Commit 7d9acff7 authored by Adam Langley's avatar Adam Langley

crypto/x509: name constraints should be a disjunction.

The code was requiring that all constraints be met, but it should be
satisfied by meeting *any* of them.

R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/15570044
parent efed6f99
...@@ -154,14 +154,18 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V ...@@ -154,14 +154,18 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
} }
if len(c.PermittedDNSDomains) > 0 { if len(c.PermittedDNSDomains) > 0 {
ok := false
for _, domain := range c.PermittedDNSDomains { for _, domain := range c.PermittedDNSDomains {
if opts.DNSName == domain || if opts.DNSName == domain ||
(strings.HasSuffix(opts.DNSName, domain) && (strings.HasSuffix(opts.DNSName, domain) &&
len(opts.DNSName) >= 1+len(domain) && len(opts.DNSName) >= 1+len(domain) &&
opts.DNSName[len(opts.DNSName)-len(domain)-1] == '.') { opts.DNSName[len(opts.DNSName)-len(domain)-1] == '.') {
continue ok = true
break
} }
}
if !ok {
return CertificateInvalidError{c, CANotAuthorizedForThisName} return CertificateInvalidError{c, CANotAuthorizedForThisName}
} }
} }
......