Google Git
Sign in
go / crypto / f8560614bab07ea1beea7bfb204cfa9d521d2484
commitf8560614bab07ea1beea7bfb204cfa9d521d2484[log] [tgz]
authorAofei Sheng <aofei@aofeisheng.com>Mon Apr 22 17:01:29 2019 +0000
committerBrad Fitzpatrick <bradfitz@golang.org>Mon Apr 22 17:19:13 2019 +0000
tree7efadffdfbccf9c06be3b67d654420da41d89776
parentaf44ce270edf2f3f6c9e80b84f46bd6dd6f657d0 [diff]
acme/autocert: make host of TLS certificate to be obtained always Punycode

According to the [RFC 5280, section 4.2.1.6](https://tools.ietf.org/html/rfc5280#section-4.2.1.6):

> ...
> When the subjectAltName extension contains a domain name system
> label, the domain name MUST be stored in the dNSName (an IA5String).
> The name MUST be in the "preferred name syntax", as specified by
> Section 3.5 of [RFC1034] and as modified by Section 2.1 of
> [RFC1123].  Note that while uppercase and lowercase letters are
> allowed in domain names, no significance is attached to the case.
> ...

And the [RFC 1034, section 3.5](https://tools.ietf.org/html/rfc1034#section-3.5):

> ...
> Note that while upper and lower case letters are allowed in domain
> names, no significance is attached to the case.  That is, two names with
> the same spelling but different case are to be treated as if identical.
> ...

We should return the same TLS certificate for both `example.com` and `EXAMPLE.COM`. But the `autocert.Manager.GetCertificate` treats the two as totally different, it signs and returns two different TLS certificates.

Moreover, now the `autocert.Manager.GetCertificate` and the `autocert.HostWhitelist` can only handle Punycode IDN. If the client sends a Unicode IDN to `autocert.Manager.GetCertificate` (cURL is doing this), the "Invalid character in DNS name" error will be triggered.

This PR corrects these problems by converting the host of the TLS certificate to be obtained to Punycode via `idna.Lookup.ToASCII`.

Change-Id: I993821b3a6ae532a53772e2db00524479ef111af
GitHub-Last-Rev: 6c12694574b6ac71a920da8a8bdb130c0b6e0272
GitHub-Pull-Request: golang/crypto#85
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/171997
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
4 files changed
tree: 7efadffdfbccf9c06be3b67d654420da41d89776
  1. acme/
  2. argon2/
  3. bcrypt/
  4. blake2b/
  5. blake2s/
  6. blowfish/
  7. bn256/
  8. cast5/
  9. chacha20poly1305/
  10. cryptobyte/
  11. curve25519/
  12. ed25519/
  13. hkdf/
  14. internal/
  15. md4/
  16. nacl/
  17. ocsp/
  18. openpgp/
  19. otr/
  20. pbkdf2/
  21. pkcs12/
  22. poly1305/
  23. ripemd160/
  24. salsa20/
  25. scrypt/
  26. sha3/
  27. ssh/
  28. tea/
  29. twofish/
  30. xtea/
  31. xts/
  32. .gitattributes
  33. .gitignore
  34. AUTHORS
  35. codereview.cfg
  36. CONTRIBUTING.md
  37. CONTRIBUTORS
  38. go.mod
  39. go.sum
  40. LICENSE
  41. PATENTS
  42. README.md
README.md

Go Cryptography

This repository holds supplementary Go cryptography libraries.

Download/Install

The easiest way to install is to run go get -u golang.org/x/crypto/.... You can also manually git clone the repository to $GOPATH/src/golang.org/x/crypto.

Report Issues / Send Patches

This repository uses Gerrit for code changes. To learn how to submit changes to this repository, see https://golang.org/doc/contribute.html.

The main issue tracker for the crypto repository is located at https://github.com/golang/go/issues. Prefix your issue with “x/crypto:” in the subject line, so it is easy to find.

Note that contributions to the cryptography package receive additional scrutiny due to their sensitive nature. Patches may take longer than normal to receive feedback.