntermediate}, + roots: []string{gtsRoot}, + currentTime: 1677615892, + dnsName: "www.google.com.", + + expectedChains: [][]string{ + {"www.google.com", "GTS CA 1C3", "GTS Root R1"}, + }, + }, { name: "MixedCase", leaf: googleLeaf, -- cgit v1.2.1