crypto/x509: enforce EKU nesting at chain-construction time.

crypto/x509 has always enforced EKUs as a chain property (like CAPI, but
unlike the RFC). With this change, EKUs will be checked at
chain-building time rather than in a target-specific way.
Thus mis-nested EKUs will now cause a failure in Verify, irrespective of
the key usages requested in opts. (This mirrors the new behaviour w.r.t.
name constraints, where an illegal name in the leaf will cause a Verify
failure, even if the verified name is permitted.)
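
The difference between the two checking styles described in the commit message above, as an added example that is a simplified model and not crypto/x509's own code. The names ekuSet, targetSpecific, nested, sampleChain and serverAuth are hypothetical, and the model assumes that an empty EKU list means unrestricted and that the "any" EKU permits every usage.

```go
package main

import (
	"crypto/x509"
	"fmt"
)

// ekuSet is one certificate's EKU list; empty means no EKU extension,
// which this simplified model treats as unrestricted (an assumption).
type ekuSet []x509.ExtKeyUsage
const serverAuth = x509.ExtKeyUsageServerAuth

func (s ekuSet) permits(u x509.ExtKeyUsage) bool {
	for _, e := range s {
		if e == x509.ExtKeyUsageAny || e == u {
			return true
		}
	}
	return len(s) == 0
}

// targetSpecific checks only the requested usage against each certificate.
func targetSpecific(chain []ekuSet, want x509.ExtKeyUsage) bool {
	for _, c := range chain {
		if !c.permits(want) {
			return false
		}
	}
	return true
}

// nested: each certificate's EKUs must be permitted by its issuer (leaf first).
func nested(chain []ekuSet) bool {
	for i := 0; i+1 < len(chain); i++ {
		for _, u := range chain[i] {
			if !chain[i+1].permits(u) {
				return false
			}
		}
	}
	return true
}

// sampleChain is constructed data: leaf, intermediate, root.
var sampleChain = []ekuSet{{serverAuth, x509.ExtKeyUsageClientAuth}, {serverAuth}, {}}

func main() {
	fmt.Println(targetSpecific(sampleChain, serverAuth), nested(sampleChain))
}
```

The constructed leaf asserts client authentication that its issuer does not permit, so the nesting check rejects the chain even though only server authentication was requested.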