Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: invalid implementation of Permitted DNS Names #14833

Closed
ayufan opened this issue Mar 15, 2016 · 5 comments
Closed

crypto/x509: invalid implementation of Permitted DNS Names #14833

ayufan opened this issue Mar 15, 2016 · 5 comments
Assignees
Milestone

Comments

@ayufan
Copy link

@ayufan ayufan commented Mar 15, 2016

  1. What version of Go are you using (go version)?

    1.4.3

  2. What operating system and processor architecture are you using (go env)?

    GOARCH="amd64"
    GOOS="darwin"
    
  3. What did you do?

    We received a report that someone is having problem connecting from GitLab Runner to GitLab server. The GitLab Runner is application written in Go. The user when tries to connect sees the x509: a root or intermediate certificate is not authorized to sign in this domain.

    We asked for full certificate chain of problematic server.
    We saw that the CA certificate uses X509v3 Name Constraints with Permitted DNS limitation set.
    The DNS specified in certificate are of format: .domain.com (leading .).

    This is excerpt from RFC 5280 describing the expected implementation of name constraints:

    For URIs, the constraint applies to the host part of the name.  The
    constraint MUST be specified as a fully qualified domain name and MAY
    specify a host or a domain.  Examples would be "host.example.com" and
    ".example.com".  When the constraint begins with a period, it MAY be
    expanded with one or more labels.  That is, the constraint
    ".example.com" is satisfied by both host.example.com and
    my.host.example.com.  However, the constraint ".example.com" is not
    satisfied by "example.com".  When the constraint does not begin with
    a period, it specifies a host.  If a constraint is applied to the
    uniformResourceIdentifier name form and a subsequent certificate
    includes a subjectAltName extension with a uniformResourceIdentifier
    that does not include an authority component with a host name
    specified as a fully qualified domain name (e.g., if the URI either
    does not include an authority component or includes an authority
    component in which the host name is specified as an IP address), then
    the application MUST reject the certificate.
    

    According to implementation checked here: https://golang.org/src/crypto/x509/verify.go#L160 the leading . is not correctly handled by Go crypto library. The constraint .domain.com should be satisfied by host.domain.com and my.host.domain.com.

    Here's the example app: https://play.golang.org/p/tIa1m313_M

  4. What did you expect to see?

    We expected to see a trusted connect to server, signed by the CA with Name Constraints set. The implementation should support DNS constraints that starts with .

  5. What did you see instead?

    The error when connecting the server: x509: a root or intermediate certificate is not authorized to sign in this domain.

@ayufan
Copy link
Author

@ayufan ayufan commented Mar 15, 2016

@ianlancetaylor
Copy link
Contributor

@ianlancetaylor ianlancetaylor commented Mar 16, 2016

CC @agl

@ianlancetaylor ianlancetaylor added this to the Go1.7 milestone Mar 16, 2016
@vanbroup
Copy link
Contributor

@vanbroup vanbroup commented Apr 8, 2016

#15196 should solve this issue

@rsc rsc modified the milestones: Go1.8, Go1.7 May 18, 2016
@agl agl self-assigned this Aug 19, 2016
@gopherbot
Copy link

@gopherbot gopherbot commented Oct 1, 2016

CL https://golang.org/cl/30155 mentions this issue.

@gopherbot gopherbot closed this in e4dafa3 Oct 2, 2016
@ayufan
Copy link
Author

@ayufan ayufan commented Oct 2, 2016

Thanks everyone :)

@golang golang locked and limited conversation to collaborators Oct 2, 2017
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
6 participants
You can’t perform that action at this time.