Google Git
Sign in
go / crypto / 6575f7ea326e67d12b77872ff66f5ea15f8aefad
commit6575f7ea326e67d12b77872ff66f5ea15f8aefad[log] [tgz]
authorAlex Vaghin <ddos@google.com>Wed Aug 10 16:19:56 2016 +0200
committerAlex Vaghin <ddos@google.com>Mon Aug 15 19:30:22 2016 +0000
tree29336ec02dabeea82e705cc77f61191be80bca70
parenta548aac93ed489257b9d959b40fe1e8c1e20778c [diff]
acme: build up full chain certs when requested

The latest ACME spec (v3) changed the wording to:

    ... the server MUST send one or more link relation header
    fields [RFC5988] with relation "up", each indicating a single
    certificate resource for the issuer of this certificate.  The server
    MAY also include the "up" links from these resources to enable the
    client to build a full certificate chain.

See https://tools.ietf.org/html/draft-ietf-acme-acme-03#section-6.3.1.

Before this change, Client was fetching only the first "up" link, but never
checked to follow the chain further. To my knowledge, Let's Encrypt never
provided a chain longer than 1, this is just to make the Client future proof.

Also fixes google/acme#26.

Change-Id: I35cf5f1997b21a0b2a2d0a732043a7e04b7f1c45
Reviewed-on: https://go-review.googlesource.com/26693
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2 files changed
tree: 29336ec02dabeea82e705cc77f61191be80bca70
  1. acme/
  2. bcrypt/
  3. blowfish/
  4. bn256/
  5. cast5/
  6. curve25519/
  7. ed25519/
  8. hkdf/
  9. md4/
  10. nacl/
  11. ocsp/
  12. openpgp/
  13. otr/
  14. pbkdf2/
  15. pkcs12/
  16. poly1305/
  17. ripemd160/
  18. salsa20/
  19. scrypt/
  20. sha3/
  21. ssh/
  22. tea/
  23. twofish/
  24. xtea/
  25. xts/
  26. .gitattributes
  27. .gitignore
  28. AUTHORS
  29. codereview.cfg
  30. CONTRIBUTING.md
  31. CONTRIBUTORS
  32. LICENSE
  33. PATENTS
  34. README