[go] crypto/tls: expose local Certificates used in handshake via ConnectionState
Gerrit Bot (Gerrit)
Gerrit Bot has uploaded the change for review![]( "Open in Gerrit")
Commit message
crypto/tls: expose local Certificates used in handshake via ConnectionState
If the local party didn't send a certificate in the handshake, leave the field nil. This information is predominantly useful when debugging.
Fixes #24673
Change diff
diff --git a/api/next/24673.txt b/api/next/24673.txt
new file mode 100644
index 0000000..a359279
--- /dev/null
+++ b/api/next/24673.txt
@@ -0,0 +1 @@
+pkg crypto/tls, type ConnectionState struct, LocalCertificate *Certificate #24673
diff --git a/doc/next/6-stdlib/99-minor/crypto/tls/24673.md b/doc/next/6-stdlib/99-minor/crypto/tls/24673.md
new file mode 100644
index 0000000..2f9dd7c
--- /dev/null
+++ b/doc/next/6-stdlib/99-minor/crypto/tls/24673.md
@@ -0,0 +1,2 @@
+Make the local party's [Certificate] available via
+[ConnectionState.LocalCertificate] if provided during the handshake.
\ No newline at end of file
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
index 6fe6f34..a1ff14c 100644
--- a/src/crypto/tls/common.go
+++ b/src/crypto/tls/common.go
@@ -275,6 +275,13 @@
// PeerCertificates and its contents should not be modified.
PeerCertificates []*x509.Certificate
+ // LocalCertificate is the local certificate sent by this side of the
+ // handshake. It's available both on the server and on the client side.
+ // May be nil if a certificate wasn't exchanged by this party in the
+ // handshake, e.g. a client opening a connection without providing a client
+ // cert.
+ LocalCertificate *Certificate
+
// VerifiedChains is a list of one or more chains where the first element is
// PeerCertificates[0] and the last element is from Config.RootCAs (on the
// client side) or Config.ClientCAs (on the server side).
diff --git a/src/crypto/tls/conn.go b/src/crypto/tls/conn.go
index 09dc9ea..811c6c0 100644
--- a/src/crypto/tls/conn.go
+++ b/src/crypto/tls/conn.go
@@ -55,6 +55,7 @@
ocspResponse []byte // stapled OCSP response
scts [][]byte // signed certificate timestamps from server
peerCertificates []*x509.Certificate
+ localCertificate *Certificate
// verifiedChains contains the certificate chains that we built, as
// opposed to the ones presented by the server.
verifiedChains [][]*x509.Certificate
@@ -1619,6 +1620,7 @@
state.ServerName = c.serverName
state.CipherSuite = c.cipherSuite
state.PeerCertificates = c.peerCertificates
+ state.LocalCertificate = c.localCertificate
state.VerifiedChains = c.verifiedChains
state.SignedCertificateTimestamps = c.scts
state.OCSPResponse = c.ocspResponse
diff --git a/src/crypto/tls/handshake_client.go b/src/crypto/tls/handshake_client.go
index 90c5bda..7b724b7 100644
--- a/src/crypto/tls/handshake_client.go
+++ b/src/crypto/tls/handshake_client.go
@@ -834,6 +834,7 @@
return err
}
}
+ hs.c.localCertificate = chainToSend
signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash)
signOpts := crypto.SignerOpts(sigHash)
diff --git a/src/crypto/tls/handshake_client_tls13.go b/src/crypto/tls/handshake_client_tls13.go
index 7018bb2..6bcd5d5 100644
--- a/src/crypto/tls/handshake_client_tls13.go
+++ b/src/crypto/tls/handshake_client_tls13.go
@@ -823,6 +823,7 @@
if _, err := hs.c.writeHandshakeRecord(certVerifyMsg, hs.transcript); err != nil {
return err
}
+ hs.c.localCertificate = cert
return nil
}
diff --git a/src/crypto/tls/handshake_server.go b/src/crypto/tls/handshake_server.go
index 088c66f..3975ed6 100644
--- a/src/crypto/tls/handshake_server.go
+++ b/src/crypto/tls/handshake_server.go
@@ -283,6 +283,7 @@
}
return err
}
+ hs.c.localCertificate = hs.cert
if hs.clientHello.scts {
hs.hello.scts = hs.cert.SignedCertificateTimestamps
}
diff --git a/src/crypto/tls/handshake_server_tls13.go b/src/crypto/tls/handshake_server_tls13.go
index c5b0552..835c227 100644
--- a/src/crypto/tls/handshake_server_tls13.go
+++ b/src/crypto/tls/handshake_server_tls13.go
@@ -533,6 +533,7 @@
return err
}
hs.cert = certificate
+ hs.c.localCertificate = hs.cert
return nil
}
Change information
- A api/next/24673.txt
- A doc/next/6-stdlib/99-minor/crypto/tls/24673.md
- M src/crypto/tls/common.go
- M src/crypto/tls/conn.go
- M src/crypto/tls/handshake_client.go
- M src/crypto/tls/handshake_client_tls13.go
- M src/crypto/tls/handshake_server.go
- M src/crypto/tls/handshake_server_tls13.go
Related details
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Gopher Robot (Gerrit)
Gopher Robot added 1 comment![]( "Open in Gerrit")
I spotted some possible problems with your PR:
1. You have a long 140 character line in the commit message body. Please add line breaks to long lines that should be wrapped. Lines in the commit message body should be wrapped at ~76 characters unless needed for things like URLs or tables. (Note: GitHub might render long lines as soft-wrapped, so double-check in the Gerrit commit message shown above.)
Please address any problems by updating the GitHub PR.
When complete, mark this comment as 'Done' and click the [blue 'Reply' button](https://go.dev/wiki/GerritBot#i-left-a-reply-to-a-comment-in-gerrit-but-no-one-but-me-can-see-it) above. These findings are based on heuristics; if a finding does not apply, briefly reply here saying so.
To update the commit title or commit message body shown here in Gerrit, you must edit the GitHub PR title and PR description (the first comment) in the GitHub web interface using the 'Edit' button or 'Edit' menu entry there. Note: pushing a new commit to the PR will not automatically update the commit message used by Gerrit.
For more details, see:
- [how to update commit messages](https://go.dev/wiki/GerritBot/#how-does-gerritbot-determine-the-final-commit-message) for PRs imported into Gerrit.
- the Go project's [conventions for commit messages](https://go.dev/doc/contribute#commit_messages) that you should follow.
(In general for Gerrit code reviews, the change author is expected to [log in to Gerrit](https://go-review.googlesource.com/login/) with a Gmail or other Google account and then close out each piece of feedback by marking it as 'Done' if implemented as suggested or otherwise reply to each review comment. See the [Review](https://go.dev/doc/contribute#review) section of the Contributing Guide for details.)
Related details
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Gopher Robot (Gerrit)
Message from Gopher Robot![]( "Open in Gerrit")
Congratulations on opening your first change. Thank you for your contribution!
Next steps:
A maintainer will review your change and provide feedback. See
https://go.dev/doc/contribute#review for more info and tips to get your
patch through code review.
Most changes in the Go project go through a few rounds of revision. This can be
surprising to people new to the project. The careful, iterative review process
is our way of helping mentor contributors and ensuring that their contributions
have a lasting impact.
During May-July and Nov-Jan the Go project is in a code freeze, during which
little code gets reviewed or merged. If a reviewer responds with a comment like
R=go1.11 or adds a tag like "wait-release", it means that this CL will be
reviewed as part of the next development cycle. See https://go.dev/s/release
for more details.
Related details
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |