Ignore IP address SANs with an invalid length

This commit is contained in:
Andrew Ayer 2016-05-01 14:52:19 -07:00
parent ca8f60740a
commit 3ec8a0a3db
1 changed files with 9 additions and 4 deletions


@ -3,7 +3,6 @@ package ctwatch
import ( import (
"bytes" "bytes"
"strings" "strings"
"fmt"
"net" "net"
"unicode/utf8" "unicode/utf8"
"golang.org/x/net/idna" "golang.org/x/net/idna"
@ -197,11 +196,17 @@ func (tbs *TBSCertificate) ParseIdentifiers () (*Identifiers, error) {
case sanDNSName: case sanDNSName:
ids.AddDnsSAN(san.Value) ids.AddDnsSAN(san.Value)
case sanIPAddress: case sanIPAddress:
if !(len(san.Value) == 4 || len(san.Value) == 16) { if len(san.Value) == 4 || len(san.Value) == 16 {
return nil, fmt.Errorf("IP Address SAN has bogus length %d", len(san.Value))
}
ids.AddIPAddress(net.IP(san.Value)) ids.AddIPAddress(net.IP(san.Value))
} }
// TODO: decide what to do with IP addresses with an invalid length.
// The two encoding errors I've observed in CT logs are:
// 1. encoding the IP address as a string
// 2. a value of 0x00000000FFFFFF00 (WTF?)
// IP addresses aren't a high priority so just ignore invalid ones for now.
// Hopefully no clients out there are dumb enough to process IP address
// SANs encoded as strings...
}
} }
return ids, nil return ids, nil
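Review bot: Malformed IP SANs are now dropped with no trace at the new `if` in the `sanIPAddress` branch, so a certificate whose only SAN is a bad IP value comes back with an empty identifier set and downstream code presumably treats it as a certificate with nothing to watch; for a log monitor that is lost signal rather than a safe default, and a bare-length filter is exactly the kind of silent decision that deserves to be visible. Keeping the rejected bytes somewhere the caller can inspect, or at least noting the skip at the point of decision with a comment such as `// malformed length: skipped, see TODO below`, would make the anomaly observable. The length test also does not rule out the first encoding error listed in the TODO: a string-encoded address that happens to be exactly 4 or 16 bytes long still passes and is handed to `net.IP` as if it were raw address bytes. ParseIdentifiers starts before this hunk, so how callers react to an empty result cannot be confirmed from here.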