]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: 04a9473) | patch
[release-branch.go1.24] crypto/x509: decouple key usage and policy validation
authorRoland Shoemaker <roland@golang.org>
Tue, 6 May 2025 16:27:10 +0000 (09:27 -0700)
committerMichael Knyszek <mknyszek@google.com>
Wed, 28 May 2025 19:34:55 +0000 (12:34 -0700)
commit03811ab1b31525e8d779997db169c6fedab7c505
treee8b54cd51640459ecf2f74551ec4aa6a4ae72ea3tree
parent04a94738475e3fa1ff3c71666b1a35b67481172bcommit | diff
[release-branch.go1.24] crypto/x509: decouple key usage and policy validation

Disabling key usage validation (by passing ExtKeyUsageAny)
unintentionally disabled policy validation. This change decouples these
two checks, preventing the user from unintentionally disabling policy
validation.

Thanks to Krzysztof SkrzÄ™tnicki (@Tener) of Teleport for reporting this
issue.

Updates #73612
Fixes #73700
Fixes CVE-2025-22874

Change-Id: Iec8f080a8879a3dd44cb3da30352fa3e7f539d40
Reviewed-on: https://go-review.googlesource.com/c/go/+/670375
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Ian Stapleton Cordasco <graffatcolmingov@gmail.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
(cherry picked from commit 9bba799955e68972041c4f340ee4ea2d267e5c0e)
Reviewed-on: https://go-review.googlesource.com/c/go/+/672316
Reviewed-by: Michael Knyszek <mknyszek@google.com>
src/crypto/x509/verify.go diff | blob | history
src/crypto/x509/verify_test.go diff | blob | history
Go GOST TLS 1.3