crypto/tls: extract certificate validation for the client
Moved some code and added a comment in preparation for extending the TLS 1.3 client with certificate validation. No functional change.
This commit is contained in:
Peter Wu
parent
9e25a0a25d
commit
928e35b73a
@ -350,25 +350,12 @@ func (hs *clientHandshakeState) pickCipherSuite() error {
|
||||
return nil
|
||||
}
|
||||
|
||||
func (hs *clientHandshakeState) doFullHandshake() error {
|
||||
// processCertsFromServer takes a chain of server certificates from a
|
||||
// Certificate message and verifies them.
|
||||
func (hs *clientHandshakeState) processCertsFromServer(certificates [][]byte) error {
|
||||
c := hs.c
|
||||
|
||||
msg, err := c.readHandshake()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
certMsg, ok := msg.(*certificateMsg)
|
||||
if !ok || len(certMsg.certificates) == 0 {
|
||||
c.sendAlert(alertUnexpectedMessage)
|
||||
return unexpectedMessageError(certMsg, msg)
|
||||
}
|
||||
hs.finishedHash.Write(certMsg.marshal())
|
||||
|
||||
if c.handshakes == 0 {
|
||||
// If this is the first handshake on a connection, process and
|
||||
// (optionally) verify the server's certificates.
|
||||
certs := make([]*x509.Certificate, len(certMsg.certificates))
|
||||
for i, asn1Data := range certMsg.certificates {
|
||||
certs := make([]*x509.Certificate, len(certificates))
|
||||
for i, asn1Data := range certificates {
|
||||
cert, err := x509.ParseCertificate(asn1Data)
|
||||
if err != nil {
|
||||
c.sendAlert(alertBadCertificate)
|
||||
@ -391,6 +378,7 @@ func (hs *clientHandshakeState) doFullHandshake() error {
|
||||
}
|
||||
opts.Intermediates.AddCert(cert)
|
||||
}
|
||||
var err error
|
||||
c.verifiedChains, err = certs[0].Verify(opts)
|
||||
if err != nil {
|
||||
c.sendAlert(alertBadCertificate)
|
||||
@ -399,7 +387,7 @@ func (hs *clientHandshakeState) doFullHandshake() error {
|
||||
}
|
||||
|
||||
if c.config.VerifyPeerCertificate != nil {
|
||||
if err := c.config.VerifyPeerCertificate(certMsg.certificates, c.verifiedChains); err != nil {
|
||||
if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil {
|
||||
c.sendAlert(alertBadCertificate)
|
||||
return err
|
||||
}
|
||||
@ -414,6 +402,29 @@ func (hs *clientHandshakeState) doFullHandshake() error {
|
||||
}
|
||||
|
||||
c.peerCertificates = certs
|
||||
return nil
|
||||
}
|
||||
|
||||
func (hs *clientHandshakeState) doFullHandshake() error {
|
||||
c := hs.c
|
||||
|
||||
msg, err := c.readHandshake()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
certMsg, ok := msg.(*certificateMsg)
|
||||
if !ok || len(certMsg.certificates) == 0 {
|
||||
c.sendAlert(alertUnexpectedMessage)
|
||||
return unexpectedMessageError(certMsg, msg)
|
||||
}
|
||||
hs.finishedHash.Write(certMsg.marshal())
|
||||
|
||||
if c.handshakes == 0 {
|
||||
// If this is the first handshake on a connection, process and
|
||||
// (optionally) verify the server's certificates.
|
||||
if err := hs.processCertsFromServer(certMsg.certificates); err != nil {
|
||||
return err
|
||||
}
|
||||
} else {
|
||||
// This is a renegotiation handshake. We require that the
|
||||
// server's identity (i.e. leaf certificate) is unchanged and
|
||||
|
||||
Loading…
Reference in New Issue
Block a user