crypto/x509: consider parents by Subject if AKID has no match
If a certificate somehow has an AKID, it should still chain successfully to a parent without a SKID, even if the latter is invalid according to RFC 5280, because only the Subject is authoritative. This reverts to the behavior before #29233 was fixed in 77013065. Roots with the right subject will still be shadowed by roots with the right SKID and the wrong subject, but that's been the case for a long time, and is left for a more complete fix in Go 1.13. Updates #30079 Change-Id: If8ab0179aca86cb74caa926d1ef93fb5e416b4bb Reviewed-on: https://go-review.googlesource.com/c/161097Reviewed-by: Adam Langley <agl@golang.org>
Showing
Please register or sign in to comment