crypto/x509: return better error when a certificate contains no names.

Currently, if a certificate contains no names (that we parsed), verification will return the confusing error: x509: certificate is valid for , not example.com. This change improves the error for that situation. Fixes #16834. Change-Id: I2ed9ed08298d7d50df758e503bdb55277449bf55 Reviewed-on: https://go-review.googlesource.com/30152Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>

crypto/x509: return better error when a certificate contains no names.
Currently, if a certificate contains no names (that we parsed), verification will return the confusing error: x509: certificate is valid for , not example.com. This change improves the error for that situation. Fixes #16834. Change-Id: I2ed9ed08298d7d50df758e503bdb55277449bf55 Reviewed-on: https://go-review.googlesource.com/30152Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org> Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org>
49aa1d79 · Adam Langley · e4dafa32 · 49aa1d79
Commit 49aa1d79 authored Sep 30, 2016 by Adam Langley
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 0 deletions

verify.go src/crypto/x509/verify.go +4 -0

No files found.
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -87,6 +87,10 @@ func (h HostnameError) Error() string {
 			valid = c.Subject.CommonName
 		}
 	}
+
+	if len(valid) == 0 {
+		return "x509: certificate is not valid for any names, but wanted to match " + h.Host
+	}
 	return "x509: certificate is valid for " + valid + ", not " + h.Host
 }