mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-03 20:17:36 +03:00
crypto/tls,crypto/x509: clarify certificate ownership
Clarify documentation in cases where certificates returned from various methods are not owned by the caller, and as such should not be modified. Change-Id: I06bdc4cf0f686c3d5e8bbb76fc71f2a4bdb955e3 Reviewed-on: https://go-review.googlesource.com/c/go/+/427155 Auto-Submit: Roland Shoemaker <roland@golang.org> Run-TryBot: Roland Shoemaker <roland@golang.org> Reviewed-by: Filippo Valsorda <filippo@golang.org> Reviewed-by: Heschi Kreinick <heschi@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
Roland Shoemaker
Gopher Robot
parent
4da5d50737
commit
a97d15ade9
1 changed files with 10 additions and 0 deletions
10
common.go
10
common.go
|
|
@ -246,6 +246,8 @@ type ConnectionState struct {
|
|||
// On the client side, it can't be empty. On the server side, it can be
|
||||
// empty if Config.ClientAuth is not RequireAnyClientCert or
|
||||
// RequireAndVerifyClientCert.
|
||||
//
|
||||
// PeerCertificates and its contents should not be modified.
|
||||
PeerCertificates []*x509.Certificate
|
||||
|
||||
// VerifiedChains is a list of one or more chains where the first element is
|
||||
|
|
@ -255,6 +257,8 @@ type ConnectionState struct {
|
|||
// On the client side, it's set if Config.InsecureSkipVerify is false. On
|
||||
// the server side, it's set if Config.ClientAuth is VerifyClientCertIfGiven
|
||||
// (and the peer provided a certificate) or RequireAndVerifyClientCert.
|
||||
//
|
||||
// VerifiedChains and its contents should not be modified.
|
||||
VerifiedChains [][]*x509.Certificate
|
||||
|
||||
// SignedCertificateTimestamps is a list of SCTs provided by the peer
|
||||
|
|
@ -554,6 +558,8 @@ type Config struct {
|
|||
// If GetCertificate is nil or returns nil, then the certificate is
|
||||
// retrieved from NameToCertificate. If NameToCertificate is nil, the
|
||||
// best element of Certificates will be used.
|
||||
//
|
||||
// Once a Certificate is returned it should not be modified.
|
||||
GetCertificate func(*ClientHelloInfo) (*Certificate, error)
|
||||
|
||||
// GetClientCertificate, if not nil, is called when a server requests a
|
||||
|
|
@ -569,6 +575,8 @@ type Config struct {
|
|||
//
|
||||
// GetClientCertificate may be called multiple times for the same
|
||||
// connection if renegotiation occurs or if TLS 1.3 is in use.
|
||||
//
|
||||
// Once a Certificate is returned it should not be modified.
|
||||
GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error)
|
||||
|
||||
// GetConfigForClient, if not nil, is called after a ClientHello is
|
||||
|
|
@ -597,6 +605,8 @@ type Config struct {
|
|||
// setting InsecureSkipVerify, or (for a server) when ClientAuth is
|
||||
// RequestClientCert or RequireAnyClientCert, then this callback will
|
||||
// be considered but the verifiedChains argument will always be nil.
|
||||
//
|
||||
// verifiedChains and its contents should not be modified.
|
||||
VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
|
||||
|
||||
// VerifyConnection, if not nil, is called after normal certificate
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue