From: Adam Langley Date: Wed, 10 Jan 2018 22:26:33 +0000 (-0800) Subject: crypto/x509: better document Verify's behaviour. X-Git-Tag: go1.10rc1~30 X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=4dc1c491b04e90a502ce041f0fd757c91915bff4;p=gostls13.git crypto/x509: better document Verify's behaviour. This change expands the documentation for Verify to mention the name constraints and EKU behaviour. Change-Id: Ifc80faa6077c26fcc1d2a261ad1d14c00fd13b23 Reviewed-on: https://go-review.googlesource.com/87300 Reviewed-by: Brad Fitzpatrick --- diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index 7a6bd454f2..9477e85b95 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -781,7 +781,17 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V // If opts.Roots is nil and system roots are unavailable the returned error // will be of type SystemRootsError. // -// WARNING: this doesn't do any revocation checking. +// Name constraints in the intermediates will be applied to all names claimed +// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim +// example.com if an intermediate doesn't permit it, even if example.com is not +// the name being validated. Note that DirectoryName constraints are not +// supported. +// +// Extended Key Usage values are enforced down a chain, so an intermediate or +// root that enumerates EKUs prevents a leaf from asserting an EKU not in that +// list. +// +// WARNING: this function doesn't do any revocation checking. func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) { // Platform-specific verification needs the ASN.1 contents so // this makes the behavior consistent across platforms.