• Adam Langley's avatar
    crypto/x509: allow parsing of certificates with unknown critical extensions. · d942737f
    Adam Langley authored
    Previously, unknown critical extensions were a parse error. However, for
    some cases one wishes to parse and use a certificate that may contain
    these extensions. For example, when using a certificate in a TLS server:
    it's the client's concern whether it understands the critical extensions
    but the server still wishes to parse SNI values out of the certificate
    etc.
    
    This change moves the rejection of unknown critical extensions from
    ParseCertificate to Certificate.Verify. The former will now record the
    OIDs of unknown critical extensions in the Certificate and the latter
    will fail to verify certificates with them. If a user of this package
    wishes to handle any unknown critical extensions themselves, they can
    extract the extensions from Certificate.Extensions, process them and
    remove known OIDs from Certificate.UnknownCriticalExtensions.
    
    See discussion at
    https://groups.google.com/forum/#!msg/golang-nuts/IrzoZlwalTQ/qdK1k-ogeHIJ
    and in the linked bug.
    
    Fixes #10459
    
    Change-Id: I762521a44c01160fa0901f990ba2f5d4977d7977
    Reviewed-on: https://go-review.googlesource.com/9390Reviewed-by: 's avatarBrad Fitzpatrick <bradfitz@golang.org>
    d942737f
x509.go 59.1 KB