From fcf2cae120c76f98b492c7500e3c99bc738410a5 Mon Sep 17 00:00:00 2001
From: Alberto Bertogli
Date: Fri, 8 Dec 2017 14:07:42 +0000
Subject: [PATCH] test: Make generate_cert use IDNA for certificate fields In Go 1.10 the TLS library will start to reject DNS SANs which are not properly formed; and in particular, if they're not IDNA-encoded. See: - https://github.com/golang/go/issues/15196 - https://github.com/golang/go/commit/9e76ce70701ceef8fbccfb953b33a2ae7fe0367c The generate_cert utility will write non-IDNA DNS SANs, which the TLS library does not like, causing our idna tests to fail. This patch fixes this incompatibility by making generate_cert IDNA-encode the host names when adding them to the certificate.
---
 test/util/generate_cert.go | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/test/util/generate_cert.go b/test/util/generate_cert.go
index 87554d6..b7e9547 100644
--- a/test/util/generate_cert.go
+++ b/test/util/generate_cert.go
@@ -25,6 +25,8 @@ import (
 "os"
 "strings"
 "time"
+
+ "golang.org/x/net/idna"
 )

 var (
@@ -128,7 +130,13 @@ func main() {
 if ip := net.ParseIP(h); ip != nil {
 template.IPAddresses = append(template.IPAddresses, ip)
 } else {
- template.DNSNames = append(template.DNSNames, h)
+ // We use IDNA-encoded DNS names, otherwise the TLS library won't
+ // load the certificates.
+ ih, err := idna.ToASCII(h)
+ if err != nil {
+ log.Fatalf("host %q cannot be IDNA-encoded: %v", h, err)
+ }
+ template.DNSNames = append(template.DNSNames, ih)
 }
 }
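Review bot: `idna.ToASCII(h)` in the `else` branch of the second hunk is the package-level wrapper around the `Punycode` profile, which converts to punycode with only minimal validation and no mapping. A host given in mixed case or unnormalized form may therefore produce a SAN that differs from the name a client derives, or one the TLS library still rejects when the certificate is loaded. Consider `ih, err := idna.Lookup.ToASCII(h)` so that the name is mapped and validated here and a bad host fails in the existing `log.Fatalf` at generation time. A short comment saying which profile was chosen and why would also help. The enclosing loop and the rest of `main` lie outside the hunk, so how `h` is derived is not visible.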