From 5ce81d77f5ede0cb855c232196abd6739388af86 Mon Sep 17 00:00:00 2001
From: Rasmus Dahlberg <rasmus@rgdd.se>
Date: Sat, 18 Mar 2023 14:09:32 +0100
Subject: check that sans don't contain new lines

---
 internal/x509/x509.go | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

(limited to 'internal')

diff --git a/internal/x509/x509.go b/internal/x509/x509.go
index 949199d..ce4be0c 100644
--- a/internal/x509/x509.go
+++ b/internal/x509/x509.go
@@ -401,6 +401,7 @@ package x509
 
 import (
 	"fmt"
+	"strings"
 
 	ct "github.com/google/certificate-transparency-go"
 	"github.com/google/certificate-transparency-go/asn1"
@@ -479,8 +480,12 @@ func extract(extSAN pkix.Extension) ([]string, error) {
 		if err != nil {
 			return nil, fmt.Errorf("failed to parse subjectAltName extension item: %v", err)
 		}
-
-		sans = append(sans, string(val.Bytes))
+		san := string(val.Bytes)
+		if strings.Contains(san, "\n") {
+			// new-line would be bad for our data set because it is line-terminated
+			return nil, fmt.Errorf("found SAN that contains new line: %x", val.Bytes)
+		}
+		sans = append(sans, san)
 	}
 	return sans, nil
 }
-- 
cgit v1.2.3