crypto/x509: can set pathlen in certificate when not CA #38216
RFC 5280 prohibits setting path lengths when not a CA.
CAs MUST NOT include the pathLenConstraint field unless the cA
This isn't restricted by the library, and means you can create invalid certificates. These are now failing checks in the latest version of OpenSSL (openssl/openssl#11456).
The relevant code is around
This fixes a bug in CL 228777 which disallowed a MaxPathLen of -1 without IsCA, even though the x509.Certificate documentation indicates that MaxPathLen of -1 is considered "unset".

Updates #38216

Change-Id: Ib7240e00408d060f27567be8b820d0eee239256f
Reviewed-on: https://go-review.googlesource.com/c/go/+/235280
Run-TryBot: Katie Hockman <firstname.lastname@example.org>
TryBot-Result: Gobot Gobot <email@example.com>
Reviewed-by: Filippo Valsorda <firstname.lastname@example.org>
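
The rule from the issue, together with the "-1 means unset" case from the commit message above, as an added Go example; this is not the crypto/x509 source or the code from the CL. `checkTemplate`, `checkExtensionDER`, `errPathLenNonCA` and the sample values are hypothetical names and constructed inputs.

```go
package main

import (
	"crypto/x509"
	"encoding/asn1"
	"errors"
	"fmt"
)

var errPathLenNonCA = errors.New("pathLenConstraint present but cA is not asserted (RFC 5280)")

// checkTemplate is a hypothetical pre-signing lint. Per the x509.Certificate
// docs, MaxPathLen -1 is unset and 0 counts only when MaxPathLenZero is true.
func checkTemplate(c *x509.Certificate) error {
	set := c.MaxPathLen > 0 || (c.MaxPathLen == 0 && c.MaxPathLenZero)
	if c.BasicConstraintsValid && !c.IsCA && set {
		return errPathLenNonCA
	}
	return nil
}

// basicConstraints follows the RFC 5280 SEQUENCE; default -1 marks an absent pathLen.
type basicConstraints struct {
	IsCA       bool `asn1:"optional"`
	MaxPathLen int  `asn1:"optional,default:-1"`
}

// checkExtensionDER lints the DER value of an issued basicConstraints extension.
func checkExtensionDER(der []byte) error {
	var bc basicConstraints
	if rest, err := asn1.Unmarshal(der, &bc); err != nil || len(rest) != 0 {
		return errors.New("malformed basicConstraints value")
	}
	if !bc.IsCA && bc.MaxPathLen >= 0 {
		return errPathLenNonCA
	}
	return nil
}

// Constructed samples (not taken from the issue).
var (
	leafUnset      = &x509.Certificate{BasicConstraintsValid: true, MaxPathLen: -1}
	leafPathLen    = &x509.Certificate{BasicConstraintsValid: true, MaxPathLen: 1}
	derLeafPathLen = []byte{0x30, 0x03, 0x02, 0x01, 0x01} // SEQUENCE { INTEGER 1 }, cA absent
)

func main() {
	fmt.Println(checkTemplate(leafUnset), checkTemplate(leafPathLen), checkExtensionDER(derLeafPathLen))
}
```
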