Allow DNS SANs to contain UTF-8

There are too many certs in the wild which have UTF-8 in their DNS SANs.
Andrew Ayer 2016-04-26 14:14:08 -07:00
parent 2426817cd5
commit 19c5f86d23
1 changed files with 5 additions and 12 deletions

17
x509.go

@ -5,6 +5,7 @@ import (
"bytes" "bytes"
"errors" "errors"
"encoding/asn1" "encoding/asn1"
"unicode/utf8"
"math/big" "math/big"
"time" "time"
) )
@ -279,16 +280,6 @@ func (cert *Certificate) ParseTBSCertificate () (*TBSCertificate, error) {
return ParseTBSCertificate(cert.GetRawTBSCertificate()) return ParseTBSCertificate(cert.GetRawTBSCertificate())
} }
func isAscii (bytes []byte) bool {
for _, b := range bytes {
if b > 127 {
return false
}
}
return true
}
func parseSANExtension (value []byte) ([]string, error) { func parseSANExtension (value []byte) ([]string, error) {
var dnsNames []string var dnsNames []string
var seq asn1.RawValue var seq asn1.RawValue
@ -315,8 +306,10 @@ func parseSANExtension (value []byte) ([]string, error) {
} }
switch val.Tag { switch val.Tag {
case 2: case 2:
if !isAscii(val.Bytes) { // This should be an IA5String (i.e. ASCII) with IDNs encoded in Punycode, but there are
return nil, errors.New("failed to parse subjectAltName: DNS name contains non-ASCII characters") // too many certs in the wild which have UTF-8 in their DNS SANs.
if !utf8.Valid(val.Bytes) {
return nil, errors.New("failed to parse subjectAltName: DNS name contains invalid UTF-8")
} }
dnsNames = append(dnsNames, string(val.Bytes)) dnsNames = append(dnsNames, string(val.Bytes))
} }
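Review bot: The `case 2` branch now appends any name that passes `utf8.Valid`, so `parseSANExtension` can return raw non-ASCII labels alongside Punycode ones, and nothing visible in this hunk normalises or marks them. Callers that match these names against ASCII/Punycode domains will presumably miss a U-label spelling of the same name. `utf8.Valid` also accepts control characters, so the strings should be escaped when logged or displayed, for example with `%q`. I would extend the new comment with `// Returned names may therefore be non-ASCII; callers must normalise to A-labels before matching.` or perform that conversion in this branch. The function extends beyond this hunk on both sides, so handling elsewhere may already cover this.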