Reject URIs containing '@' in name constraint checking (#3202)

nhatnghiho · web-flow · commit 84765631496b · 2026-05-07T17:47:10.000-04:00
### Issues:
Addresses P422947832

### Description of changes: 
`nc_uri()` extracts the host from a URI by scanning for `:` (port) then
`/` (path start). It does not account for the `@` delimiter that
separates optional userinfo from the host in RFC 3986 §3.2 (authority =
`[userinfo "@"] host [":" port]`). Since `:` is permitted inside
userinfo, a URI like `spiffe://x.team-a.corp:x@team-b.corp/admin` causes
nc_uri() to extract x`.team-a.corp` as the host instead of the actual
host `team-b.corp`
This change makes three improvements to nc_uri():
1. Reject `@` in authority — URIs containing userinfo are rejected with
`X509_V_ERR_UNSUPPORTED_NAME_SYNTAX`. Certificate SAN URIs have no
standards-defined use for userinfo, so rejecting is the correct
fail-closed behavior — consistent with the IPv6 literal rejection added
in `fed51c342`. The @ scan stops at /, ?, or # (the characters that
terminate the authority per RFC 3986), so @ appearing in the path (e.g.,
`foo://example.com/@user`) is not affected.
2. Trailing dot normalization — Strip trailing dots from both the host
and constraint before comparison, so `team-a.corp.` and `team-a.corp`
are treated as the same FQDN (RFC 1034 §3.1). This matches the existing
normalization in nc_dns().
3. FQDN validation — Validate that the extracted host contains only
characters valid in a DNS name (`a-zA-Z0-9-.`) per RFC 1034 §3.5. RFC
5280 §4.2.1.10 requires the host to be a fully qualified domain name, so
any host containing percent-encoding, `?`, `#`, or other non-FQDN
characters is rejected. This prevents equivalence bypasses (e.g.,
`b%61d.com` evading an exclusion for .bad.com).

### Call-outs:
This intentionally rejects rather than normalizes percent-encoded hosts.
RFC 5280 requires the host to be a FQDN, and `%` is not a valid FQDN
character — a conformant CA should never issue such a cert. Rejecting is
stricter than the RFC 3986 §6.2.2.2 SHOULD-level normalization guidance,
but avoids being more permissive than the standard.

### Testing:
Nine new cases in `X509Test.NameConstraints`:
- Basic `user@host` rejection
- Colon-in-userinfo bypass
(`spiffe://x.team-a.corp:x@team-b.corp/admin`) tested against both the
fake and real host constraints
- Userinfo with path, query, and fragment variants
- `@` in path (after `/`) is correctly not rejected
  
All 102 existing X509 tests pass.

By submitting this pull request, I confirm that my contribution is made
under the terms of the Apache 2.0 license and the ISC license.
diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c
@@ -686,6 +686,21 @@ static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base) {
     return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
   }
 
+  // RFC 3986 §3.2 defines authority = [userinfo "@"] host [":" port].
+  // Certificate SAN URIs have no standards-defined use for userinfo. If present,
+  // the '@' delimiter would cause the host extraction below to parse the
+  // userinfo as the host, matching against attacker-chosen bytes instead of
+  // the URI's actual host.
+  for (size_t i = 0; i < CBS_len(&uri_cbs); i++) {
+    uint8_t c = CBS_data(&uri_cbs)[i];
+    if (c == '/' || c == '?' || c == '#') {
+      break;
+    }
+    if (c == '@') {
+      return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+    }
+  }
+
   // Look for a port indicator as end of hostname first. Otherwise look for
   // trailing slash, or the end of the string.
   CBS host;
@@ -698,6 +713,35 @@ static int nc_uri(const ASN1_IA5STRING *uri, const ASN1_IA5STRING *base) {
     return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
   }
 
+  // Normalize absolute DNS names by removing the trailing dot, if any.
+  // RFC 1034 §3.1 defines that a trailing dot denotes the DNS root; names with
+  // and without it refer to the same host. This matches the normalization in
+  // nc_dns().
+  if (ends_with_byte(&host, '.')) {
+    uint8_t unused;
+    CBS_get_last_u8(&host, &unused);
+  }
+  if (ends_with_byte(&base_cbs, '.')) {
+    uint8_t unused;
+    CBS_get_last_u8(&base_cbs, &unused);
+  }
+
+  // RFC 5280 §4.2.1.10 requires the host to be a fully qualified domain name.
+  // Validate that the host contains only characters valid in a DNS name
+  // (RFC 1034 §3.5): letters, digits, hyphens, and dots. This rejects
+  // percent-encoded hosts and any other non-FQDN syntax, preventing
+  // equivalence bypasses (e.g., "b%61d.com" evading ".bad.com").
+  if (CBS_len(&host) == 0) {
+    return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+  }
+  for (size_t i = 0; i < CBS_len(&host); i++) {
+    uint8_t c = CBS_data(&host)[i];
+    if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
+          (c >= '0' && c <= '9') || c == '-' || c == '.')) {
+      return X509_V_ERR_UNSUPPORTED_NAME_SYNTAX;
+    }
+  }
+
   // Special case: initial '.' is RHS match
   if (starts_with(&base_cbs, '.')) {
     if (has_suffix_case(&host, &base_cbs)) {
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
@@ -2640,6 +2640,68 @@ TEST(X509Test, NameConstraints) {
       // An incomplete IPv6 literal is also rejected.
       {GEN_URI, "foo://[2001:db8::1", "[2001:db8::1]",
        X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+
+      // RFC 3986 §3.2 defines authority = [userinfo "@"] host [":" port].
+      // URIs with userinfo are rejected to prevent host confusion: without
+      // this, "spiffe://x.team-a.corp:x@team-b.corp/admin" would be matched
+      // against "x.team-a.corp" instead of the actual host "team-b.corp",
+      // bypassing permittedSubtrees or evading excludedSubtrees.
+      //
+      // Basic userinfo before host.
+      {GEN_URI, "foo://user@example.com", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      // Userinfo with colon (user:password style) — the colon in userinfo
+      // would previously be mistaken for a port delimiter, extracting the
+      // userinfo prefix as the host.
+      {GEN_URI, "spiffe://x.team-a.corp:x@team-b.corp/admin", "team-a.corp",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      {GEN_URI, "spiffe://x.team-a.corp:x@team-b.corp/admin", "team-b.corp",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      // Userinfo with path, query, and fragment components.
+      {GEN_URI, "foo://user@example.com/path", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      {GEN_URI, "foo://user@example.com?query", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      {GEN_URI, "foo://user@example.com#fragment", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      // '@' in path (after '/') is not userinfo and should not be rejected.
+      {GEN_URI, "foo://example.com/@user", "example.com", X509_V_OK,
+       X509_V_ERR_EXCLUDED_VIOLATION},
+      {GEN_URI, "foo://example.com/path@thing", ".example.com",
+       X509_V_ERR_PERMITTED_VIOLATION, X509_V_OK},
+      // '@' after '?' or '#' is not in the authority and is not rejected.
+      // However, since the host parser doesn't treat '?' or '#' as authority
+      // terminators, the extracted host contains invalid FQDN characters and
+      // is rejected by FQDN validation.
+      {GEN_URI, "foo://example.com?x@y", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      {GEN_URI, "foo://example.com#x@y", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      // Empty userinfo and user:pass userinfo are both rejected.
+      {GEN_URI, "foo://@example.com", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      {GEN_URI, "foo://user:pass@example.com", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+
+      // Trailing dot normalization: "host." and "host" are the same FQDN.
+      // This matches the normalization in nc_dns().
+      {GEN_URI, "spiffe://admin.team-a.corp./admin", ".team-a.corp",
+       X509_V_OK, X509_V_ERR_EXCLUDED_VIOLATION},
+      {GEN_URI, "spiffe://admin.team-a.corp/admin", ".team-a.corp.",
+       X509_V_OK, X509_V_ERR_EXCLUDED_VIOLATION},
+      {GEN_URI, "spiffe://team-a.corp./admin", "team-a.corp",
+       X509_V_OK, X509_V_ERR_EXCLUDED_VIOLATION},
+
+      // FQDN validation: hosts must contain only a-z, A-Z, 0-9, '-', '.'.
+      // Percent-encoded hosts are rejected, preventing equivalence bypasses
+      // (e.g., "b%61d.com" should not evade an exclusion for ".bad.com").
+      {GEN_URI, "spiffe://evil.b%61d.com/resource", ".bad.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      {GEN_URI, "foo://ex%61mple.com/path", "example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
+      // Underscores are not valid in FQDNs.
+      {GEN_URI, "foo://my_host.example.com/path", ".example.com",
+       X509_V_ERR_UNSUPPORTED_NAME_SYNTAX, X509_V_ERR_UNSUPPORTED_NAME_SYNTAX},
   };
   for (const auto &t : kTests) {
     SCOPED_TRACE(t.type);
