| author | Ondřej Surý <ondrej@sury.org> | 2011-04-28 10:35:15 +0200 | 
|---|---|---|
| committer | Ondřej Surý <ondrej@sury.org> | 2011-04-28 10:35:15 +0200 | 
| commit | c1ba1a0fec4aed430709030f98a3bdb90bfeea16 (patch) | |
| tree | 3df18657e50a0313ed6defcda30e4474cb28a467 /src/pkg/crypto/tls/handshake_client.go | |
| parent | 7b15ed9ef455b6b66c6b376898a88aef5d6a9970 (diff) | |
| download | golang-c1ba1a0fec4aed430709030f98a3bdb90bfeea16.tar.gz | |
Imported Upstream version 2011.04.27 upstream/2011.04.27
Diffstat (limited to 'src/pkg/crypto/tls/handshake_client.go')
| -rw-r--r-- | src/pkg/crypto/tls/handshake_client.go | 49 | 
1 files changed, 15 insertions, 34 deletions
|
diff --git a/src/pkg/crypto/tls/handshake_client.go b/src/pkg/crypto/tls/handshake_client.go
index 540b25c87..c758c96d4 100644
--- a/src/pkg/crypto/tls/handshake_client.go
+++ b/src/pkg/crypto/tls/handshake_client.go
@@ -88,7 +88,6 @@ func (c *Conn) clientHandshake() os.Error {
 	finishedHash.Write(certMsg.marshal())
 	certs := make([]*x509.Certificate, len(certMsg.certificates))
-	chain := NewCASet()
 	for i, asn1Data := range certMsg.certificates {
 		cert, err := x509.ParseCertificate(asn1Data)
 		if err != nil {
@@ -96,47 +95,29 @@ func (c *Conn) clientHandshake() os.Error {
 			return os.ErrorString("failed to parse certificate from server: " + err.String())
 		}
 		certs[i] = cert
-		chain.AddCert(cert)
 	}
 	// If we don't have a root CA set configured then anything is accepted.
 	// TODO(rsc): Find certificates for OS X 10.6.
-	for cur := certs[0]; c.config.RootCAs != nil; {
-		parent := c.config.RootCAs.FindVerifiedParent(cur)
-		if parent != nil {
-			break
+	if c.config.RootCAs != nil {
+		opts := x509.VerifyOptions{
+			Roots:         c.config.RootCAs,
+			CurrentTime:   c.config.time(),
+			DNSName:       c.config.ServerName,
+			Intermediates: x509.NewCertPool(),
 		}
-		parent = chain.FindVerifiedParent(cur)
-		if parent == nil {
-			c.sendAlert(alertBadCertificate)
-			return os.ErrorString("could not find root certificate for chain")
+		for i, cert := range certs {
+			if i == 0 {
+				continue
+			}
+			opts.Intermediates.AddCert(cert)
 		}
-
-		if !parent.BasicConstraintsValid || !parent.IsCA {
+		c.verifiedChains, err = certs[0].Verify(opts)
+		if err != nil {
 			c.sendAlert(alertBadCertificate)
-			return os.ErrorString("intermediate certificate does not have CA bit set")
+			return err
 		}
-		// KeyUsage status flags are ignored. From Engineering
-		// Security, Peter Gutmann: A European government CA marked its
-		// signing certificates as being valid for encryption only, but
-		// no-one noticed. Another European CA marked its signature
-		// keys as not being valid for signatures. A different CA
-		// marked its own trusted root certificate as being invalid for
-		// certificate signing.  Another national CA distributed a
-		// certificate to be used to encrypt data for the country’s tax
-		// authority that was marked as only being usable for digital
-		// signatures but not for encryption. Yet another CA reversed
-		// the order of the bit flags in the keyUsage due to confusion
-		// over encoding endianness, essentially setting a random
-		// keyUsage in certificates that it issued. Another CA created
-		// a self-invalidating certificate by adding a certificate
-		// policy statement stipulating that the certificate had to be
-		// used strictly as specified in the keyUsage, and a keyUsage
-		// containing a flag indicating that the RSA encryption key
-		// could only be used for Diffie-Hellman key agreement.
-
-		cur = parent
 	}
 	if _, ok := certs[0].PublicKey.(*rsa.PublicKey); !ok {
@@ -145,7 +126,7 @@ func (c *Conn) clientHandshake() os.Error {
 	c.peerCertificates = certs
-	if serverHello.certStatus {
+	if serverHello.ocspStapling {
 		msg, err = c.readHandshake()
 		if err != nil {
 			return err
|
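Review bot: In the second hunk the whole verification step, including the new `DNSName` hostname check, still sits inside `if c.config.RootCAs != nil`, so a client configured without a root pool accepts any server certificate and never compares it against `ServerName`. That fail-open default is easy to reach by accident; it would be safer as an explicit opt-out on the config than as a side effect of a nil pool, and at minimum the comment should say so: `// With no RootCAs configured, neither the chain nor the server name is verified.`. Separately, `DNSName` is copied straight from `c.config.ServerName`; if `Verify` skips name matching for an empty string (its body is not shown here), a caller who sets roots but no server name gets chain validation without hostname binding, so an empty `ServerName` probably deserves an error in this branch. The removed loop's explicit `BasicConstraintsValid`/`IsCA` test on intermediates is now delegated to `Verify` as well, which is worth confirming with a test that presents a non-CA intermediate. clientHandshake starts and ends outside the hunk, so any guard against an empty certificate list before `certs[0]` is not visible here.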
