Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/x509: CANotAuthorizedForExtKeyUsage is a bogus error [1.10 backport] #25258

gopherbot opened this issue May 4, 2018 · 2 comments


Copy link

@gopherbot gopherbot commented May 4, 2018

@FiloSottile requested issue #24590 to be considered for backport to the next 1.10 minor release.

Based on discussion with @agl, we will go back to only enforcing nesting (and returning CANotAuthorizedForExtKeyUsage) when the EKU is being asserted in Verify.

@gopherbot, please open a tracking issue for backporting to 1.10.

Copy link

@gopherbot gopherbot commented May 21, 2018

Change mentions this issue: [release-branch.go1.10] crypto/x509: check EKUs like 1.9.

Copy link

@gopherbot gopherbot commented May 24, 2018

Closed by merging 09fa131 to release-branch.go1.10.

@gopherbot gopherbot closed this May 24, 2018
gopherbot pushed a commit that referenced this issue May 24, 2018
This change brings back the EKU checking from 1.9. In 1.10, we checked
EKU nesting independent of the requested EKUs so that, after verifying a
certifciate, one could inspect the EKUs in the leaf and trust them.

That, however, was too optimistic. I had misunderstood that the PKI was
/currently/ clean enough to require that, rather than it being
desirable. Go generally does not push the envelope on these sorts of
things and lets the browsers clear the path first.

Fixes #25258

Change-Id: I18c070478e3bbb6468800ae461c207af9e954949
Reviewed-by: Filippo Valsorda <>
(cherry picked from commit 180e0f8a1b149bd1d15df29b6527748266cacad9)
Run-TryBot: Filippo Valsorda <>
TryBot-Result: Gobot Gobot <>
Reviewed-by: Andrew Bonventre <>
@golang golang locked and limited conversation to collaborators May 24, 2019
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
2 participants
You can’t perform that action at this time.