
crypto/tls: add CertificateVerificationError to tls handshake #56686

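--- a/api/next/48152.txt
+++ b/api/next/48152.txt
@@ -0,0 +1,5 @@
+pkg crypto/tls, type CertificateVerificationError struct #48152
+pkg crypto/tls, type CertificateVerificationError, UnverifiedCertificates []*x509.Certificate #48152
+pkg crypto/tls, type CertificateVerificationError, Err error #48152
+pkg crypto/tls, method (*CertificateVerificationError) Error() string #48152
+pkg crypto/tls, method (*CertificateVerificationError) Unwrap() error #48152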
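--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -1493,3 +1493,18 @@ func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlg
 }
 return false
 }
+
+// CertificateVerificationError is returned when certificate verification fails during the handshake.
+type CertificateVerificationError struct {
+// UnverifiedCertificates and its contents should not be modified.
+UnverifiedCertificates []*x509.Certificate
+Err error
+}
+
+func (e *CertificateVerificationError) Error() string {
+return fmt.Sprintf("tls: failed to verify certificate: %s", e.Err)
+}
+
+func (e *CertificateVerificationError) Unwrap() error {
+return e.Err
+}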
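Review bot: The field comment on UnverifiedCertificates says only that it must not be modified; the security-relevant fact a caller needs is that this is the chain the peer sent, as received and before any verification, so code that inspects it (logging, pinning diagnostics) must not treat it as trusted or base a trust decision on it. I would extend the comment to `// UnverifiedCertificates is the chain presented by the peer, exactly as received and before verification; it must not be treated as trusted, and neither the slice nor its contents should be modified.` The exported Error and Unwrap methods also lack doc comments; `// Error implements the error interface.` and `// Unwrap returns the underlying x509 verification error so errors.Is and errors.As can reach it.` would do. Error formats e.Err with %s, which prints `%!s(<nil>)` if a caller outside this package constructs the value with a nil Err; since the type is exported, either document that Err must be non-nil or guard that case.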
2 changes: 1 addition & 1 deletion src/crypto/tls/handshake_client.go
Expand Up @@ -876,7 +876,7 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
c.verifiedChains, err = certs[0].Verify(opts)
if err != nil {
c.sendAlert(alertBadCertificate)
return err
return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
}
}

2 changes: 1 addition & 1 deletion src/crypto/tls/handshake_server.go
Expand Up @@ -831,7 +831,7 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
chains, err := certs[0].Verify(opts)
if err != nil {
c.sendAlert(alertBadCertificate)
return errors.New("tls: failed to verify client certificate: " + err.Error())
return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
}

c.verifiedChains = chains
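Review bot: The replaced return drops the "client certificate" wording the old message carried, so a server's log line now reads `tls: failed to verify certificate: ...` whether it came from a client rejecting a server chain or from this server rejecting a client chain, which makes client-auth failures harder to pick out in shared logs. If that distinction matters it cannot be restored on this line alone, because the text now comes from the shared Error method; at minimum the type's doc comment should state that the error is returned on both sides of the handshake, and a per-side hint in the message is worth considering. The wrapped x509 error is unchanged and remains reachable through Unwrap with errors.As. processCertsFromClient continues outside the hunk.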
2 changes: 1 addition & 1 deletion src/net/http/transport_test.go
Expand Up @@ -4818,7 +4818,7 @@ func testTransportEventTraceTLSVerify(t *testing.T, mode testMode) {

wantOnce("TLSHandshakeStart")
wantOnce("TLSHandshakeDone")
wantOnce("err = x509: certificate is valid for example.com")
wantOnce("err = tls: failed to verify certificate: x509: certificate is valid for example.com")

if t.Failed() {
t.Errorf("Output:\n%s", got)