crypto/x509: fix certificate validation with FQDN on Windows

Currently certificate verification on Windows fails if the provided dns name ends with a dot (which means it is a Fully Qualified Domain Name). The certificates according to RFC 6066 (https://www.rfc-editor.org/rfc/rfc6066#section-3) do not contain that ending dot. Go uses CertVerifyCertificateChainPolicy Windows system call with CERT_CHAIN_POLICY_SSL option for verification of the certificates. That call fails if the specified domain name contains the dot at the end. Examples of other open source codebases that use the same system call and trim the trailing dot before executing it: MongoDb - https://github.com/mongodb/mongo/blob/master/src/mongo/util/net/ssl_manager_windows.cpp#L1777 Dot Net - https://github.com/dotnet/runtime/blob/v7.0.5/src/libraries/System.Net.Security/src/System/Net/Security/SslAuthenticationOptions.cs#L52 Change-Id: I5db558eb277cf00f5401ec0ffc96c935023ad100 GitHub-Last-Rev: cc69ab9 GitHub-Pull-Request: #59846 Reviewed-on: https://go-review.googlesource.com/c/go/+/489135 Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Roland Shoemaker <roland@golang.org> TryBot-Result: Gopher Robot <gobot@golang.org> Reviewed-by: Patryk Chełmecki <patchelmecki@google.com> Auto-Submit: Roland Shoemaker <roland@golang.org>
golang · May 17, 2023 · f0de4b4 · f0de4b4
1 parent a1674f3
commit f0de4b4
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 1 deletion.
diff --git a/src/crypto/x509/root_windows.go b/src/crypto/x509/root_windows.go
@@ -7,6 +7,7 @@ package x509
 import (
 	"bytes"
 	"errors"
+	"strings"
 	"syscall"
 	"unsafe"
 )
@@ -109,7 +110,7 @@ func checkChainTrustStatus(c *Certificate, chainCtx *syscall.CertChainContext) e
 // checkChainSSLServerPolicy checks that the certificate chain in chainCtx is valid for
 // use as a certificate chain for a SSL/TLS server.
 func checkChainSSLServerPolicy(c *Certificate, chainCtx *syscall.CertChainContext, opts *VerifyOptions) error {
-	servernamep, err := syscall.UTF16PtrFromString(opts.DNSName)
+	servernamep, err := syscall.UTF16PtrFromString(strings.TrimSuffix(opts.DNSName, "."))
 	if err != nil {
 		return err
 	}

diff --git a/src/crypto/x509/root_windows_test.go b/src/crypto/x509/root_windows_test.go
@@ -51,6 +51,16 @@ func TestPlatformVerifier(t *testing.T) {
 			name: "valid chain",
 			host: "google.com",
 		},
+		{
+			name:       "valid chain (dns check)",
+			host:       "google.com",
+			verifyName: "google.com",
+		},
+		{
+			name:       "valid chain (fqdn dns check)",
+			host:       "google.com.",
+			verifyName: "google.com.",
+		},
 		{
 			name:        "expired leaf",
 			host:        "expired.badssl.com",

diff --git a/src/crypto/x509/verify_test.go b/src/crypto/x509/verify_test.go
@@ -52,6 +52,18 @@ var verifyTests = []verifyTest{
 			{"www.google.com", "GTS CA 1C3", "GTS Root R1"},
 		},
 	},
+	{
+		name:          "Valid (fqdn)",
+		leaf:          googleLeaf,
+		intermediates: []string{gtsIntermediate},
+		roots:         []string{gtsRoot},
+		currentTime:   1677615892,
+		dnsName:       "www.google.com.",
+
+		expectedChains: [][]string{
+			{"www.google.com", "GTS CA 1C3", "GTS Root R1"},
+		},
+	},
 	{
 		name:          "MixedCase",
 		leaf:          googleLeaf,