src/crypto · 4f765b18f82ae022f681806f04674d3b175881a4 · go / golang

crypto/x509: check EKUs like 1.9. · 7d61ad25

Adam Langley authored May 16, 2018

This change brings back the EKU checking from 1.9. In 1.10, we checked
EKU nesting independent of the requested EKUs so that, after verifying a
certifciate, one could inspect the EKUs in the leaf and trust them.

That, however, was too optimistic. I had misunderstood that the PKI was
/currently/ clean enough to require that, rather than it being
desirable. Go generally does not push the envelope on these sorts of
things and lets the browsers clear the path first.

Fixes #24590

Change-Id: I18c070478e3bbb6468800ae461c207af9e954949
Reviewed-on: https://go-review.googlesource.com/113475Reviewed-by: Filippo Valsorda <filippo@golang.org>

7d61ad25

Name	Last commit	Last update
..
aes		Loading commit data...
cipher		Loading commit data...
des		Loading commit data...
dsa		Loading commit data...
ecdsa		Loading commit data...
elliptic		Loading commit data...
hmac		Loading commit data...
internal/cipherhw		Loading commit data...
md5		Loading commit data...
rand		Loading commit data...
rc4		Loading commit data...
rsa		Loading commit data...
sha1		Loading commit data...
sha256		Loading commit data...
sha512		Loading commit data...
subtle		Loading commit data...
tls		Loading commit data...
x509		Loading commit data...
crypto.go		Loading commit data...
issue21104_test.go		Loading commit data...