]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: efbe47b) | patch
crypto/x509: respect VerifyOptions.KeyUsages on Windows
authorFilippo Valsorda <filippo@golang.org>
Fri, 19 Jun 2020 02:45:52 +0000 (22:45 -0400)
committerKatie Hockman <katie@golang.org>
Tue, 14 Jul 2020 17:12:22 +0000 (17:12 +0000)
commit82175e699a2e2cd83d3aa34949e9b922d66d52f5
tree5c2940f0a090c2bcec38b0755c6ca2ed288f3a44tree
parentefbe47b1625422f21bb2f130f916ce040756dbe3commit | diff
crypto/x509: respect VerifyOptions.KeyUsages on Windows

When using the platform verifier on Windows (because Roots is nil) we
were always enforcing server auth EKUs if DNSName was set, and none
otherwise. If an application was setting KeyUsages, they were not being
respected.

Started correctly surfacing IncompatibleUsage errors from the system
verifier, as those are the ones applications will see if they are
affected by this change.

Also refactored verify_test.go to make it easier to add tests for this,
and replaced the EKULeaf chain with a new one that doesn't have a SHA-1
signature.

Thanks to Niall Newman for reporting this.

Fixes #39360
Fixes CVE-2020-14039

Change-Id: If5c00d615f2944f7d57007891aae1307f9571c32
Reviewed-on: https://team-review.git.corp.google.com/c/golang/go-private/+/774414
Reviewed-by: Katie Hockman <katiehockman@google.com>
Reviewed-on: https://go-review.googlesource.com/c/go/+/242597
Run-TryBot: Katie Hockman <katie@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
src/crypto/x509/root_windows.go diff | blob | history
src/crypto/x509/verify.go diff | blob | history
src/crypto/x509/verify_test.go diff | blob | history
Go GOST TLS 1.3