Ignore IP address SANs with an invalid length
parent
ca8f60740a
commit
3ec8a0a3db
|
@ -3,7 +3,6 @@ package ctwatch
|
||||||
import (
|
import (
|
||||||
"bytes"
|
"bytes"
|
||||||
"strings"
|
"strings"
|
||||||
"fmt"
|
|
||||||
"net"
|
"net"
|
||||||
"unicode/utf8"
|
"unicode/utf8"
|
||||||
"golang.org/x/net/idna"
|
"golang.org/x/net/idna"
|
||||||
|
@ -197,11 +196,17 @@ func (tbs *TBSCertificate) ParseIdentifiers () (*Identifiers, error) {
|
||||||
case sanDNSName:
|
case sanDNSName:
|
||||||
ids.AddDnsSAN(san.Value)
|
ids.AddDnsSAN(san.Value)
|
||||||
case sanIPAddress:
|
case sanIPAddress:
|
||||||
if !(len(san.Value) == 4 || len(san.Value) == 16) {
|
if len(san.Value) == 4 || len(san.Value) == 16 {
|
||||||
return nil, fmt.Errorf("IP Address SAN has bogus length %d", len(san.Value))
|
|
||||||
}
|
|
||||||
ids.AddIPAddress(net.IP(san.Value))
|
ids.AddIPAddress(net.IP(san.Value))
|
||||||
}
|
}
|
||||||
|
// TODO: decide what to do with IP addresses with an invalid length.
|
||||||
|
// The two encoding errors I've observed in CT logs are:
|
||||||
|
// 1. encoding the IP address as a string
|
||||||
|
// 2. a value of 0x00000000FFFFFF00 (WTF?)
|
||||||
|
// IP addresses aren't a high priority so just ignore invalid ones for now.
|
||||||
|
// Hopefully no clients out there are dumb enough to process IP address
|
||||||
|
// SANs encoded as strings...
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
return ids, nil
|
return ids, nil
|
||||||
|
|
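Review bot: The new guard `if len(san.Value) == 4 || len(san.Value) == 16 {` drops every other IP address SAN without any trace, so a certificate whose only watched identifier is a mis-encoded IP SAN (the string-encoded case the comment itself describes) will never be matched by the monitor — for a CT watcher that silent miss is the more dangerous failure mode compared to the hard error this commit removes. Since an IP SAN written as a string is unambiguous to decode, consider a fallback before giving up: `} else if ip := net.ParseIP(string(san.Value)); ip != nil {` followed by `ids.AddIPAddress(ip)`. If that is not wanted, at least count or log the skipped SAN so the omission is observable rather than relying on the `Hopefully no clients out there are dumb enough ...` assumption. ParseIdentifiers begins before this hunk, so whether the enclosing loop already records unparseable SANs somewhere is not visible here.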