kris/boringssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Extract certificate message processing in Go.

Browse Source 
TLS 1.2 and 1.3 will both need to call it at different points.

Change-Id: Id62ec289213aa6c06ebe5fe65a57ca6c2b53d538
Reviewed-on: https://boringssl-review.googlesource.com/8600
Reviewed-by: David Benjamin <davidben@google.com>
This commit is contained in:
David Benjamin 2016-07-01 18:58:51 -04:00
parent a6f82637da
commit 7505144558
1 changed files with 56 additions and 41 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

97
ssl/test/runner/handshake_client.go
View File

@ -392,53 +392,16 @@ func (hs *clientHandshakeState) doFullHandshake() error {
} }
certMsg, ok := msg.(*certificateMsg) certMsg, ok := msg.(*certificateMsg)
if !ok || len(certMsg.certificates) == 0 { if !ok {
c.sendAlert(alertUnexpectedMessage) c.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(certMsg, msg) return unexpectedMessageError(certMsg, msg)
} }
hs.writeServerHash(certMsg.marshal()) hs.writeServerHash(certMsg.marshal())
certs := make([]*x509.Certificate, len(certMsg.certificates)) if err := hs.verifyCertificates(certMsg); err != nil {
for i, asn1Data := range certMsg.certificates { return err
cert, err := x509.ParseCertificate(asn1Data)
if err != nil {
c.sendAlert(alertBadCertificate)
return errors.New("tls: failed to parse certificate from server: " + err.Error())
}
certs[i] = cert
} }
leaf = certs[0] leaf = c.peerCertificates[0]
if !c.config.InsecureSkipVerify {
opts := x509.VerifyOptions{
Roots: c.config.RootCAs,
CurrentTime: c.config.time(),
DNSName: c.config.ServerName,
Intermediates: x509.NewCertPool(),
}
for i, cert := range certs {
if i == 0 {
continue
}
opts.Intermediates.AddCert(cert)
}
c.verifiedChains, err = leaf.Verify(opts)
if err != nil {
c.sendAlert(alertBadCertificate)
return err
}
}
switch leaf.PublicKey.(type) {
case *rsa.PublicKey, *ecdsa.PublicKey:
break
default:
c.sendAlert(alertUnsupportedCertificate)
return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", leaf.PublicKey)
}
c.peerCertificates = certs
} }
if hs.serverHello.extensions.ocspStapling { if hs.serverHello.extensions.ocspStapling {
@ -603,6 +566,58 @@ func (hs *clientHandshakeState) doFullHandshake() error {
return nil return nil
} }
func (hs *clientHandshakeState) verifyCertificates(certMsg *certificateMsg) error {
c := hs.c
if len(certMsg.certificates) == 0 {
c.sendAlert(alertIllegalParameter)
return errors.New("tls: no certificates sent")
}
certs := make([]*x509.Certificate, len(certMsg.certificates))
for i, asn1Data := range certMsg.certificates {
cert, err := x509.ParseCertificate(asn1Data)
if err != nil {
c.sendAlert(alertBadCertificate)
return errors.New("tls: failed to parse certificate from server: " + err.Error())
}
certs[i] = cert
}
if !c.config.InsecureSkipVerify {
opts := x509.VerifyOptions{
Roots: c.config.RootCAs,
CurrentTime: c.config.time(),
DNSName: c.config.ServerName,
Intermediates: x509.NewCertPool(),
}
for i, cert := range certs {
if i == 0 {
continue
}
opts.Intermediates.AddCert(cert)
}
var err error
c.verifiedChains, err = certs[0].Verify(opts)
if err != nil {
c.sendAlert(alertBadCertificate)
return err
}
}
switch certs[0].PublicKey.(type) {
case *rsa.PublicKey, *ecdsa.PublicKey:
break
default:
c.sendAlert(alertUnsupportedCertificate)
return fmt.Errorf("tls: server's certificate contains an unsupported type of public key: %T", certs[0].PublicKey)
}
c.peerCertificates = certs
return nil
}
func (hs *clientHandshakeState) establishKeys() error { func (hs *clientHandshakeState) establishKeys() error {
c := hs.c c := hs.c