Commit Graph

23 Commits

Author SHA1 Message Date
Christopher Patton
84fe9084cd Implement the delegated_credential extension for TLS
This complies with the standard, currently an Internet draft:
https://tlswg.github.io/tls-subcerts/draft-ietf-tls-subcerts.html

It also adds a minimal interface for generating new delegated
credentials.
2018-07-03 09:57:54 -07:00
d3da622def
Revert "Use go 1.10 and aligns with current state of TLS in go/crypto/tls" (#77)
Temporarily reverts update to go1.10
2018-03-21 14:27:31 +00:00
Kevin Burke
137239b5b7 crypto/tls: handle errors in generate_cert.go
I don't expect these to hit often, but we should still alert users if
we fail to write the correct data to the file, or fail to close it.

Change-Id: I33774e94108f7f18ed655ade8cca229b1993d4d2
Reviewed-on: https://go-review.googlesource.com/91456
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2018-03-13 08:38:50 +00:00
Kevin Burke
20de5509db crypto/tls: recommend P256 elliptic curve
Users (like myself) may be tempted to think the higher-numbered curve
is somehow better or more secure, but P256 is currently the best
ECDSA implementation, due to its better support in TLS clients, and a
constant time implementation.

For example, sites that present a certificate signed with P521
currently fail to load in Chrome stable, and the error on the Go side
says simply "remote error: tls: illegal parameter".

Fixes #19901.

Change-Id: Ia5e689e7027ec423624627420e33029c56f0bd82
Reviewed-on: https://go-review.googlesource.com/40211
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>
2017-04-10 17:40:01 +00:00
Asim Shankar
cf213d5c40 crypto/tls: Support ECDSA keys in generate_cert.go
R=golang-codereviews, bradfitz, agl
CC=golang-codereviews
https://golang.org/cl/117180043
2014-07-28 14:46:34 -07:00
Adam Langley
cb66b63918 encoding/asn1: use GeneralizedTime for times outside the range of UTCTime.
Fixes issue #6976.

LGTM=r
R=golang-codereviews, r
CC=golang-codereviews
https://golang.org/cl/72080044
2014-03-21 11:14:38 -04:00
Adam Langley
75982d4f0c crypto/tls: generate random serial numbers.
NSS (used in Firefox and Chrome) won't accept two certificates with the same
issuer and serial. But this causes problems with self-signed certificates
with a fixed serial number.

This change randomises the serial numbers in the certificates generated by
generate_cert.go.

R=golang-dev, r
CC=golang-dev
https://golang.org/cl/38290044
2013-12-15 12:57:57 -05:00
Frithjof Schulze
0084d30351 crypto/tls: Change TLS version to 1.1 in the package comment.
Also use 2048-bit RSA keys as default in generate_cert.go,
as recommended by the NIST.

R=golang-dev, rsc, bradfitz
CC=golang-dev
https://golang.org/cl/10676043
2013-06-27 11:23:55 -07:00
Adam Langley
b9ddc2767a crypto/x509: support IP SANs.
Subject Alternative Names in X.509 certificates may include IP
addresses. This change adds support for marshaling, unmarshaling and
verifying this form of SAN.

It also causes IP addresses to only be checked against IP SANs,
rather than against hostnames as was previously the case. This
reflects RFC 6125.

Fixes #4658.

R=golang-dev, mikioh.mikioh, bradfitz
CC=golang-dev
https://golang.org/cl/7336046
2013-02-15 10:40:17 -05:00
Russ Cox
7b88ead8c8 cmd/go: a raft of fixes
* add -work option to save temporary files (Fixes issue 2980)
* fix go test -i to work with cgo packages (Fixes issue 2936)
* do not overwrite/remove empty directories or non-object
  files during build (Fixes issue 2829)
* remove package main vs package non-main heuristic:
  a directory must contain only one package (Fixes issue 2864)
* to make last item workable, ignore +build tags for files
  named on command line: go build x.go builds x.go even
  if it says // +build ignore.
* add // +build ignore tags to helper programs

R=golang-dev, r, r
CC=golang-dev
https://golang.org/cl/5674043
2012-02-14 16:39:20 -05:00
Adam Langley
9e8d625b7c crypto/tls: update generate_cert.go for new time package
Fixes #2635.

R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/5512043
2012-01-04 14:56:16 -05:00
Rob Pike
1530d25d4f renaming_2: gofix -r go1pkgrename src/pkg/[a-l]*
R=rsc
CC=golang-dev
https://golang.org/cl/5358041
2011-11-08 15:40:58 -08:00
Russ Cox
4fa24e9f66 all: sort imports
R=golang-dev, r
CC=golang-dev
https://golang.org/cl/5319072
2011-11-02 15:54:16 -04:00
Adam Langley
9c8b32c2d6 crypto/tls: fix generate_cert.go
Fixes #2030.

R=golang-dev, gri
CC=golang-dev
https://golang.org/cl/4635092
2011-07-06 16:22:21 -04:00
Rob Pike
1b7f4ea6c3 crypto/tls/generate_cert.go: fix misspelling of O_CREATE.
Fixes #1888.

R=ken
CC=golang-dev
https://golang.org/cl/4515148
2011-05-27 21:06:50 +10:00
Russ Cox
32d22d1fb1 gofix: don't rewrite O_APPEND opens
R=r, rog
CC=golang-dev
https://golang.org/cl/4364041
2011-04-05 11:12:02 -04:00
Rob Pike
abbbdb168d os: New Open API.
We replace the current Open with:
OpenFile(name, flag, perm) // same as old Open
Open(name) // same as old Open(name, O_RDONLY, 0)
Create(name) // same as old Open(name, O_RDWR|O_TRUNC|O_CREAT, 0666)

This CL includes a gofix module and full code updates: all.bash passes.
(There may be a few comments I missed.)

The interesting packages are:
        gofix
        os
Everything else is automatically generated except for hand tweaks to:
        src/pkg/io/ioutil/ioutil.go
        src/pkg/io/ioutil/tempfile.go
        src/pkg/crypto/tls/generate_cert.go
        src/cmd/goyacc/goyacc.go
        src/cmd/goyacc/units.y

R=golang-dev, bradfitzwork, rsc, r2
CC=golang-dev
https://golang.org/cl/4357052
2011-04-04 23:42:14 -07:00
Dave Cheney
a39229ebc1 crypto/tls: fix compile error
Fixes #1555.

R=rsc, bradfitzgo
CC=golang-dev
https://golang.org/cl/4284047
2011-03-12 19:35:41 -08:00
Anthony Martin
368c7fa03e crypto/tls: use rand.Reader in cert generation example
R=rsc, agl1
CC=golang-dev
https://golang.org/cl/3536043
2010-12-14 12:22:28 -05:00
Christian Himpel
24b6f5d63e crypto/tls: fix build of certificate generation example
R=agl1, rsc
CC=golang-dev
https://golang.org/cl/3366041
2010-12-07 16:14:55 -05:00
Rob Pike
feb7be32ae log: new interface
New logging interface simplifies and generalizes.

1) Loggers now have only one output.
2) log.Stdout, Stderr, Crash and friends are gone.
	Logging is now always to standard error by default.
3) log.Panic* replaces log.Crash*.
4) Exiting and panicking are not part of the logger's state; instead
	the functions Exit* and Panic* simply call Exit or panic after
	printing.
5) There is now one 'standard logger'.  Instead of calling Stderr,
	use Print etc.  There are now triples, by analogy with fmt:
		Print, Println, Printf
	What was log.Stderr is now best represented by log.Println,
	since there are now separate Print and Println functions
	(and methods).
6) New functions SetOutput, SetFlags, and SetPrefix allow global
	editing of the standard logger's properties.   This is new
	functionality. For instance, one can call
		log.SetFlags(log.Lshortfile|log.Ltime|log.Lmicroseconds)
	to get all logging output to show file name, line number, and
	time stamp.

In short, for most purposes
	log.Stderr -> log.Println or log.Print
	log.Stderrf -> log.Printf
	log.Crash -> log.Panicln or log.Panic
	log.Crashf -> log.Panicf
	log.Exit -> log.Exitln or log.Exit
	log.Exitf -> log.Exitf (no change)

This has a slight breakage: since loggers now write only to one
output, existing calls to log.New() need to delete the second argument.
Also, custom loggers with exit or panic properties will need to be
reworked.

All package code updated to new interface.

The test has been reworked somewhat.

The old interface will be removed after the new release.
For now, its elements are marked 'deprecated' in their comments.

Fixes #1184.

R=rsc
CC=golang-dev
https://golang.org/cl/2419042
2010-10-12 12:59:18 -07:00
Adam Langley
08ec2a8e44 http, crypto/tls: followup fixes from 1684051.
(TBR because this is just addressing previous review comments.)

R=r
CC=golang-dev
https://golang.org/cl/1697048
2010-07-02 16:43:48 -04:00
Adam Langley
7b22e867e7 crypto/tls, http: Make HTTPS servers easier.
R=r, adg, rsc
CC=golang-dev
https://golang.org/cl/1684051
2010-07-02 13:00:18 -04:00