
crypto/x509: allow setting MaxPathLen to -1 without IsCA

This fixes a bug in CL 228777 which disallowed
a MaxPathLen of -1 without IsCA, even though the
x509.Certificate documentation indicates that
MaxPathLen of -1 is considered "unset".

Updates #38216

Change-Id: Ib7240e00408d060f27567be8b820d0eee239256f
Reviewed-on: https://go-review.googlesource.com/c/go/+/235280
Run-TryBot: Katie Hockman <katie@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Katie Hockman 2020-05-26 15:36:58 -04:00
parent e5a6a94aeb
commit b5bf2f0682
2 changed files with 8 additions and 5 deletions


@ -2100,7 +2100,7 @@ func CreateCertificate(rand io.Reader, template, parent *Certificate, pub, priv
return nil, errors.New("x509: no SerialNumber given") return nil, errors.New("x509: no SerialNumber given")
} }
if template.BasicConstraintsValid && !template.IsCA && (template.MaxPathLen != 0 || template.MaxPathLenZero) { if template.BasicConstraintsValid && !template.IsCA && template.MaxPathLen != -1 && (template.MaxPathLen != 0 || template.MaxPathLenZero) {
return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen") return nil, errors.New("x509: only CAs are allowed to specify MaxPathLen")
} }
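Review bot: The guard on the `if template.BasicConstraintsValid && !template.IsCA && ...` line now has four clauses and no comment explaining why -1 is exempt, which makes it easy to weaken by accident. I would put a comment above it, for example `// MaxPathLen == -1 means "unset" (see the Certificate docs), so it is not a path length constraint and is allowed when IsCA is false.` The new `template.MaxPathLen != -1` clause also short-circuits the `MaxPathLenZero` test, so a non-CA template with MaxPathLen -1 and MaxPathLenZero true now passes. That is presumably harmless if the encoder omits the field for -1, but the encoding code is outside this hunk and should be confirmed. CreateCertificate's body starts and ends outside the hunk.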


@ -1674,11 +1674,15 @@ func TestMaxPathLenNotCA(t *testing.T) {
BasicConstraintsValid: true, BasicConstraintsValid: true,
IsCA: false, IsCA: false,
} }
cert := serialiseAndParse(t, template) if m := serialiseAndParse(t, template).MaxPathLen; m != -1 {
if m := cert.MaxPathLen; m != -1 {
t.Errorf("MaxPathLen should be -1 when IsCa is false, got %d", m) t.Errorf("MaxPathLen should be -1 when IsCa is false, got %d", m)
} }
template.MaxPathLen = -1
if m := serialiseAndParse(t, template).MaxPathLen; m != -1 {
t.Errorf("MaxPathLen should be -1 when IsCa is false and MaxPathLen set to -1, got %d", m)
}
template.MaxPathLen = 5 template.MaxPathLen = 5
if _, err := CreateCertificate(rand.Reader, template, template, &testPrivateKey.PublicKey, testPrivateKey); err == nil { if _, err := CreateCertificate(rand.Reader, template, template, &testPrivateKey.PublicKey, testPrivateKey); err == nil {
t.Error("specifying a MaxPathLen when IsCA is false should fail") t.Error("specifying a MaxPathLen when IsCA is false should fail")
@ -1691,8 +1695,7 @@ func TestMaxPathLenNotCA(t *testing.T) {
} }
template.BasicConstraintsValid = false template.BasicConstraintsValid = false
cert2 := serialiseAndParse(t, template) if m := serialiseAndParse(t, template).MaxPathLen; m != 0 {
if m := cert2.MaxPathLen; m != 0 {
t.Errorf("Bad MaxPathLen should be ignored if BasicConstraintsValid is false, got %d", m) t.Errorf("Bad MaxPathLen should be ignored if BasicConstraintsValid is false, got %d", m)
} }
} }
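Review bot: The new `template.MaxPathLen = -1` case in the first hunk covers only the plain unset value, so nothing visible here pins the behaviour for a non-CA template with `MaxPathLen = -1` and `MaxPathLenZero = true`, which the relaxed guard in CreateCertificate now also accepts. I would add a case that sets both and asserts the outcome the package intends (parsed `MaxPathLen` still -1, or creation failing), so a later edit to the guard cannot silently let a path length constraint onto a non-CA certificate. The error messages also spell the field `IsCa` where the struct field is `IsCA`; matching the field name makes failures easier to grep. Part of the test body between the two hunks is not shown, so such a case may already exist there.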