mirrors/utls
1
0
Fork 0
mirror of https://github.com/refraction-networking/utls.git synced 2025-04-04 12:37:35 +03:00
Code Issues Projects Releases Packages Wiki Activity

crypto/tls,crypto/x509: clarify certificate ownership

Browse source 
Clarify documentation in cases where certificates returned from
various methods are not owned by the caller, and as such should not
be modified.

Change-Id: I06bdc4cf0f686c3d5e8bbb76fc71f2a4bdb955e3
Reviewed-on: https://go-review.googlesource.com/c/go/+/427155
Auto-Submit: Roland Shoemaker <roland@golang.org>
Run-TryBot: Roland Shoemaker <roland@golang.org>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Heschi Kreinick <heschi@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
This commit is contained in:
Roland Shoemaker 2022-08-31 12:24:21 -07:00 committed by Gopher Robot
parent 4da5d50737
commit a97d15ade9
1 changed files with 10 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

10
common.go
View file

@ -246,6 +246,8 @@ type ConnectionState struct {
// On the client side, it can't be empty. On the server side, it can be // On the client side, it can't be empty. On the server side, it can be
// empty if Config.ClientAuth is not RequireAnyClientCert or // empty if Config.ClientAuth is not RequireAnyClientCert or
// RequireAndVerifyClientCert. // RequireAndVerifyClientCert.
//
// PeerCertificates and its contents should not be modified.
PeerCertificates []*x509.Certificate PeerCertificates []*x509.Certificate
// VerifiedChains is a list of one or more chains where the first element is // VerifiedChains is a list of one or more chains where the first element is
@ -255,6 +257,8 @@ type ConnectionState struct {
// On the client side, it's set if Config.InsecureSkipVerify is false. On // On the client side, it's set if Config.InsecureSkipVerify is false. On
// the server side, it's set if Config.ClientAuth is VerifyClientCertIfGiven // the server side, it's set if Config.ClientAuth is VerifyClientCertIfGiven
// (and the peer provided a certificate) or RequireAndVerifyClientCert. // (and the peer provided a certificate) or RequireAndVerifyClientCert.
//
// VerifiedChains and its contents should not be modified.
VerifiedChains [][]*x509.Certificate VerifiedChains [][]*x509.Certificate
// SignedCertificateTimestamps is a list of SCTs provided by the peer // SignedCertificateTimestamps is a list of SCTs provided by the peer
@ -554,6 +558,8 @@ type Config struct {
// If GetCertificate is nil or returns nil, then the certificate is // If GetCertificate is nil or returns nil, then the certificate is
// retrieved from NameToCertificate. If NameToCertificate is nil, the // retrieved from NameToCertificate. If NameToCertificate is nil, the
// best element of Certificates will be used. // best element of Certificates will be used.
//
// Once a Certificate is returned it should not be modified.
GetCertificate func(*ClientHelloInfo) (*Certificate, error) GetCertificate func(*ClientHelloInfo) (*Certificate, error)
// GetClientCertificate, if not nil, is called when a server requests a // GetClientCertificate, if not nil, is called when a server requests a
@ -569,6 +575,8 @@ type Config struct {
// //
// GetClientCertificate may be called multiple times for the same // GetClientCertificate may be called multiple times for the same
// connection if renegotiation occurs or if TLS 1.3 is in use. // connection if renegotiation occurs or if TLS 1.3 is in use.
//
// Once a Certificate is returned it should not be modified.
GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error) GetClientCertificate func(*CertificateRequestInfo) (*Certificate, error)
// GetConfigForClient, if not nil, is called after a ClientHello is // GetConfigForClient, if not nil, is called after a ClientHello is
@ -597,6 +605,8 @@ type Config struct {
// setting InsecureSkipVerify, or (for a server) when ClientAuth is // setting InsecureSkipVerify, or (for a server) when ClientAuth is
// RequestClientCert or RequireAnyClientCert, then this callback will // RequestClientCert or RequireAnyClientCert, then this callback will
// be considered but the verifiedChains argument will always be nil. // be considered but the verifiedChains argument will always be nil.
//
// verifiedChains and its contents should not be modified.
VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error VerifyPeerCertificate func(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error
// VerifyConnection, if not nil, is called after normal certificate // VerifyConnection, if not nil, is called after normal certificate