Skip to content

x/crypto/x509roots: apply constraints with CertPool.AddCertWithConstraint #70623

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
FiloSottile opened this issue Dec 1, 2024 · 2 comments
Closed

x/crypto/x509roots: apply constraints with CertPool.AddCertWithConstraint #70623

FiloSottile opened this issue Dec 1, 2024 · 2 comments
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done. Security
Milestone
Unreleased

Comments

@FiloSottile
Copy link
Contributor

Now that #57178 has landed, we should use CertPool.AddCertWithConstraint to apply nss.Constraint values.

In particular, the Entrust root now has a Distrust After of November 30, 2024 that we need to apply.

/cc @golang/security
@gopherbot gopherbot added this to the Unreleased milestone Dec 1, 2024
@gabyhelp
Copy link

gabyhelp commented Dec 1, 2024

Related Issues

(Emoji vote if this was helpful or unhelpful; more detailed feedback welcome in this discussion.)

@mknyszek mknyszek added the NeedsFix The path to resolution is known, but the work has not been done. label Dec 2, 2024
@AGWA AGWA mentioned this issue Dec 11, 2024
Closed
@gopherbot
Copy link
Contributor

Change https://go.dev/cl/652996 mentions this issue: x509roots: support constrained roots

@dmitshur dmitshur added the FixPending Issues that have a fix which has not yet been reviewed or submitted. label Feb 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
FixPending Issues that have a fix which has not yet been reviewed or submitted. NeedsFix The path to resolution is known, but the work has not been done. Security
Projects
None yet
Milestone
Unreleased
Development

No branches or pull requests
5 participants
@FiloSottile @mknyszek @dmitshur @gopherbot @gabyhelp