crypto/x509: fix behaviour of KeyUsageAny.
authorAdam Langley <agl@golang.org>
Tue, 10 Dec 2013 19:06:26 +0000 (14:06 -0500)
committerAdam Langley <agl@golang.org>
Tue, 10 Dec 2013 19:06:26 +0000 (14:06 -0500)
(Reporter wasn't able to provide a certificate chain that uses this
feature for testing.)

Fixes #6831

R=golang-dev, bradfitz, r
CC=golang-dev
https://golang.org/cl/40340043

src/pkg/crypto/x509/verify.go

index 8327463ca867aa6ea17e072d3d9f1ee1bbbe7ca4..5fd8e371747d85dc6fb2fb838b8e8e3b17f763b7 100644 (file)
@@ -425,6 +425,7 @@ func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
        // by each certificate. If we cross out all the usages, then the chain
        // is unacceptable.
 
+NextCert:
        for i := len(chain) - 1; i >= 0; i-- {
                cert := chain[i]
                if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
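Review bot: The `NextCert` label added here, and the `continue NextCert` it exists for, land without a regression test, so nothing pins the behaviour that a certificate carrying ExtKeyUsageAny leaves the requested usages untouched. checkChainForKeyUsage takes plain `[]*Certificate` and `[]ExtKeyUsage` values, so a test can build the chain in memory instead of parsing a real one: `chain := []*Certificate{&Certificate{ExtKeyUsage: []ExtKeyUsage{ExtKeyUsageAny}}}` followed by `if !checkChainForKeyUsage(chain, []ExtKeyUsage{ExtKeyUsageServerAuth}) { t.Error("ExtKeyUsageAny chain rejected") }`. A second case, in which another certificate in the same chain lists only a non-matching usage, should still return false; that guards against the labelled continue skipping more than the one certificate. The loop body and the rest of the function lie outside this hunk, so these expected results are inferred from the visible comments and should be confirmed against the full function.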
@@ -435,7 +436,7 @@ func checkChainForKeyUsage(chain []*Certificate, keyUsages []ExtKeyUsage) bool {
                for _, usage := range cert.ExtKeyUsage {
                        if usage == ExtKeyUsageAny {
                                // The certificate is explicitly good for any usage.
-                               continue
+                               continue NextCert
                        }
                }