Cypherpunks repositories - gostls13.git/commit

author	Filippo Valsorda <filippo@golang.org>
	Fri, 19 Jun 2020 02:45:52 +0000 (22:45 -0400)
committer	Katie Hockman <katiehockman@google.com>
	Tue, 14 Jul 2020 12:23:08 +0000 (12:23 +0000)
commit	4a4c8d3d971fa77e4346d2874220ff736047f13c
tree	a3c8bc4df18940c998decbb32c595410a4278800	tree
parent	e434185ec16b3783629bcb364b9a350706df7c1e	commit \| diff

[release-branch.go1.13-security] crypto/x509: respect VerifyOptions.KeyUsages on Windows

When using the platform verifier on Windows (because Roots is nil) we
were always enforcing server auth EKUs if DNSName was set, and none
otherwise. If an application was setting KeyUsages, they were not being
respected.

Started correctly surfacing IncompatibleUsage errors from the system
verifier, as those are the ones applications will see if they are
affected by this change.

Also refactored verify_test.go to make it easier to add tests for this,
and replaced the EKULeaf chain with a new one that doesn't have a SHA-1
signature.

Thanks to Niall Newman for reporting this.

Fixes #39360
Fixes CVE-2020-14039

Change-Id: If5c00d615f2944f7d57007891aae1307f9571c32
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/774414
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/793509
Reviewed-by: Filippo Valsorda <valsorda@google.com>

src/crypto/x509/root_windows.go		diff \| blob \| history
src/crypto/x509/verify.go		diff \| blob \| history
src/crypto/x509/verify_test.go		diff \| blob \| history