mirror of
https://github.com/golang/go
synced 2024-11-26 21:21:34 -07:00
crypto/x509: document support for leading periods in DNS constraints
This change adds a comment to the Verify documentation that indicates that you can use URI and email style name constraints with a leading period for DNS names (and explains what they do). This behavior is not standards compliant, but matches the community application of RFC 5280, so it makes sense to document it. Fixes #37535 Change-Id: Ibd6f039e4fa46d40ad7ae1ab48eab86f13cf8eff Reviewed-on: https://go-review.googlesource.com/c/go/+/233525 Reviewed-by: Ryan Sleevi <sleevi@google.com> Reviewed-by: Filippo Valsorda <filippo@golang.org>
This commit is contained in:
parent
e05695ed4d
commit
ed2996bac7
@ -744,6 +744,12 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
|
||||
// the name being validated. Note that DirectoryName constraints are not
|
||||
// supported.
|
||||
//
|
||||
// Name constraint validation follows the rules from RFC 5280, with the
|
||||
// addition that DNS name constraints may use the leading period format
|
||||
// defined for emails and URIs. When a constraint has a leading period
|
||||
// it indicates that at least one additional label must be prepended to
|
||||
// the constrained name to be considered valid.
|
||||
//
|
||||
// Extended Key Usage values are enforced down a chain, so an intermediate or
|
||||
// root that enumerates EKUs prevents a leaf from asserting an EKU not in that
|
||||
// list.
|
||||
|
Loading…
Reference in New Issue
Block a user