Crypto/X509
cpe:2.3:a:go_standard_library:crypto/x509:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Go Standard Library (50bc78d3-15d0-59a4-bc22-a964570e0614) |
|---|---|
| Product | Crypto/X509 (21b83ce7-5094-5dcb-bdb3-47a309a85ddd) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from gcve-enriched-dumps CVE data |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| No PURL mappings for this CPE yet. | | |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-33810 | vulnerable | 2026-06-03 15:20:45.752195 | Case-sensitive excludedSubtrees name constraints cause Auth Bypass in crypto/x509<br>When verifying a certificate chain containing excluded DNS constraints, these constraints are not correctly applied to wildcard DNS SANs which use a different case than the constraint. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.<br>Published: 2026-04-08T01:06:56.546Z<br>Updated: 2026-04-20T17:23:21.823Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32281 | vulnerable | 2026-06-03 15:20:42.676548 | Inefficient policy validation in crypto/x509<br>Validating certificate chains which use policies is unexpectedly inefficient when certificates in the chain contain a very large number of policy mappings, possibly causing denial of service. This only affects validation of otherwise trusted certificate chains, issued by a root CA in the VerifyOptions.Roots CertPool, or in the system certificate pool.<br>Published: 2026-04-08T01:06:58.354Z<br>Updated: 2026-04-13T18:19:44.779Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-32280 | vulnerable | 2026-06-03 15:20:42.675343 | Unexpected work during chain building in crypto/x509<br>During chain building, the amount of work that is done is not correctly limited when a large number of intermediate certificates are passed in VerifyOptions.Intermediates, which can lead to a denial of service. This affects both direct users of crypto/x509 and users of crypto/tls.<br>Published: 2026-04-08T01:06:58.595Z<br>Updated: 2026-04-08T17:46:47.347Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27145 | vulnerable | 2026-06-03 15:18:06.085299 | Inefficient candidate hostname parsing in crypto/x509<br>(*x509.Certificate).VerifyHostname previously called matchHostnames in a loop over all DNS Subject Alternative Name (SAN) entries. This caused strings.Split(host, ".") to execute repeatedly on the same input hostname. With a large DNS SAN list, verification costs scaled quadratically based on the number of SAN entries multiplied by the hostname's label count. Because x509.Verify validates hostnames before building the certificate chain, this overhead occurred even for untrusted certificates.<br>Published: 2026-06-02T22:01:36.954Z<br>Updated: 2026-06-04T12:34:53.136Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27138 | vulnerable | 2026-06-03 15:18:06.073330 | Panic in name constraint checking for malformed certificates in crypto/x509<br>Certificate verification can panic when a certificate in the chain has an empty DNS name and another certificate in the chain has excluded name constraints. This can crash programs that are either directly verifying X.509 certificate chains, or those that use TLS.<br>Published: 2026-03-06T21:28:14.000Z<br>Updated: 2026-03-10T13:35:19.784Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-27137 | vulnerable | 2026-06-03 15:18:06.072952 | Incorrect enforcement of email constraints in crypto/x509<br>When verifying a certificate chain which contains a certificate containing multiple email address constraints which share common local portions but different domain portions, these constraints will not be properly applied, and only the last constraint will be considered.<br>Published: 2026-03-06T21:28:13.748Z<br>Updated: 2026-03-10T13:32:53.202Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-61729 | vulnerable | 2026-06-03 15:07:57.047991 | Excessive resource consumption when printing error string for host certificate validation in crypto/x509<br>Within HostnameError.Error(), when constructing an error string, there is no limit to the number of hosts that will be printed out. Furthermore, the error string is constructed by repeated string concatenation, leading to quadratic runtime. Therefore, a certificate provided by a malicious actor can result in excessive resource consumption.<br>Published: 2025-12-02T18:54:10.166Z<br>Updated: 2025-12-03T19:37:14.903Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-61727 | vulnerable | 2026-06-03 15:07:57.046311 | Improper application of excluded DNS name constraints when verifying wildcard names in crypto/x509<br>An excluded subdomain constraint in a certificate chain does not restrict the usage of wildcard SANs in the leaf certificate. For example a constraint that excludes the subdomain test.example.com does not prevent a leaf certificate from claiming the SAN *.example.com.<br>Published: 2025-12-03T19:37:15.054Z<br>Updated: 2025-12-03T22:06:17.007Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-58188 | vulnerable | 2026-06-03 15:06:20.867367 | Panic when validating certificates with DSA public keys in crypto/x509<br>Validating certificate chains which contain DSA public keys can cause programs to panic, due to an interface cast that assumes they implement the Equal method. This affects programs which validate arbitrary certificate chains.<br>Published: 2025-10-29T22:10:14.143Z<br>Updated: 2025-11-04T21:13:38.109Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-58187 | vulnerable | 2026-06-03 15:06:20.866974 | Quadratic complexity when checking name constraints in crypto/x509<br>Due to the design of the name constraint checking algorithm, the processing time of some inputs scales non-linearly with respect to the size of the certificate. This affects programs which validate arbitrary certificate chains.<br>Published: 2025-10-29T22:10:12.624Z<br>Updated: 2025-11-20T22:23:47.179Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22874 | vulnerable | 2026-06-03 14:59:41.688804 | Usage of ExtKeyUsageAny disables policy validation in crypto/x509<br>Calling Verify with a VerifyOptions.KeyUsages that contains ExtKeyUsageAny unintentionally disabled policy validation. This only affected certificate chains which contain policy graphs, which are rather uncommon.<br>Published: 2025-06-11T16:42:52.856Z<br>Updated: 2025-06-16T20:26:53.242Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-22865 | vulnerable | 2026-06-03 14:59:41.666921 | ParsePKCS1PrivateKey panic with partial keys in crypto/x509<br>Using ParsePKCS1PrivateKey to parse an RSA key that is missing the CRT values would panic when verifying that the key is well formed.<br>Published: 2025-01-28T01:03:25.121Z<br>Updated: 2025-01-30T19:14:21.959Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-45341 | vulnerable | 2026-06-03 14:56:49.640429 | Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509<br>A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs.<br>Published: 2025-01-28T01:03:24.353Z<br>Updated: 2025-02-21T18:03:33.296Z | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-24783 | vulnerable | 2026-06-03 14:55:05.760686 | Verify panics on certificates with an unknown public key algorithm in crypto/x509<br>Verifying a certificate chain which contains a certificate with an unknown public key algorithm will cause Certificate.Verify to panic. This affects all crypto/tls clients, and servers that set Config.ClientAuth to VerifyClientCertIfGiven or RequireAndVerifyClientCert. The default behavior is for TLS servers to not verify client certificates.<br>Published: 2024-03-05T22:22:26.647Z<br>Updated: 2025-02-13T17:40:23.803Z | Imported from gcve-enriched-dumps CVE data |