From: Mikkel Krautz
Date: Sat, 18 Aug 2012 22:50:33 +0000 (-0700)
Subject: crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs
X-Git-Tag: go1.1rc2~2628
X-Git-Url: http://www.git.cypherpunks.su/?a=commitdiff_plain;h=67924c1b602c170239eec821c3aea67b6ab682c7;p=gostls13.git
crypto/tls: explicitly require ExtKeyUsageClientAuth for client certs
If we aren't explicit about the KeyUsages, the verifier will treat the certificate as a server certificate and require it to have a ExtKeyUsageServerAuth key usage.
R=golang-dev
CC=golang-dev
https://golang.org/cl/6453148
---
diff --git a/src/pkg/crypto/tls/handshake_server.go b/src/pkg/crypto/tls/handshake_server.go
index 76adc540c7..e5049a2f0d 100644
--- a/src/pkg/crypto/tls/handshake_server.go
+++ b/src/pkg/crypto/tls/handshake_server.go
@@ -211,6 +211,7 @@ FindCipherSuite:
 Roots: c.config.ClientCAs,
 CurrentTime: c.config.time(),
 Intermediates: x509.NewCertPool(),
+ KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
 }
 for i, cert := range certs {
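Review bot: The added `KeyUsages` entry in the `x509.VerifyOptions` literal carries no comment, and the reason for it lives only in the commit message: with `KeyUsages` left empty the verifier treats the chain as a server certificate and requires `ExtKeyUsageServerAuth`. I would state that next to the field, e.g. `// Verify client chains for ClientAuth; an empty KeyUsages makes Verify require ServerAuth.` The same comment or a release note should mention the acceptance change this implies: a client certificate whose extended key usage lists only server authentication presumably verified before and will be rejected now, which operators may see as new handshake failures. No test is visible in this patch, so a case with a clientAuth-only certificate (and one with a serverAuth-only certificate that must fail) would pin the behaviour. The enclosing function starts and ends outside the hunk.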