[release-branch.go1.24] crypto/x509: fix single label excluded name constraints handling

Only strip labels when both the domain and constraint have more than one label. Fixes #76935 Fixes #77322 Change-Id: I1144c9f03cbfc3b858af153a839b193bb934618d Reviewed-on: https://go-review.googlesource.com/c/go/+/739420 Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org> Auto-Submit: Dmitri Shuralyov <dmitshur@google.com> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Damien Neil <dneil@google.com>
2026-01-29 07:02:05 +03:00 · 2026-01-26 16:11:44 -08:00
parent 14d0bb39c1
commit 2c4733c609
2 changed files with 17 additions and 1 deletions
--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@@ -1658,6 +1658,22 @@ var nameConstraintsTests = []nameConstraintsTest{
 		},
 		expectedError: "\"*.example.com\" is not permitted",
 	},
+	// #89: a TLD constraint doesn't exclude unrelated wildcards
+	{
+		roots: []constraintsSpec{
+			{
+				bad: []string{"dns:tld"},
+			},
+		},
+		intermediates: [][]constraintsSpec{
+			{
+				{},
+			},
+		},
+		leaf: leafSpec{
+			sans: []string{"dns:*.example.com"},
+		},
+	},
 }

 func makeConstraintsCACert(constraints constraintsSpec, name string, key *ecdsa.PrivateKey, parent *Certificate, parentKey *ecdsa.PrivateKey) (*Certificate, error) {
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -546,7 +546,7 @@ func matchDomainConstraint(domain, constraint string, excluded bool, reversedDom
 		return false, nil
 	}

-	if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 0 {
+	if excluded && wildcardDomain && len(domainLabels) > 1 && len(constraintLabels) > 1 {
 		domainLabels = domainLabels[:len(domainLabels)-1]
 		constraintLabels = constraintLabels[:len(constraintLabels)-1]
 	}