CANotAuthorizedForExtKeyUsage
)

// CertificateInvalidError results when an odd error occurs. Users of this
// library probably want to handle all these errors uniformly.
type CertificateInvalidError struct {
	Cert   *Certificate
	Reason InvalidReason
	Detail string
}

func (e CertificateInvalidError) Error() string {
	switch e.Reason {
	case NotAuthorizedToSign:

	// using TLS or OCSP for that.

	if ret, err := macOS.SecTrustEvaluateWithError(trustObj); err != nil {
		switch ret {
		case macOS.ErrSecCertificateExpired:
			return nil, CertificateInvalidError{c, Expired, err.Error()}
		case macOS.ErrSecHostNameMismatch:
			return nil, HostnameError{c, opts.DNSName}
		case macOS.ErrSecNotTrusted:
			return nil, UnknownAuthorityError{Cert: c}
		default:

		status := chainCtx.TrustStatus.ErrorStatus
		switch status {
		case syscall.CERT_TRUST_IS_NOT_TIME_VALID:
			return CertificateInvalidError{c, Expired, ""}
		case syscall.CERT_TRUST_IS_NOT_VALID_FOR_USAGE:
			return CertificateInvalidError{c, IncompatibleUsage, ""}
		// TODO(filippo): surface more error statuses.
		default:
			return UnknownAuthorityError{c, nil, nil}
		}
	}
	return nil

		}
	}
}

func expectExpired(t *testing.T, err error) {
	if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != Expired {
		t.Fatalf("error was not Expired: %v", err)
	}
}

func expectUsageError(t *testing.T, err error) {
	if inval, ok := err.(CertificateInvalidError); !ok || inval.Reason != IncompatibleUsage {
		t.Fatalf("error was not IncompatibleUsage: %v", err)
	}
}

		}

		for _, cert := range certs[1:] {
			opts.Intermediates.AddCert(cert)
		}

		chains, err := certs[0].Verify(opts)
		if err != nil {
			var errCertificateInvalid x509.CertificateInvalidError
			if errors.As(err, &x509.UnknownAuthorityError{}) {
				c.sendAlert(alertUnknownCA)
			} else if errors.As(err, &errCertificateInvalid) && errCertificateInvalid.Reason == x509.Expired {

pkg crypto/x509, type Certificate struct, PermittedIPRanges []*net.IPNet
pkg crypto/x509, type Certificate struct, PermittedURIDomains []string
pkg crypto/x509, type Certificate struct, URIs []*url.URL
pkg crypto/x509, type CertificateInvalidError struct, Detail string
pkg crypto/x509, type CertificateRequest struct, URIs []*url.URL
pkg crypto/x509, type VerifyOptions struct, MaxConstraintComparisions int
pkg crypto/x509/pkix, method (Name) String() string

		{"Certificate.UnknownExtKeyUsage", Field, 0},
		{"Certificate.Version", Field, 0},
		{"CertificateInvalidError", Type, 0},
		{"CertificateInvalidError.Cert", Field, 0},
		{"CertificateInvalidError.Detail", Field, 10},
		{"CertificateInvalidError.Reason", Field, 0},
		{"CertificateRequest", Type, 3},
		{"CertificateRequest.Attributes", Field, 3},

pkg crypto/x509, type Certificate struct, UnknownExtKeyUsage []asn1.ObjectIdentifier
pkg crypto/x509, type Certificate struct, Version int
pkg crypto/x509, type CertificateInvalidError struct
pkg crypto/x509, type CertificateInvalidError struct, Cert *Certificate
pkg crypto/x509, type CertificateInvalidError struct, Reason InvalidReason
pkg crypto/x509, type ConstraintViolationError struct
pkg crypto/x509, type ExtKeyUsage int