[release-branch.go1.14-security] crypto/x509: respect VerifyOptions.KeyUsages on Windows - go - Fork of Go programming language with my patches.

diff options

author	Filippo Valsorda <filippo@golang.org>	2020-06-18 22:45:52 -0400
committer	Katie Hockman <katiehockman@google.com>	2020-07-14 12:24:21 +0000
commit	9c0a6cec5b8413ae837e8eeb5743ea1de2d819fc (patch)
tree	8ddb46ef10ee35be77a140a254a81f263ce3d509 /src/database/sql/sql_test.go
parent	f3529ca9610be93ac4bb6fedc65429f7984227b6 (diff)
download	go-9c0a6cec5b8413ae837e8eeb5743ea1de2d819fc.tar.xz

[release-branch.go1.14-security] crypto/x509: respect VerifyOptions.KeyUsages on Windows

When using the platform verifier on Windows (because Roots is nil) we were always enforcing server auth EKUs if DNSName was set, and none otherwise. If an application was setting KeyUsages, they were not being respected. Started correctly surfacing IncompatibleUsage errors from the system verifier, as those are the ones applications will see if they are affected by this change. Also refactored verify_test.go to make it easier to add tests for this, and replaced the EKULeaf chain with a new one that doesn't have a SHA-1 signature. Thanks to Niall Newman for reporting this. Fixes #39360 Fixes CVE-2020-14039 Change-Id: If5c00d615f2944f7d57007891aae1307f9571c32 Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/774414 Reviewed-by: Katie Hockman <katiehockman@google.com> Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793511 Reviewed-by: Filippo Valsorda <valsorda@google.com>

Diffstat (limited to 'src/database/sql/sql_test.go')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: