crypto/tls: add CertificateVerificationError to tls handshake
authorGabor Tanz <gabor.tanz@swisscom.com>
Fri, 18 Nov 2022 07:59:03 +0000 (07:59 +0000)
committerGopher Robot <gobot@golang.org>
Fri, 18 Nov 2022 18:50:57 +0000 (18:50 +0000)
Fixes #48152

Change-Id: I503f088edeb5574fd5eb5905bff7c3c23b2bc8fc
GitHub-Last-Rev: 2b0e982f3f6bca33062b0bbd64ed1804801e2c13
GitHub-Pull-Request: golang/go#56686
Reviewed-on: https://go-review.googlesource.com/c/go/+/449336
Run-TryBot: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Julie Qiu <julieqiu@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Roland Shoemaker <roland@golang.org>
api/next/48152.txt [new file with mode: 0644]
src/crypto/tls/common.go
src/crypto/tls/handshake_client.go
src/crypto/tls/handshake_server.go
src/net/http/transport_test.go

diff --git a/api/next/48152.txt b/api/next/48152.txt
new file mode 100644 (file)
index 0000000..9ff5f99
--- /dev/null
@@ -0,0 +1,5 @@
+pkg crypto/tls, type CertificateVerificationError struct #48152
+pkg crypto/tls, type CertificateVerificationError struct, UnverifiedCertificates []*x509.Certificate #48152
+pkg crypto/tls, type CertificateVerificationError struct, Err error #48152
+pkg crypto/tls, method (*CertificateVerificationError) Error() string #48152
+pkg crypto/tls, method (*CertificateVerificationError) Unwrap() error #48152
index 62324de5139b46343a2300ef11f909578ce6324d..007f0f47b233c637ba440c05861172fb1d8abf30 100644 (file)
@@ -1493,3 +1493,18 @@ func isSupportedSignatureAlgorithm(sigAlg SignatureScheme, supportedSignatureAlg
        }
        return false
 }
+
+// CertificateVerificationError is returned when certificate verification fails during the handshake.
+type CertificateVerificationError struct {
+       // UnverifiedCertificates and its contents should not be modified.
+       UnverifiedCertificates []*x509.Certificate
+       Err                    error
+}
+
+func (e *CertificateVerificationError) Error() string {
+       return fmt.Sprintf("tls: failed to verify certificate: %s", e.Err)
+}
+
+func (e *CertificateVerificationError) Unwrap() error {
+       return e.Err
+}
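Review bot: The comment on `UnverifiedCertificates` says only that it must not be modified; it should also say what the field holds and how little it can be trusted, because it hands the caller the very chain that just failed verification and nothing stops a caller from "recovering" by using it anyway. Suggest `// UnverifiedCertificates holds the certificate chain as presented by the peer. It failed verification and must be treated as untrusted input: suitable for logging and diagnostics, never as a basis for a trust decision or a retry that skips verification.` and, for the second field, `// Err is the underlying x509 verification error; Unwrap returns it so errors.As/errors.Is against x509 error types keep working.` `Error()` also formats `e.Err` with `%s`, which yields `%!s(<nil>)` for a zero-value struct; either document that `Err` is always non-nil or guard it with `if e.Err == nil { return "tls: failed to verify certificate" }`.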
index 2e3b693199620a3938499a3e0dbb5f89b02614c4..7cf906c91d8ee132bf7960ba5f0cd8045a417d49 100644 (file)
@@ -876,7 +876,7 @@ func (c *Conn) verifyServerCertificate(certificates [][]byte) error {
                c.verifiedChains, err = certs[0].Verify(opts)
                if err != nil {
                        c.sendAlert(alertBadCertificate)
-                       return err
+                       return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
                }
        }
 
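Review bot: The returned error's text changes from the bare x509 message to `tls: failed to verify certificate: …`, which is observable to callers that match on `err.Error()` (the net/http trace test in this same commit had to be updated for exactly that); callers using `errors.As`/`errors.Is` on x509 error types are unaffected because of `Unwrap`. That compatibility note belongs in the commit description or the type's doc so downstream string-matchers know what broke. The `certs` slice is passed into the error by reference; if the function also retains it as the connection's peer certificates (not visible here), the "should not be modified" comment is the only thing preventing aliasing — cloning on this failure path would be cheap. `verifyServerCertificate` starts and ends outside this hunk.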
index fc0a7ac13d6c8de0138af72bde43c388de8bd392..682cfc20619f684aa2632821b37940e5bbc3891f 100644 (file)
@@ -831,7 +831,7 @@ func (c *Conn) processCertsFromClient(certificate Certificate) error {
                chains, err := certs[0].Verify(opts)
                if err != nil {
                        c.sendAlert(alertBadCertificate)
-                       return errors.New("tls: failed to verify client certificate: " + err.Error())
+                       return &CertificateVerificationError{UnverifiedCertificates: certs, Err: err}
                }
 
                c.verifiedChains = chains
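Review bot: The replacement message drops the "client certificate" qualifier the removed line carried, so a server-side log entry now reads identically to a client-side one (`tls: failed to verify certificate: …`) and an operator can no longer tell from the message which peer's certificate was rejected. If that distinction matters, keep it without changing the error type, e.g. `return &CertificateVerificationError{UnverifiedCertificates: certs, Err: fmt.Errorf("client certificate: %w", err)}`, which still unwraps to the x509 error; otherwise the loss should be called out as intentional in the commit description. `processCertsFromClient` starts and ends outside this hunk.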
index b637e40cb429b7e3420117d03335e3ffc0b21049..c0cabccab82b7d9f10fd5a5f83a29c285ca6eb92 100644 (file)
@@ -4818,7 +4818,7 @@ func testTransportEventTraceTLSVerify(t *testing.T, mode testMode) {
 
        wantOnce("TLSHandshakeStart")
        wantOnce("TLSHandshakeDone")
-       wantOnce("err = x509: certificate is valid for example.com")
+       wantOnce("err = tls: failed to verify certificate: x509: certificate is valid for example.com")
 
        if t.Failed() {
                t.Errorf("Output:\n%s", got)