[dev.boringcrypto] all: merge master into dev.boringcrypto
[gostls13.git] / src / crypto / x509 / verify.go
index a30f64456d711d26a00f6ef73111c25eea30576c..df7aadeeb6faa2c5c88a3fa7cec9fa3e2f7295b0 100644 (file)
@@ -80,7 +80,7 @@ func (e CertificateInvalidError) Error() string {
        case NotAuthorizedToSign:
                return "x509: certificate is not authorized to sign other certificates"
        case Expired:
-               return "x509: certificate has expired or is not yet valid"
+               return "x509: certificate has expired or is not yet valid: " + e.Detail
        case CANotAuthorizedForThisName:
                return "x509: a root or intermediate certificate is not authorized to sign for this name: " + e.Detail
        case CANotAuthorizedForExtKeyUsage:
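Review bot: The `Expired` case now appends `": " + e.Detail` unconditionally, so a CertificateInvalidError with Reason Expired and an empty Detail renders with a dangling `: ` at the end. The line removed in the isValid hunk built exactly such a value with `""`, and because the type is exported, code outside this file may still do so (not visible here). Guarding the suffix keeps the old text in that case: `if e.Detail == "" { return "x509: certificate has expired or is not yet valid" }`. Log filters, alert rules or tests that match the previous exact string would need to switch to a prefix match. The switch in Error() continues outside the hunk.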
@@ -581,8 +581,18 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
        if now.IsZero() {
                now = time.Now()
        }
-       if now.Before(c.NotBefore) || now.After(c.NotAfter) {
-               return CertificateInvalidError{c, Expired, ""}
+       if now.Before(c.NotBefore) {
+               return CertificateInvalidError{
+                       Cert:   c,
+                       Reason: Expired,
+                       Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)),
+               }
+       } else if now.After(c.NotAfter) {
+               return CertificateInvalidError{
+                       Cert:   c,
+                       Reason: Expired,
+                       Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)),
+               }
        }
 
        maxConstraintComparisons := opts.MaxConstraintComparisions
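Review bot: Each new Detail string formats its two timestamps in whatever zone the value carries, so when `now` comes from `time.Now()` it prints in local time next to a certificate bound that is presumably UTC, which makes clock skew harder to read from logs. Formatting both sides in UTC avoids that, e.g. `now.UTC().Format(time.RFC3339)` and `c.NotBefore.UTC().Format(time.RFC3339)` (likewise for `c.NotAfter`). The `time.RFC3339` layout also drops fractional seconds, so a failure within the same second prints two identical timestamps. As a style point, the `else if` follows a branch that returns and can be a plain `if`. isValid's body starts and ends outside the hunk.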