Diffstat (limited to 'libgo/go/crypto/x509/verify.go')
-rw-r--r--libgo/go/crypto/x509/verify.go12
1 files changed, 11 insertions, 1 deletions
diff --git a/libgo/go/crypto/x509/verify.go b/libgo/go/crypto/x509/verify.go
index 7a6bd45..9477e85 100644
--- a/libgo/go/crypto/x509/verify.go
+++ b/libgo/go/crypto/x509/verify.go
@@ -781,7 +781,17 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
// If opts.Roots is nil and system roots are unavailable the returned error
// will be of type SystemRootsError.
//
-// WARNING: this doesn't do any revocation checking.
+// Name constraints in the intermediates will be applied to all names claimed
+// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim
+// example.com if an intermediate doesn't permit it, even if example.com is not
+// the name being validated. Note that DirectoryName constraints are not
+// supported.
+//
+// Extended Key Usage values are enforced down a chain, so an intermediate or
+// root that enumerates EKUs prevents a leaf from asserting an EKU not in that
+// list.
+//
+// WARNING: this function doesn't do any revocation checking.
func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
// Platform-specific verification needs the ASN.1 contents so
// this makes the behavior consistent across platforms.
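Review bot: The sentence `Note that DirectoryName constraints are not supported.` at the end of the first added paragraph leaves the security-relevant question open: whether an intermediate carrying a DirectoryName name constraint causes verification to fail, or whether that constraint is silently skipped, which would let a leaf assert a name its issuer meant to exclude. The comment should state which, e.g. `Note that DirectoryName constraints are not supported: they are not enforced, and their presence does not cause verification to fail.` if that matches the implementation, or the rejecting variant otherwise — the hunk alone does not show which it is. The `WARNING: this function doesn't do any revocation checking.` line would also help callers more if it said what to do instead, e.g. `Callers that need revocation must check OCSP responses or CRLs themselves.` The body of Verify continues past the end of this hunk.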