crypto/x509: better document Verify's behaviour.

This change expands the documentation for Verify to mention the name constraints and EKU behaviour. Change-Id: Ifc80faa6077c26fcc1d2a261ad1d14c00fd13b23 Reviewed-on: https://go-review.googlesource.com/87300 Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2024-11-18 00:44:47 -07:00 · 2018-01-10 14:26:33 -08:00 · 2018-01-10 14:26:33 -08:00 · 4dc1c491b0
commit 4dc1c491b0
parent 67fdf587dc
1 changed files with 11 additions and 1 deletions
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@ -781,7 +781,17 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
 // If opts.Roots is nil and system roots are unavailable the returned error
 // will be of type SystemRootsError.
 //
-// WARNING: this doesn't do any revocation checking.
+// Name constraints in the intermediates will be applied to all names claimed
+// in the chain, not just opts.DNSName. Thus it is invalid for a leaf to claim
+// example.com if an intermediate doesn't permit it, even if example.com is not
+// the name being validated. Note that DirectoryName constraints are not
+// supported.
+//
+// Extended Key Usage values are enforced down a chain, so an intermediate or
+// root that enumerates EKUs prevents a leaf from asserting an EKU not in that
+// list.
+//
+// WARNING: this function doesn't do any revocation checking.
 func (c *Certificate) Verify(opts VerifyOptions) (chains [][]*Certificate, err error) {
 	// Platform-specific verification needs the ASN.1 contents so
 	// this makes the behavior consistent across platforms.