x509: sync with sdk #223

smx509/name_constraints_test.go

@@ -1599,6 +1599,14 @@ var nameConstraintsTests = []nameConstraintsTest{
 			cn:   "foo.bar",
 		},
 	},
+
+	// #85: .example.com is an invalid DNS name, it should not match the
+	// constraint example.com.
+	{
+		roots:         []constraintsSpec{{ok: []string{"dns:example.com"}}},
+		leaf:          leafSpec{sans: []string{"dns:.example.com"}},
+		expectedError: "cannot parse dnsName \".example.com\"",
+	},
 }
 
 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {

smx509/parser.go

@@ -765,6 +765,10 @@ func processExtensions(out *Certificate) error {
 
 			case 35:
 				// RFC 5280, 4.2.1.1
+				if e.Critical {
+					// Conforming CAs MUST mark this extension as non-critical
+					return errors.New("x509: authority key identifier incorrectly marked critical")
+				}				
 				val := cryptobyte.String(e.Value)
 				var akid cryptobyte.String
 				if !val.ReadASN1(&akid, cryptobyte_asn1.SEQUENCE) {
@@ -783,6 +787,10 @@ func processExtensions(out *Certificate) error {
 				}
 			case 14:
 				// RFC 5280, 4.2.1.2
+				if e.Critical {
+					// Conforming CAs MUST mark this extension as non-critical
+					return errors.New("x509: subject key identifier incorrectly marked critical")
+				}				
 				val := cryptobyte.String(e.Value)
 				var skid cryptobyte.String
 				if !val.ReadASN1(&skid, cryptobyte_asn1.OCTET_STRING) {
@@ -800,6 +808,10 @@ func processExtensions(out *Certificate) error {
 			}
 		} else if e.Id.Equal(oidExtensionAuthorityInfoAccess) {
 			// RFC 5280 4.2.2.1: Authority Information Access
+			if e.Critical {
+				// Conforming CAs MUST mark this extension as non-critical
+				return errors.New("x509: authority info access incorrectly marked critical")
+			}			
 			val := cryptobyte.String(e.Value)
 			if !val.ReadASN1(&val, cryptobyte_asn1.SEQUENCE) {
 				return errors.New("x509: invalid authority info access")

smx509/verify.go

@@ -256,6 +256,11 @@ func domainToReverseLabels(domain string) (reverseLabels []string, ok bool) {
 		} else {
 			reverseLabels = append(reverseLabels, domain[i+1:])
 			domain = domain[:i]
+			if i == 0 { // domain == ""
+				// domain is prefixed with an empty label, append an empty
+				// string to reverseLabels to indicate this.
+				reverseLabels = append(reverseLabels, "")
+			}			
 		}
 	}
 
@@ -860,6 +865,11 @@ func validHostname(host string, isPattern bool) bool {
 	if len(host) == 0 {
 		return false
 	}
+	if host == "*" {
+		// Bare wildcards are not allowed, they are not valid DNS names,
+		// nor are they allowed per RFC 6125.
+		return false
+	}
 
 	for i, part := range strings.Split(host, ".") {
 		if part == "" {

smx509/verify_test.go

@@ -2783,3 +2783,29 @@ func TestVerifyNilPubKey(t *testing.T) {
 		t.Fatalf("buildChains returned unexpected error, got: %v, want %v", err, UnknownAuthorityError{})
 	}
 }
+
+func TestVerifyBareWildcard(t *testing.T) {
+	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	if err != nil {
+		t.Fatalf("failed to generate key: %s", err)
+	}
+	tmpl := &Certificate{
+		SerialNumber: big.NewInt(1),
+		Subject:      pkix.Name{CommonName: "test"},
+		NotBefore:    time.Now().Add(-time.Hour),
+		NotAfter:     time.Now().Add(time.Hour),
+		DNSNames:     []string{"*"},
+	}
+	cDER, err := CreateCertificate(rand.Reader, tmpl, tmpl, k.Public(), k)
+	if err != nil {
+		t.Fatalf("failed to create certificate: %s", err)
+	}
+	c, err := ParseCertificate(cDER)
+	if err != nil {
+		t.Fatalf("failed to parse certificate: %s", err)
+	}
+
+	if err := c.VerifyHostname("label"); err == nil {
+		t.Fatalf("VerifyHostname unexpected success with bare wildcard SAN")
+	}
+}