crypto/x509: make behaviour of absolute DNS names match Chromium.

Previously, we didn't handle absolute DNS names in certificates the same way as Chromium, and we probably shouldn't diverge from major browsers. Change-Id: I56a3962ad1002f68b5dbd65ae90991b82c2f5629 Reviewed-on: https://go-review.googlesource.com/5692 Reviewed-by: Andrew Gerrand <[email protected]> Reviewed-by: Brad Fitzpatrick <[email protected]>
greyhwndz · Feb 24, 2015 · abf8bbb · abf8bbb
1 parent e7fae68
commit abf8bbb
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 1 deletion.
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
@@ -324,6 +324,7 @@ nextIntermediate:
 
 func matchHostnames(pattern, host string) bool {
 	host = strings.TrimSuffix(host, ".")
+	pattern = strings.TrimSuffix(pattern, ".")
 
 	if len(pattern) == 0 || len(host) == 0 {
 		return false

diff --git a/src/crypto/x509/x509_test.go b/src/crypto/x509/x509_test.go
@@ -161,7 +161,6 @@ var matchHostnamesTests = []matchHostnamesTest{
 	{"", "b.b.c", false},
 	{"a.b.c", "", false},
 	{"example.com", "example.com", true},
-	{"example.com", "example.com.", true},
 	{"example.com", "www.example.com", false},
 	{"*.example.com", "example.com", false},
 	{"*.example.com", "www.example.com", true},
@@ -174,6 +173,13 @@ var matchHostnamesTests = []matchHostnamesTest{
 	{"", ".", false},
 	{".", "", false},
 	{".", ".", false},
+	{"example.com", "example.com.", true},
+	{"example.com.", "example.com", true},
+	{"example.com.", "example.com.", true},
+	{"*.com.", "example.com.", true},
+	{"*.com.", "example.com", true},
+	{"*.com", "example.com", true},
+	{"*.com", "example.com.", true},
 }
 
 func TestMatchHostnames(t *testing.T) {