Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

crypto/x509: Partial wildcards are not supported #27629

Closed
agunnerson-ibm opened this issue Sep 11, 2018 · 3 comments
Closed

crypto/x509: Partial wildcards are not supported #27629

agunnerson-ibm opened this issue Sep 11, 2018 · 3 comments
Labels
FrozenDueToAge

Comments

@agunnerson-ibm
Copy link

agunnerson-ibm commented Sep 11, 2018
edited

What version of Go are you using (go version)?

go version go1.11 linux/amd64

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

GOARCH="amd64"
GOBIN=""
GOCACHE="/home/chenxiaolong/.cache/go-build"
GOEXE=""
GOFLAGS=""
GOHOSTARCH="amd64"
GOHOSTOS="linux"
GOOS="linux"
GOPATH="/home/chenxiaolong/go"
GOPROXY=""
GORACE=""
GOROOT="/usr/lib/go"
GOTMPDIR=""
GOTOOLDIR="/usr/lib/go/pkg/tool/linux_amd64"
GCCGO="gccgo"
CC="gcc"
CXX="g++"
CGO_ENABLED="1"
GOMOD=""
CGO_CFLAGS="-g -O2"
CGO_CPPFLAGS=""
CGO_CXXFLAGS="-g -O2"
CGO_FFLAGS="-g -O2"
CGO_LDFLAGS="-g -O2"
PKG_CONFIG="pkg-config"
GOGCCFLAGS="-fPIC -m64 -pthread -fmessage-length=0 -fdebug-prefix-map=/tmp/go-build053678865=/tmp/go-build -gno-record-gcc-switches"

What did you do?

Tried validating a certificate that uses partial wildcards (eg. foo*.example.com) against a hostname (eg. foobar.example.com).

What did you expect to see?

The hostname/SubjectAltName validation should succeed.

What did you see instead?

The validation fails because the optional RFC 6125, section 6.4.3, rule 3 is not implemented.
@gopherbot
Copy link

Change https://golang.org/cl/134715 mentions this issue: crypto/x509: Add support for partial wildcard matching (RFC6125 6.4.3)

@agunnerson-ibm
Copy link
Author

I submitted a PR to implement this since we're looking to use certificates with partial wildcards and it seems that other common tools/libraries implement this too. For example:

@agunnerson-ibm
Copy link
Author

Closing per @agl's explanation in the Gerrit PR:

Thank you for the effort, but this isn't something that we would want to support I'm afraid.

We (being the wider PKI community) have worked hard to define and constrain wildcards, which were fairly wild (excuse the pun) for a long time, because differences in interpretations of wildcards between systems is dangerous.

Now wildcards are defined in the Baseline[1] as "A Domain Name consisting of a single asterisk character followed by a single full stop character (“*.”) followed by a Fully-Qualified Domain Name.". That's the complete definition that clients should support.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.0.pdf

@golang golang locked and limited conversation to collaborators Sep 11, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
FrozenDueToAge
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@gopherbot @agunnerson-ibm