[dev.boringcrypto] all: merge master into dev.boringcrypto

[gostls13.git] / src / crypto / x509 / verify.go

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index a739956cfe070f94db01652295b56380b48ad7c3..a44f5d6326afb921195d61ed6cfd2c3e9a18f00f 100644 (file)
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -174,6 +174,11 @@ var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificat
 
 // VerifyOptions contains parameters for Certificate.Verify.
 type VerifyOptions struct {
+       // IsBoring is a validity check for BoringCrypto.
+       // If not nil, it will be called to check whether a given certificate
+       // can be used for constructing verification chains.
+       IsBoring func(*Certificate) bool
+
        // DNSName, if set, is checked against the leaf certificate with
        // Certificate.VerifyHostname or the platform verifier.
        DNSName string
@@ -725,6 +730,13 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
                }
        }
 
+       if opts.IsBoring != nil && !opts.IsBoring(c) {
+               // IncompatibleUsage is not quite right here,
+               // but it's also the "no chains found" error
+               // and is close enough.
+               return CertificateInvalidError{c, IncompatibleUsage, ""}
+       }
+
        return nil
 }