]> Cypherpunks repositories - gostls13.git/commit
projects / gostls13.git / commit
summary | shortlog | log | commit | commitdiff | tree
(parent: e06e29b) | patch
crypto/x509: implement policy validation
authorRoland Shoemaker <roland@golang.org>
Sat, 16 Nov 2024 19:17:54 +0000 (11:17 -0800)
committerGopher Robot <gobot@golang.org>
Fri, 22 Nov 2024 01:28:52 +0000 (01:28 +0000)
commite8d95619978c4602d4446f113b3b69b7a22308fa
tree74114a1d081ffba199b7f9e77729590a014fc866tree
parente06e29b9b4afbb30f5c77551ff8e6bdaafcf8e9bcommit | diff
crypto/x509: implement policy validation

Implement support for parsing the various policy related extensions,
and for validating the policy graph for chains.

Policy validation is only run if VerifyOptions.CertificatePolicies is
set. Policy validation is run after chains are built. If the computed
policy graph for a chain is invalid, the chain is removed from the set
of returned chains.

This implements the RFC 5280 algorithm as updated by
RFC 9618 [0].

Fixes #68484

[0] https://www.rfc-editor.org/rfc/rfc9618.html

Change-Id: I576432a47ddc404cba966c2b1995365944b8bd26
Reviewed-on: https://go-review.googlesource.com/c/go/+/628616
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
37 files changed:
api/next/68484.txt [new file with mode: 0644] blob
doc/next/6-stdlib/99-minor/crypto/x509/68484.md [new file with mode: 0644] blob
src/crypto/x509/oid_test.go diff | blob | history
src/crypto/x509/parser.go diff | blob | history
src/crypto/x509/parser_test.go diff | blob | history
src/crypto/x509/root_unix_test.go diff | blob | history
src/crypto/x509/testdata/policy_intermediate.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_any.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_duplicate.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_invalid.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_mapped.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_mapped_any.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_mapped_oid3.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_require.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_require1.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_require2.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_require_duplicate.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_intermediate_require_no_policies.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_any.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_duplicate.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_invalid.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_none.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_oid1.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_oid2.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_oid3.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_oid4.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_oid5.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_require.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_leaf_require1.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_root.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_root2.pem [new file with mode: 0644] blob
src/crypto/x509/testdata/policy_root_cross_inhibit_mapping.pem [new file with mode: 0644] blob
src/crypto/x509/verify.go diff | blob | history
src/crypto/x509/verify_test.go diff | blob | history
src/crypto/x509/x509.go diff | blob | history
src/crypto/x509/x509_test.go diff | blob | history
Go GOST TLS 1.3