Commit Graph

31 Commits

Author SHA1 Message Date
Brad Fitzpatrick
ada990689f crypto/tls: fix loading keys labeled just "PRIVATE KEY"
Worked in Go 1, broken in f440e65f93fe.

Fixes #4477

R=golang-dev, agl
CC=golang-dev
https://golang.org/cl/6865043
2012-12-01 11:02:08 -08:00
Joel Sing
d7e46146f4 crypto/tls: add support for loading EC X.509 key pairs
Add support for loading X.509 key pairs that consist of a certificate
with an EC public key and its corresponding EC private key.

R=agl
CC=golang-dev
https://golang.org/cl/6776043
2012-11-16 19:33:59 +11:00
Adam Langley
d263b7d38c crypto/tls: allow certificates and key to be in either order.
X509KeyPair wasn't really supposed to allow the certificate and
key to be in the same file, but it did work if you put the key
first. Since some HTTPS servers support loading keys and certs
like this, this change makes it work in either order.

Fixes #3986.

R=golang-dev, dave, rsc
CC=golang-dev
https://golang.org/cl/6499103
2012-09-13 11:00:16 -04:00
Mikkel Krautz
c8b807a37a crypto/x509: new home for root fetchers; build chains using Windows API
This moves the various CA root fetchers from crypto/tls into crypto/x509.

The move was brought about by issue 2997. Windows doesn't ship with all
its root certificates, but will instead download them as-needed when using
CryptoAPI for certificate verification.

This CL changes crypto/x509 to verify a certificate using the system root
CAs when VerifyOptions.RootCAs == nil. On Windows, this verification is
now implemented using Windows's CryptoAPI. All other root fetchers are
unchanged, and still use Go's own verification code.

The CL also fixes the hostname matching logic in crypto/tls/tls.go, in
order to be able to test whether hostname mismatches are honored by the
Windows verification code.

The move to crypto/x509 also allows other packages to use the OS-provided
root certificates, instead of hiding them inside the crypto/tls package.

Fixes #2997.

R=agl, golang-dev, alex.brainman, rsc, mikkel
CC=golang-dev
https://golang.org/cl/5700087
2012-03-07 13:12:35 -05:00
Adam Langley
4c6dfb2f88 crypto/tls: make the package description more accurate and less aspirational.
Fixes #3216.

R=golang-dev, bradfitz
CC=golang-dev
https://golang.org/cl/5755056
2012-03-06 12:49:29 -05:00
Adam Langley
afe534d19b crypto/...: changes to address some of bug 2841.
This change addresses a subset of the issues raised in bug 2841.

R=rsc
CC=golang-dev
https://golang.org/cl/5629044
2012-02-03 15:08:53 -05:00
Jeff R. Allen
5fa105421a crypto/tls: Improve TLS Client Authentication
Fix incorrect marshal/unmarshal of certificateRequest.
Add support for configuring client-auth on the server side.
Fix the certificate selection in the client side.
Update generate_cert.go to new time package

Fixes #2521.

R=krautz, agl, bradfitz
CC=golang-dev, mikkel
https://golang.org/cl/5448093
2012-01-05 12:05:38 -05:00
Adam Langley
82f6e24f53 crypto/x509, crypto/tls: support PKCS#8 private keys.
OpenSSL 1.0.0 has switched to generating PKCS#8 format private keys by
default. This change allows http.ListenAndServeTLS to work with either
types of keys.

See http://groups.google.com/group/golang-nuts/browse_thread/thread/84715b5f0c9e3c30/63a8a27b53e102a6

R=bradfitz
CC=golang-dev
https://golang.org/cl/5416059
2011-11-21 14:18:42 -05:00
Russ Cox
107fb7400c src/pkg/[a-m]*: gofix -r error -force=error
R=golang-dev, iant
CC=golang-dev
https://golang.org/cl/5322051
2011-11-01 22:04:37 -04:00
Robert Griesemer
a5b2e93aa2 os.Error API: don't export os.ErrorString, use os.NewError consistently
This is a core API change.

1) gofix misc src
2) Manual adjustments to the following files under src/pkg:
   gob/decode.go
   rpc/client.go
   os/error.go
   io/io.go
   bufio/bufio.go
   http/request.go
   websocket/client.go
as well as:
   src/cmd/gofix/testdata/*.go.in (reverted)
   test/fixedbugs/bug243.go
3) Implemented gofix patch (oserrorstring.go) and test case (oserrorstring_test.go)

Compiles and runs all tests.

R=r, rsc, gri
CC=golang-dev
https://golang.org/cl/4607052
2011-06-22 10:52:47 -07:00
Adam Langley
5a4918e635 crypto: reorg, cleanup and add function for generating CRLs.
This change moves a number of common PKIX structures into
crypto/x509/pkix, from where x509, and ocsp can reference
them, saving duplication. It also removes x509/crl and merges it into
x509 and x509/pkix.

x509 is changed to take advantage of the big.Int support that now
exists in asn1. Because of this, the public/private key pair in
http/httptest/server.go had to be updated because it was serialised
with an old version of the code that didn't zero pad ASN.1 INTEGERs.

R=bradfitz, rsc
CC=golang-dev
https://golang.org/cl/4532115
2011-06-06 10:35:46 -04:00
Nigel Tao
5a11e9ba00 src/pkg: make package doc comments consistently start with "Package foo".
R=rsc
CC=golang-dev
https://golang.org/cl/4442064
2011-04-20 09:57:05 +10:00
Brad Fitzpatrick
1721e53cdf httptest: add NewTLSServer
Enables the use of https servers in tests.

R=agl, rsc, agl1
CC=golang-dev
https://golang.org/cl/4284063
2011-04-04 08:32:59 -07:00
Russ Cox
9fe949aa97 net: drop laddr from Dial, cname from LookupHost; new functions
Drop laddr argument from Dial.

Drop cname return from LookupHost.

Add LookupIP, LookupCNAME, ParseCIDR, IP.Equal.
Export SplitHostPort, JoinHostPort.
Add AAAA (IPv6) support to host lookups.

Preparations for implementing some of the
lookups using cgo.

ParseCIDR and IP.Equal are logically new in this CL
but accidentally snuck into an earlier CL about unused
labels that was in the same client.

In crypto/tls, drop laddr from Dial to match net.

R=golang-dev, dsymonds, adg, rh
CC=golang-dev
https://golang.org/cl/4244055
2011-03-28 23:28:42 -04:00
Adam Langley
1abb987e07 crypto/tls: load a chain of certificates from a file.
Many recently issued certificates are chained: there's one or more
intermediate certificates between the host certificate and the root CA
certificate. This change causes the code to load any number of
certificates from the certificate file. This matches the behaviour of
common webservers, and the output of OpenSSL's command line tools.

R=golang-dev, r2
CC=golang-dev
https://golang.org/cl/4119057
2011-02-05 13:54:25 -05:00
Russ Cox
f98d01fb7e crypto/tls: add *Config argument to Dial
Document undocumented exported names.
Allow nil Rand, Time, RootCAs in Config.

Fixes #1248.

R=agl1
CC=golang-dev
https://golang.org/cl/3481042
2010-12-07 16:15:15 -05:00
Adam Langley
93eb884c98 crypto/tls: use pool building for certificate checking
Previously we checked the certificate chain from the leaf
upwards and expected to jump from the last cert in the chain to
a root certificate.

Although technically correct, there are a number of sites with
problems including out-of-order certs, superfluous certs and
missing certs.

The last of these requires AIA chasing, which is a lot of
complexity. However, we can address the more common cases by
using a pool building algorithm, as browsers do.

We build a pool of root certificates and a pool from the
server's chain. We then try to build a path to a root
certificate, using either of these pools.

This differs from the behaviour of, say, Firefox in that Firefox
will accumulate intermedite certificate in a persistent pool in
the hope that it can use them to fill in gaps in future chains.

We don't do that because it leads to confusing errors which only
occur based on the order to sites visited.

This change also enabled SNI for tls.Dial so that sites will return
the correct certificate chain.

R=rsc
CC=golang-dev
https://golang.org/cl/2916041
2010-11-05 09:54:56 -04:00
Adam Langley
dd9f217e6a crypto/tls: better error messages for certificate issues.
Fixes #1146.

R=rsc, agl1
CC=golang-dev
https://golang.org/cl/2380042
2010-10-11 10:39:56 -04:00
Adam Langley
ed8da7bff6 Fix certificate validation.
asn1: add support for T61String because this is the string type which
    several www.google.com certificates are now using for fields like
    CommonName
tls: force a handshake in Dial so that certificates are ready
    afterwards.

Fixes #1114.

R=rsc
CC=golang-dev
https://golang.org/cl/2216043
2010-09-20 10:32:08 -04:00
Adam Langley
08ec2a8e44 http, crypto/tls: followup fixes from 1684051.
(TBR because this is just addressing previous review comments.)

R=r
CC=golang-dev
https://golang.org/cl/1697048
2010-07-02 16:43:48 -04:00
Adam Langley
7b22e867e7 crypto/tls, http: Make HTTPS servers easier.
R=r, adg, rsc
CC=golang-dev
https://golang.org/cl/1684051
2010-07-02 13:00:18 -04:00
Russ Cox
751062bb0e crypto/tls: simpler implementation of record layer
Depends on CL 957045, 980043, 1004043.
Fixes #715.

R=agl1, agl
CC=golang-dev
https://golang.org/cl/943043
2010-04-26 22:19:04 -07:00
Russ Cox
91a07280c8 crypto/tls: good defaults
R=agl1
CC=golang-dev
https://golang.org/cl/851041
2010-04-05 14:38:02 -07:00
Adam Langley
016dd4b5cb crypto/tls: make Listener a pointer.
Listener contains private members and 6g now enforces that private
members cannot be assigned outside of their package.

R=rsc
CC=golang-dev
https://golang.org/cl/183073
2009-12-28 11:40:01 -08:00
Robert Griesemer
536df07f72 1) Change default gofmt default settings for
parsing and printing to new syntax.

                  Use -oldparser to parse the old syntax,
                  use -oldprinter to print the old syntax.

               2) Change default gofmt formatting settings
                  to use tabs for indentation only and to use
                  spaces for alignment. This will make the code
                  alignment insensitive to an editor's tabwidth.

                  Use -spaces=false to use tabs for alignment.

               3) Manually changed src/exp/parser/parser_test.go
                  so that it doesn't try to parse the parser's
                  source files using the old syntax (they have
                  new syntax now).

               4) gofmt -w src misc test/bench

	       1st set of files.

R=rsc
CC=agl, golang-dev, iant, ken2, r
https://golang.org/cl/180047
2009-12-15 15:33:31 -08:00
Adam Langley
79f2a55aea crypto/tls: add initial client implementation.
R=rsc, agl
CC=golang-dev
https://golang.org/cl/157076
2009-11-21 15:53:03 -08:00
Russ Cox
4625777977 gofmt -r 'α[β:len(α)] -> α[β:]' -w src/cmd src/pkg
R=r, gri
CC=golang-dev
https://golang.org/cl/156115
2009-11-20 11:45:05 -08:00
Rob Pike
a1e7e65e2d remove bytes.Copy
replace all calls with calls to copy
use copy in regexp and bytes.Buffer

R=rsc
CC=golang-dev
https://golang.org/cl/157073
2009-11-18 15:24:24 -08:00
Robert Griesemer
395b73f134 remove semis after statements in one-statement statement lists
R=rsc, r
http://go/go-review/1025029
2009-11-09 12:07:39 -08:00
Robert Griesemer
372b6eb4c5 - fine-tuning of one-line func heuristic (nodes.go)
- enabled for function declarations (not just function literals)
- applied gofmt -w $GOROOT/src
(look for instance at src/pkg/debug/elf/elf.go)

R=r, rsc
CC=go-dev
http://go/go-review/1026006
2009-11-06 14:24:38 -08:00
Adam Langley
9c63ad9791 crypto/tls (part 4/5)
R=rsc
CC=go-dev
http://go/go-review/1019002
2009-11-05 16:43:29 -08:00