
crypto/tls: add CertificateVerificationError to tls handshake

Fixes #48152

Change-Id: I503f088edeb5574fd5eb5905bff7c3c23b2bc8fc
GitHub-Last-Rev: 2b0e982f3f
GitHub-Pull-Request: golang/go#56686
Reviewed-on: https://go-review.googlesource.com/c/go/+/449336
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Gabor Tanz 2022-11-18 07:59:03 +00:00 committed by Gopher Robot
parent fd00c14bf1
commit f64c2a2ce5
5 changed files with 23 additions and 3 deletions

api/next/48152.txt Normal file

@ -0,0 +1,5 @@
pkg crypto/tls, type CertificateVerificationError struct #48152
pkg crypto/tls, type CertificateVerificationError struct, UnverifiedCertificates []*x509.Certificate #48152
pkg crypto/tls, type CertificateVerificationError struct, Err error #48152
pkg crypto/tls, method (*CertificateVerificationError) Error() string #48152
pkg crypto/tls, method (*CertificateVerificationError) Unwrap() error #48152


@ -1493,3 +1493,18 @@ func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlg
} }
return false return false
} }
// CertificateVerificationError is returned when certificate verification fails during the handshake.
type CertificateVerificationError struct {
// UnverifiedCertificates and its contents should not be modified.
UnverifiedCertificates []*x509.Certificate
Err error
}
func (e *CertificateVerificationError) Error() string {
return fmt.Sprintf("tls: failed to verify certificate: %s", e.Err)
}
func (e *CertificateVerificationError) Unwrap() error {
return e.Err
}
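Review bot: `Err` is an exported field with no doc comment, and the type comment does not say what `UnverifiedCertificates` actually holds; both call sites in this commit (`verifyServerCertificate` and `processCertsFromClient`) pass the peer's parsed chain `certs`, so the field is the chain exactly as the peer presented it, which failed verification and must not be treated as trusted by anything that later inspects it (logging subjects or SANs, pinning logic, metrics). Suggest `// Err is the underlying verification error.` on `Err`, and on the slice `// UnverifiedCertificates is the certificate chain presented by the peer; it failed verification and must not be trusted. Its contents should not be modified.`. Minor: `Error()` formats `e.Err` with `%s`, so a value constructed with a nil `Err` renders as `%!s(<nil>)`; either a nil guard in `Error()` or a doc note that `Err` is always non-nil would make the contract explicit.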


@ -876,7 +876,7 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
c.verifiedChains, err = certs[0].Verify(opts) c.verifiedChains, err = certs[0].Verify(opts)
if err != nil { if err != nil {
c.sendAlert(alertBadCertificate) c.sendAlert(alertBadCertificate)
return err return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
} }
} }
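Review bot: Wrapping the x509 error here changes the `Error()` text that existing callers observe (the net/http test in this commit had to be updated from `err = x509: …` to `err = tls: failed to verify certificate: x509: …`), so code that matched on the error string will stop matching while `errors.As`/`errors.Is` keep working through `Unwrap`. That migration hint belongs in the doc comment of `CertificateVerificationError`, e.g. `// Callers should use errors.As to detect it rather than comparing error strings.`. Note also that only the chain-verification failure is wrapped at this site; if other failure paths in `verifyServerCertificate` (outside the hunk, e.g. user-supplied verification callbacks) return their errors unchanged, the type's doc should say it is returned specifically for x509 chain verification failures so callers do not assume every handshake certificate error has this type. `verifyServerCertificate` begins and ends outside the hunk.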


@ -831,7 +831,7 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
chains, err := certs[0].Verify(opts) chains, err := certs[0].Verify(opts)
if err != nil { if err != nil {
c.sendAlert(alertBadCertificate) c.sendAlert(alertBadCertificate)
return errors.New("tls: failed to verify client certificate: " + err.Error()) return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
} }
c.verifiedChains = chains c.verifiedChains = chains
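Review bot: The server-side diagnostic loses the "client certificate" qualifier: the removed line produced `tls: failed to verify client certificate: …`, while the shared `Error()` now yields `tls: failed to verify certificate: …` on both sides, so an operator reading a server log can no longer tell from the message whether the peer's or its own chain failed. If that distinction matters, the type's doc comment should state that the message is identical for client and server certificate failures, or this site could add context around the typed error (wrapping with `%w` keeps `errors.As` working). `processCertsFromClient` begins and ends outside the hunk.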


@ -4818,7 +4818,7 @@ func testTransportEventTraceTLSVerify(t *testing.T, mode testMode) {
wantOnce("TLSHandshakeStart") wantOnce("TLSHandshakeStart")
wantOnce("TLSHandshakeDone") wantOnce("TLSHandshakeDone")
wantOnce("err = x509: certificate is valid for example.com") wantOnce("err = tls: failed to verify certificate: x509: certificate is valid for example.com")
if t.Failed() { if t.Failed() {
t.Errorf("Output:\n%s", got) t.Errorf("Output:\n%s", got)