crypto/x509: document support for leading periods in DNS constraints
This change adds a comment to the Verify documentation that indicates
that you can use URI and email style name constraints with a leading
period for DNS names (and explains what they do). This behavior is
not standards compliant, but matches the community application of
RFC 5280, so it makes sense to document it.
Fixes #37535
Change-Id: Ibd6f039e4fa46d40ad7ae1ab48eab86f13cf8eff
Reviewed-on: https://go-review.googlesource.com/c/go/+/233525
Reviewed-by: Ryan Sleevi <sleevi@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index a058f34..be11e730 100644
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -744,6 +744,12 @@
// the name being validated. Note that DirectoryName constraints are not
// supported.
//
+// Name constraint validation follows the rules from RFC 5280, with the
+// addition that DNS name constraints may use the leading period format
+// defined for emails and URIs. When a constraint has a leading period
+// it indicates that at least one additional label must be prepended to
+// the constrained name to be considered valid.
+//
// Extended Key Usage values are enforced down a chain, so an intermediate or
// root that enumerates EKUs prevents a leaf from asserting an EKU not in that
// list.
