Fix certificate validation.
authorAdam Langley <agl@golang.org>
Mon, 20 Sep 2010 14:32:08 +0000 (10:32 -0400)
committerAdam Langley <agl@golang.org>
Mon, 20 Sep 2010 14:32:08 +0000 (10:32 -0400)
asn1: add support for T61String because this is the string type which
    several www.google.com certificates are now using for fields like
    CommonName
tls: force a handshake in Dial so that certificates are ready
    afterwards.

Fixes #1114.

R=rsc
CC=golang-dev
https://golang.org/cl/2216043

src/pkg/asn1/asn1.go
src/pkg/asn1/common.go
src/pkg/crypto/tls/conn.go
src/pkg/crypto/tls/tls.go

index 3e3bb105b6f505a2e1fb27d0d220f200367e9a31..cd23fd76455caeec67589068651ef8e129c95a5a 100644 (file)
@@ -290,6 +290,14 @@ func parseIA5String(bytes []byte) (ret string, err os.Error) {
        return
 }
 
+// T61String
+
+// parseT61String parses a ASN.1 T61String (8-bit clean string) from the given
+// byte array and returns it.
+func parseT61String(bytes []byte) (ret string, err os.Error) {
+       return string(bytes), nil
+}
+
 // A RawValue represents an undecoded ASN.1 object.
 type RawValue struct {
        Class, Tag int
@@ -472,6 +480,8 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
                                result, err = parsePrintableString(innerBytes)
                        case tagIA5String:
                                result, err = parseIA5String(innerBytes)
+                       case tagT61String:
+                               result, err = parseT61String(innerBytes)
                        case tagInteger:
                                result, err = parseInt64(innerBytes)
                        case tagBitString:
@@ -689,6 +699,8 @@ func parseField(v reflect.Value, bytes []byte, initOffset int, params fieldParam
                        v, err = parsePrintableString(innerBytes)
                case tagIA5String:
                        v, err = parseIA5String(innerBytes)
+               case tagT61String:
+                       v, err = parseT61String(innerBytes)
                default:
                        err = SyntaxError{fmt.Sprintf("internal error: unknown string type %d", universalTag)}
                }
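Review bot: parseT61String in the first hunk of this file returns `string(bytes)` with no validation or character-set conversion, so unlike the PrintableString and IA5String parsers it accepts any byte value and the result may not be valid UTF-8 (T61/Teletex is its own encoding, not Latin-1 or UTF-8), which callers that print or compare the decoded name should know. The doc comment also has a typo ("a ASN.1") and the phrase "8-bit clean" overstates what the function does. I would replace the comment with `// parseT61String parses an ASN.1 T61String from the given byte array. The bytes are returned unchanged (no validation or character-set conversion is done), so the result may not be valid UTF-8.` The two switch additions in the later hunks just dispatch to it and need no further change.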
index 3ea0f09b1246b7e550757b9e96dccc3570f07d3f..4a5eca1450f0f61e6fef1ae0fc0ca588ea9dfa85 100644 (file)
@@ -28,6 +28,7 @@ const (
        tagSequence        = 16
        tagSet             = 17
        tagPrintableString = 19
+       tagT61String       = 20
        tagIA5String       = 22
        tagUTCTime         = 23
        tagGeneralizedTime = 24
index 78566fa8c534a703edd31ebeb4f56c7e3636ff4f..9bf9f21851d1c444fffd68c4be4038a246e4304b 100644 (file)
@@ -675,5 +675,13 @@ func (c *Conn) PeerCertificates() []*x509.Certificate {
 // connecting to host.  If so, it returns nil; if not, it returns an os.Error
 // describing the problem.
 func (c *Conn) VerifyHostname(host string) os.Error {
-       return c.PeerCertificates()[0].VerifyHostname(host)
+       c.handshakeMutex.Lock()
+       defer c.handshakeMutex.Unlock()
+       if !c.isClient {
+               return os.ErrorString("VerifyHostname called on TLS server connection")
+       }
+       if !c.handshakeComplete {
+               return os.ErrorString("TLS handshake has not yet been performed")
+       }
+       return c.peerCertificates[0].VerifyHostname(host)
 }
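Review bot: `c.peerCertificates[0]` on the last line of the hunk indexes the slice without a length check, so an empty certificate list after a completed handshake would panic instead of returning an error; whether the client handshake guarantees a non-empty list is not visible here, but a guard is cheap: `if len(c.peerCertificates) == 0 { return os.ErrorString("no peer certificates") }` placed before the return. The added isClient and handshakeComplete checks under handshakeMutex are good and should probably be mentioned in the doc comment, whose first line lies above this hunk, e.g. `// VerifyHostname must be called on a client connection after the handshake has completed.` Note that this method still checks only the leaf certificate's name, not the chain; the comment could say so to avoid callers reading it as full validation.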
index 27e32cc2f208ba6fdaa4f30fd0f80fb575d84be9..2aec160a1e35761249d8cde62b96d0d4a4ee2a7a 100644 (file)
@@ -67,7 +67,13 @@ func Dial(network, laddr, raddr string) (net.Conn, os.Error) {
        if err != nil {
                return nil, err
        }
-       return Client(c, nil), nil
+       conn := Client(c, nil)
+       err = conn.Handshake()
+       if err == nil {
+               return conn, nil
+       }
+       c.Close()
+       return nil, err
 }
 
 // LoadX509KeyPair
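Review bot: Dial now completes the handshake but does not check the certificate against raddr, and because it returns `net.Conn` the caller has to type-assert to `*Conn` to reach VerifyHostname or PeerCertificates; the doc comment of Dial (which starts above this hunk) should state that, e.g. `// Dial completes the TLS handshake before returning; the peer's certificate is not checked against raddr, so callers should type-assert the result to *Conn and call VerifyHostname.` Minor: the result of `c.Close()` on the error path is discarded, and the success-first shape reads awkwardly; `if err := conn.Handshake(); err != nil { c.Close(); return nil, err }` followed by `return conn, nil` keeps the happy path left-aligned. Dial's opening lines are outside the hunk.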