crypto/x509: enforce EKU nesting at chain-construction time. - go - Fork of Go programming language with my patches.

diff options

author	Adam Langley <agl@golang.org>	2017-10-15 12:21:00 -0700
committer	Adam Langley <agl@golang.org>	2017-11-07 23:14:10 +0000
commit	647648bd475e0635ce644c947b0140fd88eef58e (patch)
tree	57d62b6a46a108347647f24d2f8d77319bdf71d6 /src/crypto/tls/testdata/Client-TLSv12-ClientCert-RSA-RSA
parent	a4c009f5ae65393f28129d6e40dd74a47c056360 (diff)
download	go-647648bd475e0635ce644c947b0140fd88eef58e.tar.xz

crypto/x509: enforce EKU nesting at chain-construction time.

crypto/x509 has always enforced EKUs as a chain property (like CAPI, but unlike the RFC). With this change, EKUs will be checked at chain-building time rather than in a target-specific way. Thus mis-nested EKUs will now cause a failure in Verify, irrespective of the key usages requested in opts. (This mirrors the new behaviour w.r.t. name constraints, where an illegal name in the leaf will cause a Verify failure, even if the verified name is permitted.). Updates #15196 Change-Id: Ib6a15b11a9879a9daf5b1d3638d5ebbbcac506e5 Reviewed-on: https://go-review.googlesource.com/71030 Run-TryBot: Adam Langley <agl@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Russ Cox <rsc@golang.org>

Diffstat (limited to 'src/crypto/tls/testdata/Client-TLSv12-ClientCert-RSA-RSA')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: