src/crypto/x509 · 506386fd370cd627c7f2475979860f8cb8cdbe65 · go / golang

crypto/x509: enforce EKU nesting at chain-construction time. · 647648bd

Adam Langley authored Oct 15, 2017

crypto/x509 has always enforced EKUs as a chain property (like CAPI, but
unlike the RFC). With this change, EKUs will be checked at
chain-building time rather than in a target-specific way.

Thus mis-nested EKUs will now cause a failure in Verify, irrespective of
the key usages requested in opts. (This mirrors the new behaviour w.r.t.
name constraints, where an illegal name in the leaf will cause a Verify
failure, even if the verified name is permitted.).

Updates #15196

Change-Id: Ib6a15b11a9879a9daf5b1d3638d5ebbbcac506e5
Reviewed-on: https://go-review.googlesource.com/71030
Run-TryBot: Adam Langley <agl@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Russ Cox <rsc@golang.org>

647648bd

Name	Last commit	Last update
..
pkix		Loading commit data...
testdata		Loading commit data...
cert_pool.go		Loading commit data...
example_test.go		Loading commit data...
name_constraints_test.go		Loading commit data...
pem_decrypt.go		Loading commit data...
pem_decrypt_test.go		Loading commit data...
pkcs1.go		Loading commit data...
pkcs8.go		Loading commit data...
pkcs8_test.go		Loading commit data...
root.go		Loading commit data...
root_bsd.go		Loading commit data...
root_cgo_darwin.go		Loading commit data...
root_darwin.go		Loading commit data...
root_darwin_arm_gen.go		Loading commit data...
root_darwin_armx.go		Loading commit data...
root_darwin_test.go		Loading commit data...
root_linux.go		Loading commit data...
root_nacl.go		Loading commit data...
root_nocgo_darwin.go		Loading commit data...
root_plan9.go		Loading commit data...
root_solaris.go		Loading commit data...
root_unix.go		Loading commit data...
root_unix_test.go		Loading commit data...
root_windows.go		Loading commit data...
sec1.go		Loading commit data...
sec1_test.go		Loading commit data...
sha2_windows_test.go		Loading commit data...
test-file.crt		Loading commit data...
verify.go		Loading commit data...
verify_test.go		Loading commit data...
x509.go		Loading commit data...
x509_test.go		Loading commit data...
x509_test_import.go		Loading commit data...