kris/th5
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

crypto/tls: extract certificate validation for the client

Browse Source 
Moved some code and added a comment in preparation for extending the TLS
1.3 client with certificate validation. No functional change.
This commit is contained in:
Peter Wu 2017-09-15 18:30:24 +01:00
parent 9e25a0a25d
commit 928e35b73a
1 changed files with 57 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

49
handshake_client.go
View File

@ -350,25 +350,12 @@ func (hs *clientHandshakeState) pickCipherSuite() error {
return nil return nil
} }
func (hs *clientHandshakeState) doFullHandshake() error { // processCertsFromServer takes a chain of server certificates from a
// Certificate message and verifies them.
func (hs *clientHandshakeState) processCertsFromServer(certificates [][]byte) error {
c := hs.c c := hs.c
certs := make([]*x509.Certificate, len(certificates))
msg, err := c.readHandshake() for i, asn1Data := range certificates {
if err != nil {
return err
}
certMsg, ok := msg.(*certificateMsg)
if !ok || len(certMsg.certificates) == 0 {
c.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(certMsg, msg)
}
hs.finishedHash.Write(certMsg.marshal())
if c.handshakes == 0 {
// If this is the first handshake on a connection, process and
// (optionally) verify the server's certificates.
certs := make([]*x509.Certificate, len(certMsg.certificates))
for i, asn1Data := range certMsg.certificates {
cert, err := x509.ParseCertificate(asn1Data) cert, err := x509.ParseCertificate(asn1Data)
if err != nil { if err != nil {
c.sendAlert(alertBadCertificate) c.sendAlert(alertBadCertificate)
@ -391,6 +378,7 @@ func (hs *clientHandshakeState) doFullHandshake() error {
} }
opts.Intermediates.AddCert(cert) opts.Intermediates.AddCert(cert)
} }
var err error
c.verifiedChains, err = certs[0].Verify(opts) c.verifiedChains, err = certs[0].Verify(opts)
if err != nil { if err != nil {
c.sendAlert(alertBadCertificate) c.sendAlert(alertBadCertificate)
@ -399,7 +387,7 @@ func (hs *clientHandshakeState) doFullHandshake() error {
} }
if c.config.VerifyPeerCertificate != nil { if c.config.VerifyPeerCertificate != nil {
if err := c.config.VerifyPeerCertificate(certMsg.certificates, c.verifiedChains); err != nil { if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
c.sendAlert(alertBadCertificate) c.sendAlert(alertBadCertificate)
return err return err
} }
@ -414,6 +402,29 @@ func (hs *clientHandshakeState) doFullHandshake() error {
} }
c.peerCertificates = certs c.peerCertificates = certs
return nil
}
func (hs *clientHandshakeState) doFullHandshake() error {
c := hs.c
msg, err := c.readHandshake()
if err != nil {
return err
}
certMsg, ok := msg.(*certificateMsg)
if !ok || len(certMsg.certificates) == 0 {
c.sendAlert(alertUnexpectedMessage)
return unexpectedMessageError(certMsg, msg)
}
hs.finishedHash.Write(certMsg.marshal())
if c.handshakes == 0 {
// If this is the first handshake on a connection, process and
// (optionally) verify the server's certificates.
if err := hs.processCertsFromServer(certMsg.certificates); err != nil {
return err
}
} else { } else {
// This is a renegotiation handshake. We require that the // This is a renegotiation handshake. We require that the
// server's identity (i.e. leaf certificate) is unchanged and // server's identity (i.e. leaf certificate) is unchanged and