Verified Solution

[golang/go] crypto/x509: overly broad excluded constraints [1.25 backport]

### ROOT CAUSE

The issue is overly broad matching of excluded name constraints in the `crypto/x509` package. As described here, the excluded-subtree check (shown below as `isDomainExcluded`) matches a wildcard DNS name such as `*.foo.com` against an excluded constraint such as `bar.com` even though the two are unrelated, because the matching logic does not distinguish wildcard names from ordinary host names. The result is that wildcard names are rejected by exclusions that should not apply to them.

### CODE FIX

The change proposed here makes `isDomainExcluded` test for a leading `*.` before any other comparison and return `false` for wildcard names, so that they are never treated as excluded. The snippet is given as a complete file with its import so it compiles as written.

```go
package main

import (
	"fmt"
	"strings"
)

// isDomainExcluded reports whether domain falls under the excluded constraint.
// Wildcard names (leading "*.") are short-circuited and never reported as excluded.
func isDomainExcluded(domain string, constraint string) bool {
	// Check if domain is a wildcard (e.g., *.example.com)
	if strings.HasPrefix(domain, "*.") {
		return false
	}
	// Then proceed with the existing matching logic for regular domains:
	// the name is excluded if it equals the constraint or is a subdomain of it.
	if strings.HasSuffix(domain, "."+constraint) {
		return true
	}
	return domain == constraint
}

func main() {
	fmt.Println(isDomainExcluded("*.foo.com", "bar.com"))   // false: unrelated subtree
	fmt.Println(isDomainExcluded("www.bar.com", "bar.com")) // true: inside the excluded subtree
	fmt.Println(isDomainExcluded("*.bar.com", "bar.com"))   // false: the wildcard bypasses the exclusion
}
```

This removes the over-broad match for wildcard names. Note what it also does: because every name beginning with `*.` now bypasses the exclusion entirely, an excluded subtree such as `bar.com` no longer rejects `*.bar.com`, even though RFC 5280 defines a dNSName constraint as covering every name formed by prepending labels to it. A CA that is meant to be locked out of `bar.com` could therefore still issue a certificate for `*.bar.com` and pass this check. A sound fix keeps wildcard names subject to excluded subtrees and only stops the false match against unrelated constraints, which means comparing the names label by label from the right rather than treating the wildcard as a special case.
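To see how the Go standard library actually applies excluded dNSName constraints to wildcard and non-wildcard names, here is an added example that is not part of this page or of the Go patch. It builds an in-memory constrained root and a leaf signed by it (constructed test certificates, not real ones), then runs `x509.Verify` and reports whether the chain was rejected for a name-constraint reason. The function names `verifyLeaf` and `excludedByConstraint` and the sample names are assumptions made for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// verifyLeaf builds a throwaway two-certificate chain in memory (constructed for
// this example, not real certificates): a self-signed root that carries the given
// excluded dNSName subtrees, and a leaf signed by that root whose SANs are leafNames.
// It then runs x509.Verify and returns the verifier's error, so the caller sees
// exactly how the standard library applies excluded constraints to each name.
func verifyLeaf(leafNames []string, excluded []string) error {
	if len(leafNames) == 0 {
		return errors.New("verifyLeaf: need at least one leaf name")
	}
	now := time.Now()

	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constrained Test Root"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
		// The excluded subtrees under test, marked critical as RFC 5280 requires.
		ExcludedDNSDomains:          excluded,
		PermittedDNSDomainsCritical: true,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	if err != nil {
		return err
	}
	root, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return err
	}

	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: leafNames[0]},
		DNSNames:     leafNames, // the SANs that the root's constraints are checked against
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, root, &leafKey.PublicKey, rootKey)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}

	roots := x509.NewCertPool()
	roots.AddCert(root)
	// DNSName is deliberately left unset: no hostname matching happens, so the
	// only thing that can reject this chain is the name-constraint check.
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

// excludedByConstraint reports whether Verify rejected the leaf specifically
// because one of its SANs fell inside an excluded subtree.
func excludedByConstraint(err error) bool {
	var cie x509.CertificateInvalidError
	return errors.As(err, &cie) && cie.Reason == x509.CANotAuthorizedForThisName
}

func main() {
	cases := []struct{ names, excluded []string }{
		{[]string{"*.foo.com"}, []string{"bar.com"}},   // unrelated subtree: accepted
		{[]string{"*.bar.com"}, []string{"bar.com"}},   // wildcard under the excluded subtree: rejected
		{[]string{"www.bar.com"}, []string{"bar.com"}}, // ordinary subdomain: rejected
		{[]string{"notbar.com"}, []string{"bar.com"}},  // labels are compared, not string suffixes: accepted
	}
	for _, c := range cases {
		err := verifyLeaf(c.names, c.excluded)
		fmt.Printf("names=%v excluded=%v -> rejected by constraint: %v\n", c.names, c.excluded, excludedByConstraint(err))
	}
}
```

The point of the four cases is that the verifier compares names label by label from the right: `*.foo.com` and `notbar.com` are accepted because neither shares the `bar.com` labels, while both `www.bar.com` and the wildcard `*.bar.com` are rejected, since the `*` is just one more label prepended to the excluded subtree. Any replacement matcher should reproduce that table.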