From 4dc1c491b04e90a502ce041f0fd757c91915bff4 Mon Sep 17 00:00:00 2001 From: Adam Langley Date: Wed, 10 Jan 2018 14:26:33 -0800 Subject: [PATCH] crypto/x509: better document Verify's behaviour. This change expands the documentation for Verify to mention the name constraints and EKU behaviour. Change-Id: Ifc80faa6077c26fcc1d2a261ad1d14c00fd13b23 Reviewed-on: https://go-review.googlesource.com/87300 Reviewed-by: Brad Fitzpatrick --- src/crypto/x509/verify.go | 12 +++++++++++- 1 file changed, 11 insertions(+), 1 deletion(-) diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index 7a6bd454f2..9477e85b95 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -781,7 +781,17 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V // If opts.Roots is nil and system roots are unavailable the returned error // will be of type SystemRootsError. // -// WARNING: this doesn't do any revocation checking. +// Name constraints in the intermediates will be applied to all names claimed +// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim +// example.com if an intermediate doesn't permit it, even if example.com is not +// the name being validated. Note that DirectoryName constraints are not +// supported. +// +// Extended Key Usage values are enforced down a chain, so an intermediate or +// root that enumerates EKUs prevents a leaf from asserting an EKU not in that +// list. +// +// WARNING: this function doesn't do any revocation checking. func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) { // Platform-specific verification needs the ASN.1 contents so // this makes the behavior consistent across platforms. -- 2.50.0