Minimal number of changes needed to udpate to draft-28 (#115)
* includes AD in authentication check of TLS records As per 5.2 of TLS 1.3 draft-28, the additional data is record header. * tests: Update tests in order to support draft-28 * Interoperability: Updates NSS and BoringSSL versions to the one supporting draft-28 * Bogo: Updates revision number to use tests for draft-28 * FIX: makefile was using test-compat target instead of test-interop * DC test: constify * Use binary interface to encode in big-endian
This commit is contained in:
parent
0d6e4561a6
commit
d3e18f99e2
@ -71,7 +71,7 @@ We run 3 kinds of test:.
|
|||||||
|
|
||||||
* Unit testing: <br/>``make -f _dev/Makefile test-unit``
|
* Unit testing: <br/>``make -f _dev/Makefile test-unit``
|
||||||
* Testing against BoringSSL test suite: <br/>``make -f _dev/Makefile test-bogo``
|
* Testing against BoringSSL test suite: <br/>``make -f _dev/Makefile test-bogo``
|
||||||
* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-compat``
|
* Compatibility testing (see below):<br/>``make -f _dev/Makefile test-interop``
|
||||||
|
|
||||||
To run all the tests in one go use:
|
To run all the tests in one go use:
|
||||||
```
|
```
|
||||||
|
@ -115,4 +115,4 @@ clean-all: clean
|
|||||||
fmtcheck:
|
fmtcheck:
|
||||||
$(DEV_DIR)/utils/fmtcheck.sh
|
$(DEV_DIR)/utils/fmtcheck.sh
|
||||||
|
|
||||||
.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-compat
|
.PHONY: $(BUILD_DIR) clean build build-test test test-unit test-bogo test-interop
|
||||||
|
@ -26,7 +26,10 @@ RUN git clone https://github.com/henrydcase/crypto-tls-bogo-shim \
|
|||||||
#ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5
|
#ARG REVISION=d07b9e80a87c871c2569ce4aabd06695336c5dc5
|
||||||
|
|
||||||
# Draft 23 (+ client authentication)
|
# Draft 23 (+ client authentication)
|
||||||
ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf
|
# ARG REVISION=cd33ad248ae9490854f0077ca046b47cac3735bf
|
||||||
|
|
||||||
|
# Draft 28
|
||||||
|
ARG REVISION=33204d1eaa497819c6325998d7ba6b66316790f3
|
||||||
|
|
||||||
RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \
|
RUN cd /go/src/github.com/henrydcase/crypto-tls-bogo-shim && \
|
||||||
git checkout $REVISION
|
git checkout $REVISION
|
||||||
|
@ -2,7 +2,7 @@
|
|||||||
set -e
|
set -e
|
||||||
|
|
||||||
/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
|
/boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
|
||||||
-tls13-variant draft23 -session-out /session -connect "$@" < /httpreq.txt
|
-tls13-variant draft28 -session-out /session -connect "$@" < /httpreq.txt
|
||||||
exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
|
exec /boringssl/build/tool/bssl client -grease -min-version tls1.3 -max-version tls1.3 \
|
||||||
-tls13-variant draft23 -session-in /session -connect "$@" < /httpreq.txt
|
-tls13-variant draft28 -session-in /session -connect "$@" < /httpreq.txt
|
||||||
|
|
||||||
|
@ -6,21 +6,21 @@ set -x
|
|||||||
bssl server \
|
bssl server \
|
||||||
-key rsa.pem \
|
-key rsa.pem \
|
||||||
-min-version tls1.2 -max-version tls1.3 \
|
-min-version tls1.2 -max-version tls1.3 \
|
||||||
-tls13-variant draft23 \
|
-tls13-variant draft28 \
|
||||||
-accept 1443 -loop -www 2>&1 &
|
-accept 1443 -loop -www 2>&1 &
|
||||||
|
|
||||||
# ECDSA
|
# ECDSA
|
||||||
bssl server \
|
bssl server \
|
||||||
-key ecdsa.pem \
|
-key ecdsa.pem \
|
||||||
-min-version tls1.2 -max-version tls1.3 \
|
-min-version tls1.2 -max-version tls1.3 \
|
||||||
-tls13-variant draft23 \
|
-tls13-variant draft28 \
|
||||||
-accept 2443 -loop -www 2>&1 &
|
-accept 2443 -loop -www 2>&1 &
|
||||||
|
|
||||||
# Require client authentication (with ECDSA)
|
# Require client authentication (with ECDSA)
|
||||||
bssl server \
|
bssl server \
|
||||||
-key ecdsa.pem \
|
-key ecdsa.pem \
|
||||||
-min-version tls1.2 -max-version tls1.3 \
|
-min-version tls1.2 -max-version tls1.3 \
|
||||||
-tls13-variant draft23 \
|
-tls13-variant draft28 \
|
||||||
-accept 6443 -loop -www \
|
-accept 6443 -loop -www \
|
||||||
-require-any-client-cert -debug 2>&1 &
|
-require-any-client-cert -debug 2>&1 &
|
||||||
|
|
||||||
|
@ -44,6 +44,7 @@ var tlsVersionToName = map[uint16]string{
|
|||||||
tls.VersionTLS13Draft21: "1.3 (draft 21)",
|
tls.VersionTLS13Draft21: "1.3 (draft 21)",
|
||||||
tls.VersionTLS13Draft22: "1.3 (draft 22)",
|
tls.VersionTLS13Draft22: "1.3 (draft 22)",
|
||||||
tls.VersionTLS13Draft23: "1.3 (draft 23)",
|
tls.VersionTLS13Draft23: "1.3 (draft 23)",
|
||||||
|
tls.VersionTLS13Draft28: "1.3 (draft 28)",
|
||||||
}
|
}
|
||||||
|
|
||||||
func NewServer() *server {
|
func NewServer() *server {
|
||||||
|
@ -18,6 +18,7 @@ var tlsVersionToName = map[uint16]string{
|
|||||||
tls.VersionTLS13: "1.3",
|
tls.VersionTLS13: "1.3",
|
||||||
tls.VersionTLS13Draft18: "1.3 (draft 18)",
|
tls.VersionTLS13Draft18: "1.3 (draft 18)",
|
||||||
tls.VersionTLS13Draft23: "1.3 (draft 23)",
|
tls.VersionTLS13Draft23: "1.3 (draft 23)",
|
||||||
|
tls.VersionTLS13Draft28: "1.3 (draft 28)",
|
||||||
}
|
}
|
||||||
|
|
||||||
var cipherSuiteIdToName = map[uint16]string{
|
var cipherSuiteIdToName = map[uint16]string{
|
||||||
|
@ -24,7 +24,10 @@ ENV USE_64=1 NSS_ENABLE_TLS_1_3=1
|
|||||||
#ARG REVISION=88c3f3fa581b
|
#ARG REVISION=88c3f3fa581b
|
||||||
|
|
||||||
# Draft 23
|
# Draft 23
|
||||||
ARG REVISION=16c622c9e1cc
|
# ARG REVISION=16c622c9e1cc
|
||||||
|
|
||||||
|
# Latest
|
||||||
|
ARG REVISION=09ab3310e710
|
||||||
|
|
||||||
RUN cd nss && hg pull
|
RUN cd nss && hg pull
|
||||||
RUN cd nss && hg checkout -C $REVISION
|
RUN cd nss && hg checkout -C $REVISION
|
||||||
|
@ -174,7 +174,10 @@ type fixedNonceAEAD struct {
|
|||||||
aead cipher.AEAD
|
aead cipher.AEAD
|
||||||
}
|
}
|
||||||
|
|
||||||
func (f *fixedNonceAEAD) NonceSize() int { return 8 }
|
func (f *fixedNonceAEAD) NonceSize() int { return 8 }
|
||||||
|
|
||||||
|
// Overhead returns the maximum difference between the lengths of a
|
||||||
|
// plaintext and its ciphertext.
|
||||||
func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() }
|
func (f *fixedNonceAEAD) Overhead() int { return f.aead.Overhead() }
|
||||||
func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
|
func (f *fixedNonceAEAD) explicitNonceLen() int { return 8 }
|
||||||
|
|
||||||
|
@ -31,6 +31,7 @@ const (
|
|||||||
VersionTLS13Draft21 = 0x7f00 | 21
|
VersionTLS13Draft21 = 0x7f00 | 21
|
||||||
VersionTLS13Draft22 = 0x7f00 | 22
|
VersionTLS13Draft22 = 0x7f00 | 22
|
||||||
VersionTLS13Draft23 = 0x7f00 | 23
|
VersionTLS13Draft23 = 0x7f00 | 23
|
||||||
|
VersionTLS13Draft28 = 0x7f00 | 28
|
||||||
)
|
)
|
||||||
|
|
||||||
const (
|
const (
|
||||||
@ -41,7 +42,7 @@ const (
|
|||||||
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
|
maxWarnAlertCount = 5 // maximum number of consecutive warning alerts
|
||||||
|
|
||||||
minVersion = VersionTLS12
|
minVersion = VersionTLS12
|
||||||
maxVersion = VersionTLS13Draft23
|
maxVersion = VersionTLS13Draft28
|
||||||
)
|
)
|
||||||
|
|
||||||
// TLS record types.
|
// TLS record types.
|
||||||
@ -888,7 +889,7 @@ var configSuppVersArray = [...]uint16{VersionTLS13, VersionTLS12, VersionTLS11,
|
|||||||
// with TLS 1.3 draft versions included.
|
// with TLS 1.3 draft versions included.
|
||||||
//
|
//
|
||||||
// TODO: remove once TLS 1.3 is finalised.
|
// TODO: remove once TLS 1.3 is finalised.
|
||||||
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft23, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
|
var tls13DraftSuppVersArray = [...]uint16{VersionTLS13Draft28, VersionTLS12, VersionTLS11, VersionTLS10, VersionSSL30}
|
||||||
|
|
||||||
// getSupportedVersions returns the protocol versions that are supported by the
|
// getSupportedVersions returns the protocol versions that are supported by the
|
||||||
// current configuration.
|
// current configuration.
|
||||||
|
26
conn.go
26
conn.go
@ -11,6 +11,7 @@ import (
|
|||||||
"crypto/cipher"
|
"crypto/cipher"
|
||||||
"crypto/subtle"
|
"crypto/subtle"
|
||||||
"crypto/x509"
|
"crypto/x509"
|
||||||
|
"encoding/binary"
|
||||||
"errors"
|
"errors"
|
||||||
"fmt"
|
"fmt"
|
||||||
"io"
|
"io"
|
||||||
@ -358,6 +359,15 @@ func (hc *halfConn) decrypt(b *block) (ok bool, prefixLen int, alertValue alert)
|
|||||||
hc.additionalData[11] = byte(n >> 8)
|
hc.additionalData[11] = byte(n >> 8)
|
||||||
hc.additionalData[12] = byte(n)
|
hc.additionalData[12] = byte(n)
|
||||||
additionalData = hc.additionalData[:]
|
additionalData = hc.additionalData[:]
|
||||||
|
} else {
|
||||||
|
if len(payload) > int((1<<14)+256) {
|
||||||
|
return false, 0, alertRecordOverflow
|
||||||
|
}
|
||||||
|
// Check AD header, see 5.2 of RFC8446
|
||||||
|
additionalData = make([]byte, 5)
|
||||||
|
additionalData[0] = 23
|
||||||
|
binary.BigEndian.PutUint16(additionalData[1:], 0x0303)
|
||||||
|
binary.BigEndian.PutUint16(additionalData[3:], uint16(len(payload)))
|
||||||
}
|
}
|
||||||
var err error
|
var err error
|
||||||
payload, err = c.Open(payload[:0], nonce, payload, additionalData)
|
payload, err = c.Open(payload[:0], nonce, payload, additionalData)
|
||||||
@ -460,10 +470,11 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
|
|||||||
case cipher.Stream:
|
case cipher.Stream:
|
||||||
c.XORKeyStream(payload, payload)
|
c.XORKeyStream(payload, payload)
|
||||||
case aead:
|
case aead:
|
||||||
|
// explicitIVLen is always 0 for TLS1.3
|
||||||
payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
|
payloadLen := len(b.data) - recordHeaderLen - explicitIVLen
|
||||||
overhead := c.Overhead()
|
overhead := c.Overhead()
|
||||||
if hc.version >= VersionTLS13 {
|
if hc.version >= VersionTLS13 {
|
||||||
overhead++
|
overhead++ // TODO(kk): why this is done?
|
||||||
}
|
}
|
||||||
b.resize(len(b.data) + overhead)
|
b.resize(len(b.data) + overhead)
|
||||||
|
|
||||||
@ -478,16 +489,19 @@ func (hc *halfConn) encrypt(b *block, explicitIVLen int) (bool, alert) {
|
|||||||
if hc.version < VersionTLS13 {
|
if hc.version < VersionTLS13 {
|
||||||
copy(hc.additionalData[:], hc.seq[:])
|
copy(hc.additionalData[:], hc.seq[:])
|
||||||
copy(hc.additionalData[8:], b.data[:3])
|
copy(hc.additionalData[8:], b.data[:3])
|
||||||
hc.additionalData[11] = byte(payloadLen >> 8)
|
binary.BigEndian.PutUint16(hc.additionalData[11:], uint16(payloadLen))
|
||||||
hc.additionalData[12] = byte(payloadLen)
|
|
||||||
additionalData = hc.additionalData[:]
|
additionalData = hc.additionalData[:]
|
||||||
}
|
} else {
|
||||||
|
|
||||||
if hc.version >= VersionTLS13 {
|
|
||||||
// opaque type
|
// opaque type
|
||||||
payload = payload[:len(payload)+1]
|
payload = payload[:len(payload)+1]
|
||||||
payload[len(payload)-1] = b.data[0]
|
payload[len(payload)-1] = b.data[0]
|
||||||
b.data[0] = byte(recordTypeApplicationData)
|
b.data[0] = byte(recordTypeApplicationData)
|
||||||
|
|
||||||
|
// Add AD header, see 5.2 of RFC8446
|
||||||
|
additionalData = make([]byte, 5)
|
||||||
|
additionalData[0] = byte(recordTypeApplicationData)
|
||||||
|
binary.BigEndian.PutUint16(additionalData[1:], VersionTLS12)
|
||||||
|
binary.BigEndian.PutUint16(additionalData[3:], uint16(payloadLen+overhead))
|
||||||
}
|
}
|
||||||
|
|
||||||
c.Seal(payload[:0], nonce, payload, additionalData)
|
c.Seal(payload[:0], nonce, payload, additionalData)
|
||||||
|
@ -155,8 +155,8 @@ func ExampleConfig_keyLogWriter_TLS13() {
|
|||||||
// preferences.
|
// preferences.
|
||||||
|
|
||||||
// Output:
|
// Output:
|
||||||
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 a829dab06ccbe9323e0ad6cf331cd64d9a499f7f4b1e0b52d0dfaba90c07f275
|
// CLIENT_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 16ca97d21087a14d406b2601b4713dd82b156cc01d54665baaa4bdb62b72b9a4
|
||||||
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 5f6a288b5b5aba5cfc65d9966b279e911ac58bd7f81abbb67b10427106f01940
|
// SERVER_HANDSHAKE_TRAFFIC_SECRET 0000000000000000000000000000000000000000000000000000000000000000 102c68d960da4f5e2b76a99636ac07bb5774e43b8ce8c14aa4dfd9bf54d11754
|
||||||
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 1f202d1c1d43e74a8c4f46a56eae2cef9de417ff9f5f3927195eacc168f459b3
|
// SERVER_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 f3208d533bb885f32f52142acb484eed104739970c2f426e72a1ee31f6d28650
|
||||||
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 67ece7874ec4f661fe1f06fb4240decd25f54062d78f0784844bf222d1967c20
|
// CLIENT_TRAFFIC_SECRET_0 0000000000000000000000000000000000000000000000000000000000000000 70de6b1936df7db171c02f9cfdb04dfa9405a891c959beb15b86f26b2057ba23
|
||||||
}
|
}
|
||||||
|
@ -18,7 +18,7 @@ import (
|
|||||||
// A PEM-encoded "delegation certificate", an X.509 certificate with the
|
// A PEM-encoded "delegation certificate", an X.509 certificate with the
|
||||||
// DelegationUsage extension. The extension is defined in
|
// DelegationUsage extension. The extension is defined in
|
||||||
// specified in https://tools.ietf.org/html/draft-ietf-tls-subcerts-02.
|
// specified in https://tools.ietf.org/html/draft-ietf-tls-subcerts-02.
|
||||||
var dcDelegationCertPEM = `-----BEGIN CERTIFICATE-----
|
const DcCertWithDelegationUsage = `-----BEGIN CERTIFICATE-----
|
||||||
MIIBejCCASGgAwIBAgIQXXtl0v50W2OadoW0QwLUlzAKBggqhkjOPQQDAjAUMRIw
|
MIIBejCCASGgAwIBAgIQXXtl0v50W2OadoW0QwLUlzAKBggqhkjOPQQDAjAUMRIw
|
||||||
EAYDVQQKEwlBY21lIEluYy4wHhcNMTgwNzMwMjAxMTE5WhcNMTgwODA2MjAxMTE5
|
EAYDVQQKEwlBY21lIEluYy4wHhcNMTgwNzMwMjAxMTE5WhcNMTgwODA2MjAxMTE5
|
||||||
WjAUMRIwEAYDVQQKEwlBY21lIEluYy4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
|
WjAUMRIwEAYDVQQKEwlBY21lIEluYy4wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
|
||||||
@ -32,7 +32,7 @@ AQQBgtpLLAQAMAoGCCqGSM49BAMCA0cAMEQCIEMdIkwwmzQAJ6RSDT3wcrsySx2B
|
|||||||
|
|
||||||
// The PEM-encoded "delegation key", the secret key associated with the
|
// The PEM-encoded "delegation key", the secret key associated with the
|
||||||
// delegation certificate. This is a key for ECDSA with P256 and SHA256.
|
// delegation certificate. This is a key for ECDSA with P256 and SHA256.
|
||||||
var dcDelegationKeyPEM = `-----BEGIN EC PRIVATE KEY-----
|
const DcKeyWithDelegationUsage = `-----BEGIN EC PRIVATE KEY-----
|
||||||
MHcCAQEEIAS/pGktmxK1hlt3gF4N2nkMrJnoZihvOO63nnNcxXQroAoGCCqGSM49
|
MHcCAQEEIAS/pGktmxK1hlt3gF4N2nkMrJnoZihvOO63nnNcxXQroAoGCCqGSM49
|
||||||
AwEHoUQDQgAE3ELrmlDSd5KihrOAwXSVXe81s8hgDU+LgTRlZGdnIGg7HRZ8ffXx
|
AwEHoUQDQgAE3ELrmlDSd5KihrOAwXSVXe81s8hgDU+LgTRlZGdnIGg7HRZ8ffXx
|
||||||
om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w==
|
om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w==
|
||||||
@ -40,7 +40,7 @@ om34KFnq/By7fWfkuh7PvGwzwRzYE0fy3w==
|
|||||||
`
|
`
|
||||||
|
|
||||||
// A certificate without the DelegationUsage extension.
|
// A certificate without the DelegationUsage extension.
|
||||||
var dcCertPEM = `-----BEGIN CERTIFICATE-----
|
const DcCertWithoutDelegationUsage = `-----BEGIN CERTIFICATE-----
|
||||||
MIIBajCCAQ+gAwIBAgIRAMUg/VFqJaWWJwZ9iHoMjqIwCgYIKoZIzj0EAwIwEjEQ
|
MIIBajCCAQ+gAwIBAgIRAMUg/VFqJaWWJwZ9iHoMjqIwCgYIKoZIzj0EAwIwEjEQ
|
||||||
MA4GA1UEChMHQWNtZSBDbzAeFw0xODA3MzAyMDExMTlaFw0xOTA3MzAyMDExMTla
|
MA4GA1UEChMHQWNtZSBDbzAeFw0xODA3MzAyMDExMTlaFw0xOTA3MzAyMDExMTla
|
||||||
MBIxEDAOBgNVBAoTB0FjbWUgQ28wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA
|
MBIxEDAOBgNVBAoTB0FjbWUgQ28wWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAATA
|
||||||
@ -52,8 +52,8 @@ KFyrowMTan791RJnyANH/4uYhmvkfhfrFGSTXUli
|
|||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
`
|
`
|
||||||
|
|
||||||
// The secret key associatted with dcCertPEM.
|
// The secret key associatted with DcCertWithoutDelegationUsage.
|
||||||
var dcKeyPEM = `-----BEGIN EC PRIVATE KEY-----
|
const DcKeyWithoutDelegationUsage = `-----BEGIN EC PRIVATE KEY-----
|
||||||
MHcCAQEEIEP82pOhzx0tKkky9t0OmUo9MHgmfdAHxDN2cHmWGqOhoAoGCCqGSM49
|
MHcCAQEEIEP82pOhzx0tKkky9t0OmUo9MHgmfdAHxDN2cHmWGqOhoAoGCCqGSM49
|
||||||
AwEHoUQDQgAEwJ/qHlkr0jR4RLJEkYJJHqwkA6FfzQPq90uQLQjhU+QGC7fMZbUk
|
AwEHoUQDQgAEwJ/qHlkr0jR4RLJEkYJJHqwkA6FfzQPq90uQLQjhU+QGC7fMZbUk
|
||||||
1nqxSP2JWSyHC8ZST0+0/l6QZ30usWgLsQ==
|
1nqxSP2JWSyHC8ZST0+0/l6QZ30usWgLsQ==
|
||||||
@ -75,7 +75,7 @@ type dcTestDC struct {
|
|||||||
// Use with maxVersion == VersionTLS13Draft23.
|
// Use with maxVersion == VersionTLS13Draft23.
|
||||||
//
|
//
|
||||||
// TODO(henrydcase): Remove this when we drop support for draft23.
|
// TODO(henrydcase): Remove this when we drop support for draft23.
|
||||||
var dcTestDataDraft23PEM = `-----BEGIN DC TEST DATA-----
|
const DcTestDataDraft23PEM = `-----BEGIN DC TEST DATA-----
|
||||||
MIIIPDCCAUETCXRsczEzcDI1NgICfxcCAgQDBIGwAAk6gAQDfxcAWzBZMBMGByqG
|
MIIIPDCCAUETCXRsczEzcDI1NgICfxcCAgQDBIGwAAk6gAQDfxcAWzBZMBMGByqG
|
||||||
SM49AgEGCCqGSM49AwEHA0IABDFeK+EcMQWKDM6xZJqHEHLcIWE0iHTAL1xAB5r6
|
SM49AgEGCCqGSM49AwEHA0IABDFeK+EcMQWKDM6xZJqHEHLcIWE0iHTAL1xAB5r6
|
||||||
bkm7GLlz1HLWcTy28PNsb9KQLV3Yeay2WYA2d2zGQjNbEhcEAwBHMEUCIQDnXyP4
|
bkm7GLlz1HLWcTy28PNsb9KQLV3Yeay2WYA2d2zGQjNbEhcEAwBHMEUCIQDnXyP4
|
||||||
@ -126,7 +126,7 @@ AiEiKCRicw1Upfdy+xdSF0N3XXkLHB13criCfJr2rbZ1o8V7CsX6U70o+/48huPI
|
|||||||
// Use with maxVersion == VersionTLS13Draft28.
|
// Use with maxVersion == VersionTLS13Draft28.
|
||||||
//
|
//
|
||||||
// TODO(henrydcase): Remove this when we drop support for draft28.
|
// TODO(henrydcase): Remove this when we drop support for draft28.
|
||||||
var dcTestDataDraft28PEM = `-----BEGIN DC TEST DATA-----
|
const DcTestDataDraft28PEM = `-----BEGIN DC TEST DATA-----
|
||||||
MIIIOjCCAUATCXRsczEzcDI1NgICfxwCAgQDBIGvAAk6gAQDfxwAWzBZMBMGByqG
|
MIIIOjCCAUATCXRsczEzcDI1NgICfxwCAgQDBIGvAAk6gAQDfxwAWzBZMBMGByqG
|
||||||
SM49AgEGCCqGSM49AwEHA0IABAOcQMVs6VmVQ1BYyK+YhUAucZqH3LmDQmAaVDs8
|
SM49AgEGCCqGSM49AwEHA0IABAOcQMVs6VmVQ1BYyK+YhUAucZqH3LmDQmAaVDs8
|
||||||
brnePHVmSdOoQCU+Ybp3kgnklW958EFZiJ2oK7iWkIpi4TIEAwBGMEQCIB8w0eko
|
brnePHVmSdOoQCU+Ybp3kgnklW958EFZiJ2oK7iWkIpi4TIEAwBGMEQCIB8w0eko
|
||||||
@ -175,7 +175,7 @@ x/tlNfATUGmFQGwPug4RyWVux22dGrn81/SsIXJ8hz1eb0s9EKOBbxwhJ//ACg==
|
|||||||
`
|
`
|
||||||
|
|
||||||
// Use with maxVersion == VersionTLS13.
|
// Use with maxVersion == VersionTLS13.
|
||||||
var dcTestDataPEM = `-----BEGIN DC TEST DATA-----
|
const DcTestDataTLS13PEM = `-----BEGIN DC TEST DATA-----
|
||||||
MIIIOzCCAUATCXRsczEzcDI1NgICAwQCAgQDBIGvAAk6gAQDAwQAWzBZMBMGByqG
|
MIIIOzCCAUATCXRsczEzcDI1NgICAwQCAgQDBIGvAAk6gAQDAwQAWzBZMBMGByqG
|
||||||
SM49AgEGCCqGSM49AwEHA0IABFTImzqflLfyu3rqlCVsezSv45fKJglhjDYcwJ3H
|
SM49AgEGCCqGSM49AwEHA0IABFTImzqflLfyu3rqlCVsezSv45fKJglhjDYcwJ3H
|
||||||
ylqX6rFCupeCwKmMhFvxRkkWAOobv2DZxLYALFgggC8KckkEAwBGMEQCIBWO8rFt
|
ylqX6rFCupeCwKmMhFvxRkkWAOobv2DZxLYALFgggC8KckkEAwBGMEQCIBWO8rFt
|
||||||
@ -273,11 +273,11 @@ func init() {
|
|||||||
var testData []byte
|
var testData []byte
|
||||||
switch maxVersion {
|
switch maxVersion {
|
||||||
case VersionTLS13Draft23:
|
case VersionTLS13Draft23:
|
||||||
testData = []byte(dcTestDataDraft23PEM)
|
testData = []byte(DcTestDataDraft23PEM)
|
||||||
case 0x7f00 | 28: // TODO(henrydcase): Fix once draft 28 is implemented
|
case 0x7f00 | 28: // TODO(henrydcase): Fix once draft 28 is implemented
|
||||||
testData = []byte(dcTestDataDraft28PEM)
|
testData = []byte(DcTestDataDraft28PEM)
|
||||||
case 0x0304: // TODO(henrydcase): Fix once the final version is implemented
|
case 0x0304: // TODO(henrydcase): Fix once the final version is implemented
|
||||||
testData = []byte(dcTestDataPEM)
|
testData = []byte(DcTestDataTLS13PEM)
|
||||||
default:
|
default:
|
||||||
panic(fmt.Errorf("no test data for version %04x", maxVersion))
|
panic(fmt.Errorf("no test data for version %04x", maxVersion))
|
||||||
}
|
}
|
||||||
@ -299,7 +299,7 @@ func init() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// The delegation certificate.
|
// The delegation certificate.
|
||||||
dcTestDelegationCert, err = X509KeyPair([]byte(dcDelegationCertPEM), []byte(dcDelegationKeyPEM))
|
dcTestDelegationCert, err = X509KeyPair([]byte(DcCertWithDelegationUsage), []byte(DcKeyWithDelegationUsage))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
@ -309,7 +309,7 @@ func init() {
|
|||||||
}
|
}
|
||||||
|
|
||||||
// A certificate without the the DelegationUsage extension for X.509.
|
// A certificate without the the DelegationUsage extension for X.509.
|
||||||
dcTestCert, err = X509KeyPair([]byte(dcCertPEM), []byte(dcKeyPEM))
|
dcTestCert, err = X509KeyPair([]byte(DcCertWithoutDelegationUsage), []byte(DcKeyWithoutDelegationUsage))
|
||||||
if err != nil {
|
if err != nil {
|
||||||
panic(err)
|
panic(err)
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user