From e26feb874f24391db54645078c01f928e69334e5 Mon Sep 17 00:00:00 2001
From: William Woodruff <william@trailofbits.com>
Date: Sat, 25 Nov 2023 21:06:39 -0500
Subject: [PATCH] validation: document BC handling

Signed-off-by: William Woodruff <william@trailofbits.com>
---
 src/rust/cryptography-x509-validation/src/policy/mod.rs | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/rust/cryptography-x509-validation/src/policy/mod.rs b/src/rust/cryptography-x509-validation/src/policy/mod.rs
index b0614584ea34..ec67f1b3d046 100644
--- a/src/rust/cryptography-x509-validation/src/policy/mod.rs
+++ b/src/rust/cryptography-x509-validation/src/policy/mod.rs
@@ -464,6 +464,9 @@ impl<'a, B: CryptoOps> Policy<'a, B> {
         // to test here. It's also conceptually an extension policy, but
         // requires a bit of extra external state (`current_depth`) that isn't
         // presently convenient to push into that layer.
+        //
+        // NOTE: BasicConstraints is required via `ca_extension_policies`,
+        // so we always take this branch.
         if let Some(bc) = extensions.get_extension(&BASIC_CONSTRAINTS_OID) {
             let bc: BasicConstraints = bc.value()?;