1
0
mirror of https://github.com/golang/go synced 2024-11-26 06:17:57 -07:00

crypto/tls: add CertificateVerificationError to tls handshake

Fixes #48152

Change-Id: I503f088edeb5574fd5eb5905bff7c3c23b2bc8fc
GitHub-Last-Rev: 2b0e982f3f
GitHub-Pull-Request: golang/go#56686
Reviewed-on: https://go-review.googlesource.com/c/go/+/449336
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This commit is contained in:
Gabor Tanz 2022-11-18 07:59:03 +00:00 committed by Gopher Robot
parent fd00c14bf1
commit f64c2a2ce5
5 changed files with 23 additions and 3 deletions

5
api/next/48152.txt Normal file
View File

@ -0,0 +1,5 @@
pkg crypto/tls, type CertificateVerificationError struct #48152
pkg crypto/tls, type CertificateVerificationError struct, UnverifiedCertificates []*x509.Certificate #48152
pkg crypto/tls, type CertificateVerificationError struct, Err error #48152
pkg crypto/tls, method (*CertificateVerificationError) Error() string #48152
pkg crypto/tls, method (*CertificateVerificationError) Unwrap() error #48152

View File

@ -1493,3 +1493,18 @@ func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlg
}
return false
}
// CertificateVerificationError is returned when certificate verification fails during the handshake.
type CertificateVerificationError struct {
// UnverifiedCertificates and its contents should not be modified.
UnverifiedCertificates []*x509.Certificate
Err error
}
func (e *CertificateVerificationError) Error() string {
return fmt.Sprintf("tls: failed to verify certificate: %s", e.Err)
}
func (e *CertificateVerificationError) Unwrap() error {
return e.Err
}

View File

@ -876,7 +876,7 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
c.verifiedChains, err = certs[0].Verify(opts)
if err != nil {
c.sendAlert(alertBadCertificate)
return err
return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
}
}

View File

@ -831,7 +831,7 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
chains, err := certs[0].Verify(opts)
if err != nil {
c.sendAlert(alertBadCertificate)
return errors.New("tls: failed to verify client certificate: " + err.Error())
return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
}
c.verifiedChains = chains

View File

@ -4818,7 +4818,7 @@ func testTransportEventTraceTLSVerify(t *testing.T, mode testMode) {
wantOnce("TLSHandshakeStart")
wantOnce("TLSHandshakeDone")
wantOnce("err = x509: certificate is valid for example.com")
wantOnce("err = tls: failed to verify certificate: x509: certificate is valid for example.com")
if t.Failed() {
t.Errorf("Output:\n%s", got)