    crypto/x509: allow parsing of certificates with unknown critical extensions. · d942737f
    Adam Langley authored
    Previously, unknown critical extensions were a parse error. However, for
    some cases one wishes to parse and use a certificate that may contain
    these extensions. For example, when using a certificate in a TLS server:
    it's the client's concern whether it understands the critical extensions
    but the server still wishes to parse SNI values out of the certificate
    etc.
    
    This change moves the rejection of unknown critical extensions from
    ParseCertificate to Certificate.Verify. The former will now record the
    OIDs of unknown critical extensions in the Certificate and the latter
    will fail to verify certificates with them. If a user of this package
    wishes to handle any unknown critical extensions themselves, they can
    extract the extensions from Certificate.Extensions, process them and
    remove known OIDs from Certificate.UnknownCriticalExtensions.
    
    See discussion at
    https://groups.google.com/forum/#!msg/golang-nuts/IrzoZlwalTQ/qdK1k-ogeHIJ
    and in the linked bug.
    
    Fixes #10459
    
    Change-Id: I762521a44c01160fa0901f990ba2f5d4977d7977
    Reviewed-on: https://go-review.googlesource.com/9390
    Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
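The following is an added example, not code from the Go tree or from this change, showing the workflow the commit message describes: a leaf certificate carrying a critical extension the x509 package does not know is parsed without error, Certificate.Verify rejects it, the application processes the extension itself out of Certificate.Extensions, and Verify then succeeds. It assumes a current Go toolchain, in which the field the message calls UnknownCriticalExtensions shipped as Certificate.UnhandledCriticalExtensions and the Verify error as x509.UnhandledCriticalExtension. The OID 1.3.6.1.4.1.99999.1, its BOOLEAN payload, the hostname example.test, and the helper names (must, makeChain, handleCustomExtension, isUnhandled, Run) are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// customOID is a private-enterprise-arc OID picked for this example and unknown
// to the x509 package; customValue is its constructed payload, DER BOOLEAN TRUE.
var customOID = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
var customValue = []byte{0x01, 0x01, 0xff}

// must aborts the example on setup errors; real code would return them.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

// makeChain issues a self-signed CA and a leaf for example.test that carries
// customOID as a critical extension; it returns the parsed CA and the leaf DER.
func makeChain() (*x509.Certificate, []byte) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	now := time.Now()
	ca := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Test CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	must(err)
	caCert, err := x509.ParseCertificate(caDER)
	must(err)
	leaf := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.test"},
		DNSNames:     []string{"example.test"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		// ExtraExtensions are written into the certificate verbatim, critical bit included.
		ExtraExtensions: []pkix.Extension{{Id: customOID, Critical: true, Value: customValue}},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, &leafKey.PublicKey, caKey)
	must(err)
	return caCert, leafDER
}

// handleCustomExtension is the application's own processing of customOID: find it
// in cert.Extensions, validate the payload, and only then drop the OID from
// UnhandledCriticalExtensions. A bad payload leaves the OID in place, so Verify
// keeps rejecting the certificate.
func handleCustomExtension(cert *x509.Certificate) error {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(customOID) {
			continue
		}
		var asserted bool
		rest, err := asn1.Unmarshal(ext.Value, &asserted)
		if err != nil || len(rest) != 0 || !asserted {
			return fmt.Errorf("extension %v: unacceptable payload %x", customOID, ext.Value)
		}
		var remaining []asn1.ObjectIdentifier
		for _, id := range cert.UnhandledCriticalExtensions {
			if !id.Equal(customOID) {
				remaining = append(remaining, id)
			}
		}
		cert.UnhandledCriticalExtensions = remaining
		return nil
	}
	return errors.New("extension not present")
}

// isUnhandled reports whether Verify failed specifically because a critical
// extension was left unhandled, rather than for some other reason.
func isUnhandled(err error) bool {
	var uce x509.UnhandledCriticalExtension
	return errors.As(err, &uce)
}

// Run parses the leaf, which no longer fails on the unknown critical extension, and
// verifies it against the CA before and after the application handles that extension.
func Run() (unhandled []asn1.ObjectIdentifier, before, after error) {
	caCert, leafDER := makeChain()
	leaf, err := x509.ParseCertificate(leafDER)
	must(err)
	unhandled = append(unhandled, leaf.UnhandledCriticalExtensions...)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	opts := x509.VerifyOptions{Roots: roots, DNSName: "example.test"}
	_, before = leaf.Verify(opts)
	must(handleCustomExtension(leaf))
	_, after = leaf.Verify(opts)
	return unhandled, before, after
}
```

Run returns the OIDs ParseCertificate recorded and both Verify results; the first Verify fails with x509.UnhandledCriticalExtension and the second succeeds. The order in handleCustomExtension matters: the OID is removed from UnhandledCriticalExtensions only after the payload has been validated, so a certificate with a malformed instance of an extension the application claims to understand is still rejected rather than silently accepted.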
Directory contents at this commit: aes, cipher, des, dsa, ecdsa, elliptic, hmac, md5, rand, rc4, rsa, sha1, sha256, sha512, subtle, tls, x509, crypto.go