From ed2996bac77725e891699b22bff3789086ea81e6 Mon Sep 17 00:00:00 2001 From: Roland Shoemaker Date: Tue, 12 May 2020 18:49:34 -0700 Subject: [PATCH] crypto/x509: document support for leading periods in DNS constraints This change adds a comment to the Verify documentation that indicates that you can use URI and email style name constraints with a leading period for DNS names (and explains what they do). This behavior is not standards compliant, but matches the community application of RFC 5280, so it makes sense to document it. Fixes #37535 Change-Id: Ibd6f039e4fa46d40ad7ae1ab48eab86f13cf8eff Reviewed-on: https://go-review.googlesource.com/c/go/+/233525 Reviewed-by: Ryan Sleevi Reviewed-by: Filippo Valsorda --- src/crypto/x509/verify.go | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index a058f349c54..be11e730e52 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -744,6 +744,12 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V // the name being validated. Note that DirectoryName constraints are not // supported. // +// Name constraint validation follows the rules from RFC 5280, with the +// addition that DNS name constraints may use the leading period format +// defined for emails and URIs. When a constraint has a leading period +// it indicates that at least one additional label must be prepended to +// the constrained name to be considered valid. +// // Extended Key Usage values are enforced down a chain, so an intermediate or // root that enumerates EKUs prevents a leaf from asserting an EKU not in that // list.