crypto/x509: reject UTF-8 names #26362
The restriction is that certain x509 extensions should be encoded as an IA5String, which is a restricted character set (essentially 0x0-0x80 ASCII). Currently, golang's x509 package performs validation checks on IA5String encoding, but it's not complete. It's still possible to encode several of the Subject Alternative Name extensions ("Domains", "EmailAddresses") as non-IA5Strings. There's also no check on the "URIs" field, but due to
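As an added example (not code from this issue or from the Go project), the IA5String restriction described above applied on the caller's side: NonIA5SANs flags DNSNames and EmailAddresses entries that are not IA5String, while Subject.CommonName is left alone because RFC 5280 types it as a DirectoryString. NewTemplate, BuildSelfSigned and the template values are constructed for this example; BuildSelfSigned hands the template to x509.CreateCertificate, which in current Go releases rejects non-IA5 SANs itself while accepting the UTF-8 common name.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"strings"
)

// isIA5String is true when every rune is within 0x00-0x7F; bytes that are not
// valid UTF-8 decode to utf8.RuneError (0xFFFD) and therefore also fail.
func isIA5String(s string) bool {
	return strings.IndexFunc(s, func(r rune) bool { return r > 0x7F }) < 0
}

// NonIA5SANs lists the DNSNames and EmailAddresses entries of tmpl that cannot be
// encoded as an IA5String, tagged with their field. Subject.CommonName is
// deliberately not inspected: RFC 5280 makes it a DirectoryString, so UTF-8 is fine there.
func NonIA5SANs(tmpl *x509.Certificate) []string {
	var bad []string
	for _, d := range tmpl.DNSNames {
		if !isIA5String(d) {
			bad = append(bad, "DNSNames="+d)
		}
	}
	for _, e := range tmpl.EmailAddresses {
		if !isIA5String(e) {
			bad = append(bad, "EmailAddresses="+e)
		}
	}
	return bad
}

// NewTemplate is a constructed template: a UTF-8 common name (allowed) plus one SAN of each kind.
func NewTemplate(dns, email string) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Jürgen Müller"},
		DNSNames: []string{dns}, EmailAddresses: []string{email}}
}

// BuildSelfSigned has crypto/x509 encode tmpl as a self-signed certificate; in
// current Go releases the library itself returns an error for non-IA5 SANs.
func BuildSelfSigned(tmpl *x509.Certificate) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err == nil {
		_, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	}
	return err
}
```

Run NonIA5SANs on a template before signing to get a field-by-field report instead of the first error the library stops at; "xn--mnchen-3ya.example" with an ASCII mailbox passes both checks, the raw "münchen.example" form fails both.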
One thing to be aware of, the Common Name on an X509 certificate doesn't actually have an IA5String restriction on encoding. You need to use punycode if you're creating an SSL certificate, but RFC 5280 states that "Standard naming attributes, such as common name, employ the DirectoryString type, which supports internationalized names through a variety of language encodings. Conforming implementations MUST support UTF8String and PrintableString."
As far as comparisons go,
However, a recent change (4f9ec2c#diff-14a36701d822b09a804f852a229dfc23R910) was introduced which will result in the rejection of CommonNames with non-ASCII characters in them - caused by
That being said, if the certificate has a non-ASCII character in the DNSName SAN extension, it will still do the comparison and match. Example below:
Please note that X.509 client certificates contain personal names in the common name (CN) attribute!
Those can be encoded in various ways, one of the more exotic cocktail