mirror of
https://github.com/golang/go.git
synced 2025-05-29 03:11:26 +00:00
Implement support for parsing the various policy related extensions, and for validating the policy graph for chains. Policy validation is only run if VerifyOptions.CertificatePolicies is set. Policy validation is run after chains are built. If the computed policy graph for a chain is invalid, the chain is removed from the set of returned chains.

This implements the RFC 5280 algorithm as updated by RFC 9618 [0].

Fixes #68484

[0] https://www.rfc-editor.org/rfc/rfc9618.html

Change-Id: I576432a47ddc404cba966c2b1995365944b8bd26
Reviewed-on: https://go-review.googlesource.com/c/go/+/628616
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
[Certificate.Verify] now supports policy validation, as defined by RFC 5280 and RFC 9618. In order to enable policy validation, [VerifyOptions.CertificatePolicies] must be set to an acceptable set of policy [OIDs]. When enabled, only certificate chains with valid policy graphs will be returned from [Certificate.Verify].
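As an added example (not code from the Go project or from this change), the following program exercises what the note describes: it issues a constructed three-certificate chain (self-signed root, intermediate, leaf) with chosen certificate policies and then verifies the leaf with VerifyOptions.CertificatePolicies set, so that only chains whose policy graph is valid for that set are returned. It assumes Go 1.24 or later, where VerifyOptions.CertificatePolicies exists. The policy OIDs under 1.3.6.1.4.1.99999 are placeholders, not real assignments, and the helper names (must, mustPolicy, template, issue, buildChain, validChains) are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err) // any error here is a bug in building the fixtures
	}
	return v
}

// policy carries one OID in both forms, so the certificate is the same whether CreateCertificate reads Certificate.Policies (Go 1.24 default) or PolicyIdentifiers.
type policy struct {
	oid x509.OID
	old asn1.ObjectIdentifier
}

func mustPolicy(arcs ...uint64) policy {
	old := make(asn1.ObjectIdentifier, len(arcs))
	for i, a := range arcs {
		old[i] = int(a)
	}
	return policy{oid: must(x509.OIDFromInts(arcs)), old: old}
}

var (
	policyA   = mustPolicy(1, 3, 6, 1, 4, 1, 99999, 1) // constructed placeholder, not a real assignment
	policyB   = mustPolicy(1, 3, 6, 1, 4, 1, 99999, 2) // constructed placeholder, not a real assignment
	anyPolicy = mustPolicy(2, 5, 29, 32, 0)            // RFC 5280 anyPolicy
)

// policyConstraints is the RFC 5280 policyConstraints extension (id-ce 36), hand-encoded DER for
// SEQUENCE { requireExplicitPolicy [0] INTEGER 0 }; on the intermediate it drives explicit_policy to zero.
var policyConstraints = pkix.Extension{Id: asn1.ObjectIdentifier{2, 5, 29, 36}, Critical: true, Value: []byte{0x30, 0x03, 0x80, 0x01, 0x00}}

func template(cn string, serial int64, ca bool, pols []policy) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ca,
		BasicConstraintsValid: true,
	}
	for _, p := range pols {
		t.Policies = append(t.Policies, p.oid)
		t.PolicyIdentifiers = append(t.PolicyIdentifiers, p.old)
	}
	return t
}

func issue(t, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, t, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// buildChain issues root -> intermediate -> leaf with the given policies and returns them in Verify's chain order.
func buildChain(rootPols, interPols, leafPols []policy) (leaf, inter, root *x509.Certificate) {
	k0 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	k1 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	k2 := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	rootT := template("Example Root", 1, true, rootPols)
	root = issue(rootT, rootT, &k0.PublicKey, k0)
	interT := template("Example Intermediate", 2, true, interPols)
	interT.ExtraExtensions = []pkix.Extension{policyConstraints}
	inter = issue(interT, root, &k1.PublicKey, k0)
	leaf = issue(template("example leaf", 3, false, leafPols), inter, &k2.PublicKey, k1)
	return leaf, inter, root
}

// validChains verifies leaf with policy validation enabled for the acceptable set; it returns how many chains survive, and an error when none has a valid policy graph.
func validChains(leaf, inter, root *x509.Certificate, acceptable []policy) (int, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	inters.AddCert(inter)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters}
	for _, p := range acceptable {
		opts.CertificatePolicies = append(opts.CertificatePolicies, p.oid) // non-empty set enables policy validation
	}
	chains, err := leaf.Verify(opts)
	return len(chains), err
}

func main() {
	leaf, inter, root := buildChain([]policy{policyA}, []policy{policyA}, []policy{policyA})
	fmt.Println(validChains(leaf, inter, root, []policy{policyA})) // 1 <nil>
	fmt.Println(validChains(leaf, inter, root, []policy{policyB})) // 0 and a policy error
}
```

Two design points are worth noting. First, RFC 5280 section 6.1.2 initialises the explicit_policy counter to n+1 when the caller does not require explicit policy, and section 6.1.5 step (g) accepts the path whenever that counter is still positive, whatever the policy tree contains; the requireExplicitPolicy=0 constraint on the intermediate removes that escape, so the negative cases above fail because no acceptable policy was found and not for some other reason. Second, the template sets both Certificate.Policies and the older Certificate.PolicyIdentifiers with the same values, so the emitted certificatePolicies extension does not depend on the GODEBUG x509usepolicies setting that selects which field CreateCertificate reads.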