diff options
Diffstat (limited to 'src/crypto/x509/verify.go')
| -rw-r--r-- | src/crypto/x509/verify.go | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go index 9ef11466a4..1f9636a550 100644 --- a/src/crypto/x509/verify.go +++ b/src/crypto/x509/verify.go @@ -172,6 +172,11 @@ var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificat // VerifyOptions contains parameters for Certificate.Verify. type VerifyOptions struct { + // IsBoring is a validity check for BoringCrypto. + // If not nil, it will be called to check whether a given certificate + // can be used for constructing verification chains. + IsBoring func(*Certificate) bool + // DNSName, if set, is checked against the leaf certificate with // Certificate.VerifyHostname or the platform verifier. DNSName string @@ -695,6 +700,13 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V } } + if opts.IsBoring != nil && !opts.IsBoring(c) { + // IncompatibleUsage is not quite right here, + // but it's also the "no chains found" error + // and is close enough. + return CertificateInvalidError{c, IncompatibleUsage, ""} + } + return nil } |