8311546: Certificate name constraints improperly validated with leading period

Reviewed-by: mullan
2025-08-28 23:34:52 +02:00 · 2023-11-01 16:49:50 +00:00 · 2023-11-01 16:49:50 +00:00 · bfaf5704e7
commit bfaf5704e7
parent d354141aa1
8 changed files with 303 additions and 9 deletions
--- a/src/java.base/share/classes/sun/security/x509/DNSName.java
+++ b/src/java.base/share/classes/sun/security/x509/DNSName.java
@ -200,18 +200,12 @@ public class DNSName implements GeneralNameInterface {
     * </ul>.  These results are used in checking NameConstraints during
     * certification path verification.
     * <p>
-     * RFC5280: DNS name restrictions are expressed as host.example.com.
+     * RFC5280: For DNS names, restrictions MUST use the DNSName syntax in Section 4.2.1.6.
     * Any DNS name that can be constructed by simply adding zero or more
     * labels to the left-hand side of the name satisfies the name constraint.
     * For example, www.host.example.com would satisfy the constraint but
     * host1.example.com would not.
     * <p>
-     * RFC 5280:  DNSName restrictions are expressed as foo.bar.com.
-     * Any DNSName that
-     * can be constructed by simply adding to the left-hand side of the name
-     * satisfies the name constraint. For example, www.foo.bar.com would
-     * satisfy the constraint but foo1.bar.com would not.
-     * <p>
     * RFC1034: By convention, domain names can be stored with arbitrary case, but
     * domain name comparisons for all present domain functions are done in a
     * case-insensitive manner, assuming an ASCII character set, and a high
@ -236,13 +230,13 @@ public class DNSName implements GeneralNameInterface {
                constraintType = NAME_MATCH;
            else if (thisName.endsWith(inName)) {
                int inNdx = thisName.lastIndexOf(inName);
-                if (thisName.charAt(inNdx-1) == '.' )
+                if (thisName.charAt(inNdx-1) == '.' ^ inName.charAt(0) == '.')
                    constraintType = NAME_WIDENS;
                else
                    constraintType = NAME_SAME_TYPE;
            } else if (inName.endsWith(thisName)) {
                int ndx = inName.lastIndexOf(thisName);
-                if (inName.charAt(ndx-1) == '.' )
+                if (inName.charAt(ndx-1) == '.' ^ thisName.charAt(0) == '.')
                    constraintType = NAME_NARROWS;
                else
                    constraintType = NAME_SAME_TYPE;