Tandem
/
certspotter
mirror of https://github.com/SSLMate/certspotter.git
2
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Ignore IP address SANs with an invalid length

This commit is contained in:
Andrew Ayer 2016-05-01 14:52:19 -07:00
parent ca8f60740a
commit 3ec8a0a3db
1 changed files with 9 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
identifiers.go
View File

@ -3,7 +3,6 @@ package ctwatch
import ( import (
"bytes" "bytes"
"strings" "strings"
"fmt"
"net" "net"
"unicode/utf8" "unicode/utf8"
"golang.org/x/net/idna" "golang.org/x/net/idna"
@ -197,10 +196,16 @@ func (tbs *TBSCertificate) ParseIdentifiers () (*Identifiers, error) {
case sanDNSName: case sanDNSName:
ids.AddDnsSAN(san.Value) ids.AddDnsSAN(san.Value)
case sanIPAddress: case sanIPAddress:
if !(len(san.Value) == 4 || len(san.Value) == 16) { if len(san.Value) == 4 || len(san.Value) == 16 {
return nil, fmt.Errorf("IP Address SAN has bogus length %d", len(san.Value)) ids.AddIPAddress(net.IP(san.Value))
} }
ids.AddIPAddress(net.IP(san.Value)) // TODO: decide what to do with IP addresses with an invalid length.
// The two encoding errors I've observed in CT logs are:
// 1. encoding the IP address as a string
// 2. a value of 0x00000000FFFFFF00 (WTF?)
// IP addresses aren't a high priority so just ignore invalid ones for now.
// Hopefully no clients out there are dumb enough to process IP address
// SANs encoded as strings...
} }
} }