crypto/x509: stricter email parsing

Reject parsing certificates which contain multiple unescaped @s. Change-Id: I68460cc2f763aaf5b7953fee3c55b0680d3ff937 Reviewed-on: https://go-review.googlesource.com/c/go/+/769160 Reviewed-by: Damien Neil <dneil@google.com> LUCI-TryBot-Result: golang-scoped@luci-project-accounts.iam.gserviceaccount.com <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
2026-06-28 03:40:37 +00:00 · 2026-04-20 12:45:03 -07:00 · 2026-04-20 12:45:03 -07:00 · 62caa6db3d
commit 62caa6db3d
parent 122eb7d035
2 changed files with 7 additions and 1 deletions
--- a/src/crypto/x509/name_constraints_test.go
+++ b/src/crypto/x509/name_constraints_test.go
@ -2299,6 +2299,7 @@ var rfc2821Tests = []struct {
 	{".foo.bar@example.com", "", ""},
 	{"foo.bar.@example.com", "", ""},
 	{"|{}?'@example.com", "|{}?'", "example.com"},
+	{"a@b@c.com", "", ""},

 	// Examples from RFC 3696
 	{"Abc\\@def@example.com", "Abc@def", "example.com"},
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@ -388,7 +388,12 @@ func parseRFC2821Mailbox(in string) (mailbox rfc2821Mailbox, ok bool) {
 	// The RFC species a format for domains, but that's known to be
 	// violated in practice so we accept that anything after an '@' is the
 	// domain part.
-	if _, ok := domainToReverseLabels(in); !ok {
+	if !domainNameValid(in, false) {
+		return mailbox, false
+	}
+
+	// Reject domain names containing @.
+	if strings.ContainsRune(in, '@') {
 		return mailbox, false
 	}