
test: Make generate_cert use IDNA for certificate fields

author Alberto Bertogli
2017-12-08 14:07:42 UTC
committer Alberto Bertogli
2017-12-08 14:07:42 UTC
parent f7a4fa895c4168f672706e3d531abac845f2ae65

test: Make generate_cert use IDNA for certificate fields

In Go 1.10 the TLS library will start to reject DNS SANs which are not
properly formed; and in particular, if they're not IDNA-encoded. See:
 - https://github.com/golang/go/issues/15196
 - https://github.com/golang/go/commit/9e76ce70701ceef8fbccfb953b33a2ae7fe0367c

The generate_cert utility will write non-IDNA DNS SANs, which the TLS
library does not like, causing our idna tests to fail.

This patch fixes this incompatibility by making generate_cert IDNA-encode
the host names when adding them to the certificate.

test/util/generate_cert.go +9 -1

diff --git a/test/util/generate_cert.go b/test/util/generate_cert.go
index 87554d6..b7e9547 100644
--- a/test/util/generate_cert.go
+++ b/test/util/generate_cert.go
@@ -25,6 +25,8 @@ import (
 	"os"
 	"strings"
 	"time"
+
+	"golang.org/x/net/idna"
 )
 
 var (
@@ -128,7 +130,13 @@ func main() {
 		if ip := net.ParseIP(h); ip != nil {
 			template.IPAddresses = append(template.IPAddresses, ip)
 		} else {
-			template.DNSNames = append(template.DNSNames, h)
+			// We use IDNA-encoded DNS names, otherwise the TLS library won't
+			// load the certificates.
+			ih, err := idna.ToASCII(h)
+			if err != nil {
+				log.Fatalf("host %q cannot be IDNA-encoded: %v", h, err)
+			}
+			template.DNSNames = append(template.DNSNames, ih)
 		}
 	}
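Review bot: The package-level `idna.ToASCII` used on the added line is the raw Punycode profile, which does minimal validation and no mapping. A host given in upper case or in a non-normalized Unicode form would be encoded as typed, and the resulting SAN may not match the name a verifying client derives for the same host. `ih, err := idna.Lookup.ToASCII(h)` would apply the lookup mapping and label checks before the name reaches `template.DNSNames`, though a wildcard entry would probably be rejected by that stricter profile and would need to stay on the current call. If the raw profile is intentional for a test helper, the comment could say so, for example `// Raw Punycode profile: no case mapping or label validation is applied.` The enclosing `main` starts and ends outside this hunk, so whether other certificate fields also take the unencoded host is not visible here.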