in certificate/constraints_v29.go [128:141]
func excludesAllIPRanges(cert *x509.Certificate) bool {
// For iPAddresses in excludedSubtrees, both IPv4 and IPv6 must be present and the constraints must cover the entire range (0.0.0.0/0 for IPv4 and ::0/0 for IPv6).
var excludesIPv4, excludesIPv6 bool
for _, cidr := range cert.ExcludedIPRanges {
if cidr.IP.Equal(net.IPv4zero) && isBufferAllZeros(cidr.Mask, net.IPv4len) {
excludesIPv4 = true
}
if cidr.IP.Equal(net.IPv6zero) && isBufferAllZeros(cidr.Mask, net.IPv6len) {
excludesIPv6 = true
}
}
return excludesIPv4 && excludesIPv6
}