)]}'
{
  "commit": "bf6bb3239780390d13b8f768a56d7d44163c1fed",
  "tree": "5bf094114dc2a238e64748490bc0a4e75c1a2af6",
  "parents": [
    "b2478d6da284551bc511ea9a9aae6603b565085f"
  ],
  "author": {
    "name": "David Benjamin",
    "email": "davidben@google.com",
    "time": "Tue Mar 03 16:47:37 2026 -0500"
  },
  "committer": {
    "name": "Boringssl LUCI CQ",
    "email": "boringssl-scoped@luci-project-accounts.iam.gserviceaccount.com",
    "time": "Thu Mar 05 10:42:30 2026 -0800"
  },
  "message": "Check for syntax errors in SANs in X509_check_host\n\nOpenSSL\u0027s X509_get_ext_d2i is very difficult to use correctly and makes\nit easy to mix up missing extension and invalid extension. This happened\nin X509_check_host and caused it to use the common name fallback.\n\nThis does not have any real consequence:\n\nFirst, such certificates have EXFLAG_INVALID set and would actually fail\nto validate in the first place. (Ideally such a state would not exist at\nall, and then this will be moot. See crbug.com/42290243.) This is\ndemonstrated by having to update cert verification test expectations.\n\nSecond, even if it were reachable, one would need to somehow convince a\ntrusted CA to misissue a certificate with an unparseable SAN extension\n*and* place a DNS name in the common name that it didn\u0027t intend\nto validate. An attacker that can do this can no doubt already cause the\nCA to misissue a well-formed, wrong certificate too.\n\nNonetheless, it\u0027s good to handle errors, so do so.\n\nBug: 489032714\nChange-Id: I5cef97e616b9af2e4b65a47d967a2980c46fd1ad\nReviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/90227\nReviewed-by: Lily Chen \u003cchlily@google.com\u003e\nCommit-Queue: David Benjamin \u003cdavidben@google.com\u003e\nAuto-Submit: David Benjamin \u003cdavidben@google.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "5039e588f19d030e291749a0b87f5fd6fd3ba4ab",
      "old_mode": 33188,
      "old_path": "crypto/x509/v3_utl.cc",
      "new_id": "640da8e4d5709886ab52ed9014af2d2f7a3d920b",
      "new_mode": 33188,
      "new_path": "crypto/x509/v3_utl.cc"
    },
    {
      "type": "modify",
      "old_id": "394f3bd3676393e5c05889154cabb844897b64b6",
      "old_mode": 33188,
      "old_path": "crypto/x509/x509_test.cc",
      "new_id": "d0badfb812e5755f6a650dee09736f4be2027689",
      "new_mode": 33188,
      "new_path": "crypto/x509/x509_test.cc"
    }
  ]
}
