[dev.boringcrypto] all: merge master (nearly Go 1.10 beta 1) into dev.boringcrypto

[gostls13.git] / src / crypto / x509 / verify.go

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 7a6bd454f201d5fc818469555188203b4599b6f9..d27ee3e249f15976ae815bc9ae8105fbc4cee435 100644 (file)
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -174,6 +174,11 @@ var errNotParsed = errors.New("x509: missing ASN.1 contents; use ParseCertificat
 // VerifyOptions contains parameters for Certificate.Verify. It's a structure
 // because other PKIX verification APIs have ended up needing many options.
 type VerifyOptions struct {
+       // IsBoring is a validity check for BoringCrypto.
+       // If not nil, it will be called to check whether a given certificate
+       // can be used for constructing verification chains.
+       IsBoring func(*Certificate) bool
+
        DNSName       string
        Intermediates *CertPool
        Roots         *CertPool // if nil, the system roots are used
@@ -770,6 +775,13 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
                }
        }
 
+       if opts.IsBoring != nil && !opts.IsBoring(c) {
+               // IncompatibleUsage is not quite right here,
+               // but it's also the "no chains found" error
+               // and is close enough.
+               return CertificateInvalidError{c, IncompatibleUsage, ""}
+       }
+
        return nil
 }