From 19c5f86d235e989aa704a723c1add608f31ba794 Mon Sep 17 00:00:00 2001
From: Andrew Ayer
Date: Tue, 26 Apr 2016 14:14:08 -0700
Subject: [PATCH] Allow DNS SANs to contain UTF-8

There are too many certs in the wild which have UTF-8 in their DNS SANs.
---
 x509.go | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/x509.go b/x509.go
index ec4060d..b01da32 100644
--- a/x509.go
+++ b/x509.go
@@ -5,6 +5,7 @@ import (
 	"bytes"
 	"errors"
 	"encoding/asn1"
+	"unicode/utf8"
 	"math/big"
 	"time"
 )
@@ -279,16 +280,6 @@ func (cert *Certificate) ParseTBSCertificate () (*TBSCertificate, error) {
 	return ParseTBSCertificate(cert.GetRawTBSCertificate())
 }
 
-
-func isAscii (bytes []byte) bool {
-	for _, b := range bytes {
-		if b > 127 {
-			return false
-		}
-	}
-	return true
-}
-
 func parseSANExtension (value []byte) ([]string, error) {
 	var dnsNames []string
 	var seq asn1.RawValue
@@ -315,8 +306,10 @@ func parseSANExtension (value []byte) ([]string, error) {
 	}
 	switch val.Tag {
 	case 2:
-		if !isAscii(val.Bytes) {
-			return nil, errors.New("failed to parse subjectAltName: DNS name contains non-ASCII characters")
+		// This should be an IA5String (i.e. ASCII) with IDNs encoded in Punycode, but there are
+		// too many certs in the wild which have UTF-8 in their DNS SANs.
+		if !utf8.Valid(val.Bytes) {
+			return nil, errors.New("failed to parse subjectAltName: DNS name contains invalid UTF-8")
 		}
 		dnsNames = append(dnsNames, string(val.Bytes))
 	}
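Review bot: `utf8.Valid` on the new `if !utf8.Valid(val.Bytes)` line only checks that the bytes are well-formed UTF-8, so a DNS SAN can now carry C1 control characters, bidi-override and zero-width code points in addition to the NUL and C0 controls the old ASCII check already let through, and all of them flow unchanged into the returned dnsNames. If the intent is only to tolerate UTF-8 hostnames, a tighter guard such as `if !utf8.Valid(val.Bytes) || bytes.IndexFunc(val.Bytes, unicode.IsControl) != -1 {` (with `"unicode"` added to the import block; `bytes` is already imported) keeps the commit's purpose while keeping control bytes out of whatever later prints or compares these names. The function's guarantee has also changed silently from "every returned name is ASCII" to "every returned name is valid UTF-8"; if callers match these names against Punycode-encoded domains, a U-label SAN will presumably no longer compare equal to its A-label form and would need an IDNA ToASCII step first — confirm against the callers. The start of parseSANExtension lies outside this hunk; a doc comment there, e.g. `// parseSANExtension returns the dNSName entries of a subjectAltName extension. Names are guaranteed to be valid UTF-8 (not necessarily ASCII) and are not otherwise validated or normalized.`, would record the new contract.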