From f13a5e0288b7d26c122947888c34603c7b0999a9 Mon Sep 17 00:00:00 2001
From: Andrew Brampton
Date: Tue, 7 Oct 2014 20:09:48 -0700
Subject: [PATCH 1/2] Added support for SSL_get_verify_result(..)

---
 conn.go | 63 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 63 insertions(+)

diff --git a/conn.go b/conn.go
index 61c0203..a7903e0 100644
--- a/conn.go
+++ b/conn.go
@@ -60,6 +60,65 @@ type Conn struct {
 	want_read_future *utils.Future
 }
 
+type VerifyResult int
+
+const (
+	Ok VerifyResult = C.X509_V_OK
+	UnableToGetIssuerCert VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+	UnableToGetCrl VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL
+	UnableToDecryptCertSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+	UnableToDecryptCrlSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+	UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+	CertSignatureFailure VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE
+	CrlSignatureFailure VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE
+	CertNotYetValid VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID
+	CertHasExpired VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED
+	CrlNotYetValid VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID
+	CrlHasExpired VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED
+	ErrorInCertNotBeforeField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+	ErrorInCertNotAfterField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+	ErrorInCrlLastUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+	ErrorInCrlNextUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+	OutOfMem VerifyResult = C.X509_V_ERR_OUT_OF_MEM
+	DepthZeroSelfSignedCert VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+	SelfSignedCertInChain VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+	UnableToGetIssuerCertLocally VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+	UnableToVerifyLeafSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+	CertChainTooLong VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG
+	CertRevoked VerifyResult = C.X509_V_ERR_CERT_REVOKED
+	InvalidCa VerifyResult = C.X509_V_ERR_INVALID_CA
+	PathLengthExceeded VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED
+	InvalidPurpose VerifyResult = C.X509_V_ERR_INVALID_PURPOSE
+	CertUntrusted VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED
+	CertRejected VerifyResult = C.X509_V_ERR_CERT_REJECTED
+	SubjectIssuerMismatch VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+	AkidSkidMismatch VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH
+	AkidIssuerSerialMismatch VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+	KeyusageNoCertsign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+	UnableToGetCrlIssuer VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+	UnhandledCriticalExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+	KeyusageNoCrlSign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+	UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+	InvalidNonCa VerifyResult = C.X509_V_ERR_INVALID_NON_CA
+	ProxyPathLengthExceeded VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+	KeyusageNoDigitalSignature VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+	ProxyCertificatesNotAllowed VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+	InvalidExtension VerifyResult = C.X509_V_ERR_INVALID_EXTENSION
+	InvalidPolicyExtension VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION
+	NoExplicitPolicy VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY
+	DifferentCrlScope VerifyResult = C.X509_V_ERR_DIFFERENT_CRL_SCOPE
+	UnsupportedExtensionFeature VerifyResult = C.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+	UnnestedResource VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE
+	PermittedViolation VerifyResult = C.X509_V_ERR_PERMITTED_VIOLATION
+	ExcludedViolation VerifyResult = C.X509_V_ERR_EXCLUDED_VIOLATION
+	SubtreeMinmax VerifyResult = C.X509_V_ERR_SUBTREE_MINMAX
+	UnsupportedConstraintType VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+	UnsupportedConstraintSyntax VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+	UnsupportedNameSyntax VerifyResult = C.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+	CrlPathValidationError VerifyResult = C.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+	ApplicationVerification VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION
+)
+
 func newSSL(ctx *C.SSL_CTX) (*C.SSL, error) {
 	runtime.LockOSThread()
 	defer runtime.UnlockOSThread()
@@ -500,3 +559,7 @@ func (c *Conn) SetTlsExtHostName(name string) error {
 	}
 	return nil
 }
+
+func (c *Conn) VerifyResult() VerifyResult {
+	return VerifyResult( C.SSL_get_verify_result(c.ssl) );
+}

From 948f12287179f741c01a8183416223c65eb96e58 Mon Sep 17 00:00:00 2001
From: Andrew Brampton
Date: Wed, 8 Oct 2014 09:25:03 -0700
Subject: [PATCH 2/2] Correctly formated my changes.

---
 conn.go | 110 ++++++++++++++++++++++++++++----------------------------
 1 file changed, 55 insertions(+), 55 deletions(-)

diff --git a/conn.go b/conn.go
index a7903e0..bc34ee5 100644
--- a/conn.go
+++ b/conn.go
@@ -63,60 +63,60 @@ type Conn struct {
 type VerifyResult int
 
 const (
-	Ok VerifyResult = C.X509_V_OK
-	UnableToGetIssuerCert VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
-	UnableToGetCrl VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL
-	UnableToDecryptCertSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
-	UnableToDecryptCrlSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
-	UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
-	CertSignatureFailure VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE
-	CrlSignatureFailure VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE
-	CertNotYetValid VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID
-	CertHasExpired VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED
-	CrlNotYetValid VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID
-	CrlHasExpired VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED
-	ErrorInCertNotBeforeField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
-	ErrorInCertNotAfterField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
-	ErrorInCrlLastUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
-	ErrorInCrlNextUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
-	OutOfMem VerifyResult = C.X509_V_ERR_OUT_OF_MEM
-	DepthZeroSelfSignedCert VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
-	SelfSignedCertInChain VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
-	UnableToGetIssuerCertLocally VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
-	UnableToVerifyLeafSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
-	CertChainTooLong VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG
-	CertRevoked VerifyResult = C.X509_V_ERR_CERT_REVOKED
-	InvalidCa VerifyResult = C.X509_V_ERR_INVALID_CA
-	PathLengthExceeded VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED
-	InvalidPurpose VerifyResult = C.X509_V_ERR_INVALID_PURPOSE
-	CertUntrusted VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED
-	CertRejected VerifyResult = C.X509_V_ERR_CERT_REJECTED
-	SubjectIssuerMismatch VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
-	AkidSkidMismatch VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH
-	AkidIssuerSerialMismatch VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
-	KeyusageNoCertsign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
-	UnableToGetCrlIssuer VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
-	UnhandledCriticalExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
-	KeyusageNoCrlSign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
-	UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
-	InvalidNonCa VerifyResult = C.X509_V_ERR_INVALID_NON_CA
-	ProxyPathLengthExceeded VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
-	KeyusageNoDigitalSignature VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
-	ProxyCertificatesNotAllowed VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
-	InvalidExtension VerifyResult = C.X509_V_ERR_INVALID_EXTENSION
-	InvalidPolicyExtension VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION
-	NoExplicitPolicy VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY
-	DifferentCrlScope VerifyResult = C.X509_V_ERR_DIFFERENT_CRL_SCOPE
-	UnsupportedExtensionFeature VerifyResult = C.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
-	UnnestedResource VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE
-	PermittedViolation VerifyResult = C.X509_V_ERR_PERMITTED_VIOLATION
-	ExcludedViolation VerifyResult = C.X509_V_ERR_EXCLUDED_VIOLATION
-	SubtreeMinmax VerifyResult = C.X509_V_ERR_SUBTREE_MINMAX
-	UnsupportedConstraintType VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
-	UnsupportedConstraintSyntax VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
-	UnsupportedNameSyntax VerifyResult = C.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
-	CrlPathValidationError VerifyResult = C.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
-	ApplicationVerification VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION
+	Ok VerifyResult = C.X509_V_OK
+	UnableToGetIssuerCert VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT
+	UnableToGetCrl VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL
+	UnableToDecryptCertSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE
+	UnableToDecryptCrlSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE
+	UnableToDecodeIssuerPublicKey VerifyResult = C.X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY
+	CertSignatureFailure VerifyResult = C.X509_V_ERR_CERT_SIGNATURE_FAILURE
+	CrlSignatureFailure VerifyResult = C.X509_V_ERR_CRL_SIGNATURE_FAILURE
+	CertNotYetValid VerifyResult = C.X509_V_ERR_CERT_NOT_YET_VALID
+	CertHasExpired VerifyResult = C.X509_V_ERR_CERT_HAS_EXPIRED
+	CrlNotYetValid VerifyResult = C.X509_V_ERR_CRL_NOT_YET_VALID
+	CrlHasExpired VerifyResult = C.X509_V_ERR_CRL_HAS_EXPIRED
+	ErrorInCertNotBeforeField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD
+	ErrorInCertNotAfterField VerifyResult = C.X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD
+	ErrorInCrlLastUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD
+	ErrorInCrlNextUpdateField VerifyResult = C.X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD
+	OutOfMem VerifyResult = C.X509_V_ERR_OUT_OF_MEM
+	DepthZeroSelfSignedCert VerifyResult = C.X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT
+	SelfSignedCertInChain VerifyResult = C.X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN
+	UnableToGetIssuerCertLocally VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY
+	UnableToVerifyLeafSignature VerifyResult = C.X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE
+	CertChainTooLong VerifyResult = C.X509_V_ERR_CERT_CHAIN_TOO_LONG
+	CertRevoked VerifyResult = C.X509_V_ERR_CERT_REVOKED
+	InvalidCa VerifyResult = C.X509_V_ERR_INVALID_CA
+	PathLengthExceeded VerifyResult = C.X509_V_ERR_PATH_LENGTH_EXCEEDED
+	InvalidPurpose VerifyResult = C.X509_V_ERR_INVALID_PURPOSE
+	CertUntrusted VerifyResult = C.X509_V_ERR_CERT_UNTRUSTED
+	CertRejected VerifyResult = C.X509_V_ERR_CERT_REJECTED
+	SubjectIssuerMismatch VerifyResult = C.X509_V_ERR_SUBJECT_ISSUER_MISMATCH
+	AkidSkidMismatch VerifyResult = C.X509_V_ERR_AKID_SKID_MISMATCH
+	AkidIssuerSerialMismatch VerifyResult = C.X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH
+	KeyusageNoCertsign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CERTSIGN
+	UnableToGetCrlIssuer VerifyResult = C.X509_V_ERR_UNABLE_TO_GET_CRL_ISSUER
+	UnhandledCriticalExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION
+	KeyusageNoCrlSign VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_CRL_SIGN
+	UnhandledCriticalCrlExtension VerifyResult = C.X509_V_ERR_UNHANDLED_CRITICAL_CRL_EXTENSION
+	InvalidNonCa VerifyResult = C.X509_V_ERR_INVALID_NON_CA
+	ProxyPathLengthExceeded VerifyResult = C.X509_V_ERR_PROXY_PATH_LENGTH_EXCEEDED
+	KeyusageNoDigitalSignature VerifyResult = C.X509_V_ERR_KEYUSAGE_NO_DIGITAL_SIGNATURE
+	ProxyCertificatesNotAllowed VerifyResult = C.X509_V_ERR_PROXY_CERTIFICATES_NOT_ALLOWED
+	InvalidExtension VerifyResult = C.X509_V_ERR_INVALID_EXTENSION
+	InvalidPolicyExtension VerifyResult = C.X509_V_ERR_INVALID_POLICY_EXTENSION
+	NoExplicitPolicy VerifyResult = C.X509_V_ERR_NO_EXPLICIT_POLICY
+	DifferentCrlScope VerifyResult = C.X509_V_ERR_DIFFERENT_CRL_SCOPE
+	UnsupportedExtensionFeature VerifyResult = C.X509_V_ERR_UNSUPPORTED_EXTENSION_FEATURE
+	UnnestedResource VerifyResult = C.X509_V_ERR_UNNESTED_RESOURCE
+	PermittedViolation VerifyResult = C.X509_V_ERR_PERMITTED_VIOLATION
+	ExcludedViolation VerifyResult = C.X509_V_ERR_EXCLUDED_VIOLATION
+	SubtreeMinmax VerifyResult = C.X509_V_ERR_SUBTREE_MINMAX
+	UnsupportedConstraintType VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE
+	UnsupportedConstraintSyntax VerifyResult = C.X509_V_ERR_UNSUPPORTED_CONSTRAINT_SYNTAX
+	UnsupportedNameSyntax VerifyResult = C.X509_V_ERR_UNSUPPORTED_NAME_SYNTAX
+	CrlPathValidationError VerifyResult = C.X509_V_ERR_CRL_PATH_VALIDATION_ERROR
+	ApplicationVerification VerifyResult = C.X509_V_ERR_APPLICATION_VERIFICATION
 )
 
 func newSSL(ctx *C.SSL_CTX) (*C.SSL, error) {
@@ -561,5 +561,5 @@ func (c *Conn) SetTlsExtHostName(name string) error {
 }
 
 func (c *Conn) VerifyResult() VerifyResult {
-	return VerifyResult( C.SSL_get_verify_result(c.ssl) );
+	return VerifyResult(C.SSL_get_verify_result(c.ssl))
 }
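Review bot: The new exported type `VerifyResult` and its 54 exported constants in the first hunk carry no doc comments, so godoc will show a bare list of names with no indication that they mirror OpenSSL's X509_V_* verification codes or that `Ok` is the only success value. A type comment such as `// VerifyResult is the outcome of peer certificate verification, mirroring OpenSSL's X509_V_OK and X509_V_ERR_* result codes as returned by SSL_get_verify_result.` plus `// Ok means verification found no error (X509_V_OK).` would cover the essentials. Since this is new public API that cannot be renamed later without breaking callers, it is also the moment to settle on Go initialism style for names like `InvalidCa`, `UnableToGetCrl` and `AkidSkidMismatch` (`InvalidCA`, `UnableToGetCRL`, `AKIDSKIDMismatch`), whichever convention the rest of the package already follows.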
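Review bot: `VerifyResult()` in the second hunk is undocumented, and the one property of SSL_get_verify_result that callers most often get wrong is missing: OpenSSL reports X509_V_OK when the peer presented no certificate at all, so a caller that only compares the result against `Ok` can treat an unauthenticated peer as verified. It also reports only the last verification error that occurred, not every failure. A doc comment along the lines of `// VerifyResult returns the result of the peer certificate verification performed during the most recent handshake (SSL_get_verify_result).` followed by `// Ok is also returned when the peer presented no certificate, so callers must additionally confirm that a peer certificate exists before treating Ok as authentication.` would make the contract explicit. Whether reading `c.ssl` here needs the same locking the other Conn methods use is not visible in this hunk and is worth confirming against them.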