crypto/x509: better document Verify's behaviour.

author Adam Langley <agl@golang.org>

Wed, 10 Jan 2018 22:26:33 +0000 (14:26 -0800)

committer Russ Cox <rsc@golang.org>

Thu, 18 Jan 2018 14:43:29 +0000 (14:43 +0000)
author Adam Langley <agl@golang.org>
Wed, 10 Jan 2018 22:26:33 +0000 (14:26 -0800)
committer Russ Cox <rsc@golang.org>
Thu, 18 Jan 2018 14:43:29 +0000 (14:43 +0000)
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go

index 7a6bd454f201d5fc818469555188203b4599b6f9..9477e85b95167a8b9d2d1a7b3bd9797f023860cd 100644 (file)
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -781,7 +781,17 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
  // If opts.Roots is nil and system roots are unavailable the returned error
  // will be of type SystemRootsError.
  //
-// WARNING: this doesn't do any revocation checking.
+// Name constraints in the intermediates will be applied to all names claimed
+// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim
+// example.com if an intermediate doesn't permit it, even if example.com is not
+// the name being validated. Note that DirectoryName constraints are not
+// supported.
+//
+// Extended Key Usage values are enforced down a chain, so an intermediate or
+// root that enumerates EKUs prevents a leaf from asserting an EKU not in that
+// list.
+//
+// WARNING: this function doesn't do any revocation checking.
  func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
         // Platform-specific verification needs the ASN.1 contents so
         // this makes the behavior consistent across platforms.
author	Adam Langley <agl@golang.org>
	Wed, 10 Jan 2018 22:26:33 +0000 (14:26 -0800)
committer	Russ Cox <rsc@golang.org>
	Thu, 18 Jan 2018 14:43:29 +0000 (14:43 +0000)