crypto/x509: check Certificate.isValid on CertPool.Add #66166
Assignees
Labels
NeedsInvestigation
Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Comments
|
Would that not be a breaking change wrt |
|
I see there is a behavioral change here (i.e. Subjects will return the subject of a cert, but will likely not actually use it during chain building), but I don't really see how its breaking? (also side note, CertPool.Subjects is already deprecated, further changing its behavior seems fine). |
|
If I call |
seankhliao
added
the
NeedsInvestigation
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
We shouldn't be adding certificates to the pool which we cannot reasonably later use during chain building. CertPool.Add doesn't have an error return, so we should just silently discard the certificate when isValid returns a non-nil error.
The text was updated successfully, but these errors were encountered: