
Side by Side Diff: src/pkg/crypto/tls/common.go

Issue 5448093: crypto/tls: Make TLS Client Authentication work according to the spec (Closed)
Patch Set: diff -r 7ec969250bfc https://go.googlecode.com/hg/ Created 12 years, 2 months ago
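--- a/src/pkg/crypto/tls/common.go
+++ b/src/pkg/crypto/tls/common.go
@@ -1,10 +1,10 @@
 // Copyright 2009 The Go Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style
 // license that can be found in the LICENSE file.
 
 package tls
 
 import (
 	"crypto"
 	"crypto/rand"
 	"crypto/x509"
@@ -104,62 +104,77 @@
 	// ServerName contains the server name indicated by the client, if any.
 	// (Only valid for server connections.)
 	ServerName string
 
 	// the certificate chain that was presented by the other side
 	PeerCertificates []*x509.Certificate
 	// the verified certificate chains built from PeerCertificates.
 	VerifiedChains [][]*x509.Certificate
 }
 
+// ClientAuthType declares the policy the server will follow for
+// TLS Client Authentication.
+type ClientAuthType int
+
+const (
+	NoClientCert ClientAuthType = iota
+	RequestClientCert
+	RequireAnyClientCert
+	VerifyClientCertIfGiven
+	RequireAndVerifyClientCert
+)
+
 // A Config structure is used to configure a TLS client or server. After one
 // has been passed to a TLS function it must not be modified.
 type Config struct {
 	// Rand provides the source of entropy for nonces and RSA blinding.
 	// If Rand is nil, TLS uses the cryptographic random reader in package
 	// crypto/rand.
 	Rand io.Reader
 
 	// Time returns the current time as the number of seconds since the epoc h.
-	// If Time is nil, TLS uses the system time.Seconds.
+	// If Time is nil, TLS uses time.Now.
 	Time func() time.Time
 
 	// Certificates contains one or more certificate chains
 	// to present to the other side of the connection.
 	// Server configurations must include at least one certificate.
 	Certificates []Certificate
 
 	// NameToCertificate maps from a certificate name to an element of
 	// Certificates. Note that a certificate name can be of the form
 	// '*.example.com' and so doesn't have to be a domain name as such.
 	// See Config.BuildNameToCertificate
 	// The nil value causes the first element of Certificates to be used
 	// for all connections.
 	NameToCertificate map[string]*Certificate
 
 	// RootCAs defines the set of root certificate authorities
 	// that clients use when verifying server certificates.
 	// If RootCAs is nil, TLS uses the host's root CA set.
 	RootCAs *x509.CertPool
 
 	// NextProtos is a list of supported, application level protocols.
 	NextProtos []string
 
 	// ServerName is included in the client's handshake to support virtual
 	// hosting.
 	ServerName string
 
-	// AuthenticateClient controls whether a server will request a certifica te
-	// from the client. It does not require that the client send a
-	// certificate nor does it require that the certificate sent be
-	// anything more than self-signed.
-	AuthenticateClient bool
+	// ClientAuth determines the server's policy for
+	// TLS Client Authentication. The default is NoClientCert.
+	ClientAuth ClientAuthType
+
+	// ClientCAs defines the set of root certificate authorities
+	// that servers use if required to verify a client certificate
+	// by the policy in ClientAuth.
+	ClientCAs *x509.CertPool
 
 	// InsecureSkipVerify controls whether a client verifies the
 	// server's certificate chain and host name.
 	// If InsecureSkipVerify is true, TLS accepts any certificate
 	// presented by the server and any host name in that certificate.
 	// In this mode, TLS is susceptible to man-in-the-middle attacks.
 	// This should be used only for testing.
 	InsecureSkipVerify bool
 
 	// CipherSuites is a list of supported cipher suites. If CipherSuites
@@ -252,20 +267,25 @@
 	}
 }
 
 // A Certificate is a chain of one or more certificates, leaf first.
 type Certificate struct {
 	Certificate [][]byte
 	PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey
 	// OCSPStaple contains an optional OCSP response which will be served
 	// to clients that request it.
 	OCSPStaple []byte
+	// ParsedLeaf is the parsed form of the leaf certificate, which may be
+	// initialized by callers using x509.ParseCertificate to reduce
+	// per-handshake processing. If nil, the leaf certificate will
+	// be parsed during each SSL handshake.
+	ParsedLeaf *x509.Certificate
 }
 
 // A TLS record.
 type record struct {
 	contentType recordType
 	major, minor uint8
 	payload []byte
 }
 
 type handshakeMessage interface {
@@ -312,10 +332,10 @@
 	varDefaultRoots *x509.CertPool
 	varDefaultCipherSuites []uint16
 )
 
 func initDefaultCipherSuites() {
 	varDefaultCipherSuites = make([]uint16, len(cipherSuites))
 	for i, suite := range cipherSuites {
 		varDefaultCipherSuites[i] = suite.id
 	}
 }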
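Review bot: The five ClientAuthType constants at new lines 119-123 are exported but carry no doc comments, so the security-relevant distinctions between them (whether a certificate is requested, required, and verified against ClientCAs) are left to be guessed from the names; since the enforcing code lives in the server handshake outside this file, each constant should state its contract explicitly, e.g. `// RequireAnyClientCert demands a client certificate but does not verify it against ClientCAs; the peer is not authenticated beyond possessing a key pair` (wording to be confirmed against the handshake implementation). The ClientCAs comment at new lines 167-169 should also say what a nil pool means under VerifyClientCertIfGiven and RequireAndVerifyClientCert, since a caller who sets a verifying policy but forgets ClientCAs needs to know whether the handshake fails closed or falls back to the host roots. For ParsedLeaf at new lines 277-281, the comment should require that it be the parsed form of Certificate[0], because the handshake presumably trusts the caller-supplied value without cross-checking it against the DER chain it sends. The Config struct begins in this hunk and continues past it.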
