crypto/x509: allow parsing of certificates with unknown critical extensions.
Previously, unknown critical extensions were a parse error. However, for some cases one wishes to parse and use a certificate that may contain these extensions. For example, when using a certificate in a TLS server: it's the client's concern whether it understands the critical extensions but the server still wishes to parse SNI values out of the certificate etc. This change moves the rejection of unknown critical extensions from ParseCertificate to Certificate.Verify. The former will now record the OIDs of unknown critical extensions in the Certificate and the latter will fail to verify certificates with them. If a user of this package wishes to handle any unknown critical extensions themselves, they can extract the extensions from Certificate.Extensions, process them and remove known OIDs from Certificate.UnknownCriticalExtensions. See discussion at https://groups.google.com/forum/#!msg/golang-nuts/IrzoZlwalTQ/qdK1k-ogeHIJ and in the linked bug. Fixes #10459 Change-Id: I762521a44c01160fa0901f990ba2f5d4977d7977 Reviewed-on: https://go-review.googlesource.com/9390Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
Showing
Please register or sign in to comment