runner: Rename CertificateChain to Credential After https://boringssl-review.googlesource.com/c/boringssl/+/62565 just renamed it. :-) This is in preparation for the type being used to test the SSL_CREDENTIAL machinery. Since we'll be using this to specify a credential on the shim, let's just make the name match. Bug: 249 Change-Id: I03e95d120266ccef2111f9bff4c97cef30deb7d3 Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66667 Reviewed-by: Bob Beck <bbe@google.com> Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go index 656a8c1..4702df6 100644 --- a/ssl/test/runner/cipher_suites.go +++ b/ssl/test/runner/cipher_suites.go
@@ -28,8 +28,8 @@ // In the case that the key agreement protocol doesn't use a // ServerKeyExchange message, generateServerKeyExchange can return nil, // nil. - generateServerKeyExchange(*Config, *CertificateChain, *clientHelloMsg, *serverHelloMsg, uint16) (*serverKeyExchangeMsg, error) - processClientKeyExchange(*Config, *CertificateChain, *clientKeyExchangeMsg, uint16) ([]byte, error) + generateServerKeyExchange(*Config, *Credential, *clientHelloMsg, *serverHelloMsg, uint16) (*serverKeyExchangeMsg, error) + processClientKeyExchange(*Config, *Credential, *clientKeyExchangeMsg, uint16) ([]byte, error) // On the client side, the next two methods are called in order.
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go index 69d8a69..873a4c7 100644 --- a/ssl/test/runner/common.go +++ b/ssl/test/runner/common.go
@@ -441,9 +441,9 @@ // If Time is nil, TLS uses time.Now. Time func() time.Time - // Chain contains the certificate chain to present to the other side of + // Credential contains the credential to present to the other side of // the connection. Server configurations must include this field. - Chain *CertificateChain + Credential *Credential // RootCAs defines the set of root certificate authorities // that clients use when verifying server certificates. @@ -1842,7 +1842,7 @@ // RenegotiationCertificate, if not nil, is the certificate to use on // renegotiation handshakes. - RenegotiationCertificate *CertificateChain + RenegotiationCertificate *Credential // ExpectNoCertificateAuthoritiesExtension, if true, causes the client to // reject CertificateRequest with the CertificateAuthorities extension. @@ -2139,8 +2139,10 @@ return supportedSignatureAlgorithms } -// A CertificateChain is a chain of one or more certificates, leaf first. -type CertificateChain struct { +// A Credential is a certificate chain and private key that a TLS endpoint may +// use to authenticate. +type Credential struct { + // Certificate is a chain of one or more certificates, leaf first. Certificate [][]byte PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey // OCSPStaple contains an optional OCSP response which will be served @@ -2384,10 +2386,10 @@ var tmpDir string -func generateSingleCertChain(template *x509.Certificate, key crypto.Signer, ocspStaple, sctList []byte) CertificateChain { +func generateSingleCertChain(template *x509.Certificate, key crypto.Signer, ocspStaple, sctList []byte) Credential { cert := generateTestCert(template, nil, key, ocspStaple, sctList) tmpCertPath, tmpKeyPath := writeTempCertFile([]*x509.Certificate{cert}), writeTempKeyFile(key) - return CertificateChain{ + return Credential{ Certificate: [][]byte{cert.Raw}, PrivateKey: key, OCSPStaple: ocspStaple,
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go index 94e1db3..c23223b 100644 --- a/ssl/test/runner/handshake_client.go +++ b/ssl/test/runner/handshake_client.go
@@ -1184,7 +1184,7 @@ return err } - var chainToSend *CertificateChain + var credential *Credential var certReq *certificateRequestMsg if c.didResume { // Copy over authentication from the session. @@ -1214,7 +1214,7 @@ hs.writeServerHash(certReq.marshal()) - chainToSend = c.config.Chain + credential = c.config.Credential msg, err = c.readHandshake() if err != nil { return err @@ -1435,8 +1435,8 @@ hasRequestContext: true, requestContext: certReq.requestContext, } - if chainToSend != nil { - for _, certData := range chainToSend.Certificate { + if credential != nil { + for _, certData := range credential.Certificate { certMsg.certificates = append(certMsg.certificates, certificateEntry{ data: certData, extraExtension: c.config.Bugs.SendExtensionOnCertificate, @@ -1446,13 +1446,13 @@ hs.writeClientHash(certMsg.marshal()) c.writeRecord(recordTypeHandshake, certMsg.marshal()) - if chainToSend != nil { + if credential != nil { certVerify := &certificateVerifyMsg{ hasSignatureAlgorithm: true, } // Determine the hash to sign. - privKey := chainToSend.PrivateKey + privKey := credential.PrivateKey var err error certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms) @@ -1692,7 +1692,7 @@ } } - var chainToSend *CertificateChain + var credential *Credential var certRequested bool certReq, ok := msg.(*certificateRequestMsg) if ok { @@ -1703,7 +1703,7 @@ hs.writeServerHash(certReq.marshal()) - chainToSend = c.config.Chain + credential = c.config.Credential msg, err = c.readHandshake() if err != nil { return err @@ -1722,8 +1722,8 @@ // a certificate to send. if certRequested && !c.config.Bugs.SkipClientCertificate { certMsg := new(certificateMsg) - if chainToSend != nil { - for _, certData := range chainToSend.Certificate { + if credential != nil { + for _, certData := range credential.Certificate { certMsg.certificates = append(certMsg.certificates, certificateEntry{ data: certData, }) @@ -1760,13 +1760,13 @@ hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random) } - if chainToSend != nil { + if credential != nil { certVerify := &certificateVerifyMsg{ hasSignatureAlgorithm: c.vers >= VersionTLS12, } // Determine the hash to sign. - privKey := c.config.Chain.PrivateKey + privKey := c.config.Credential.PrivateKey if certVerify.hasSignatureAlgorithm { certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go index d3f6392..64c982d 100644 --- a/ssl/test/runner/handshake_server.go +++ b/ssl/test/runner/handshake_server.go
@@ -36,7 +36,7 @@ finishedHash finishedHash masterSecret []byte certsFromClient [][]byte - cert *CertificateChain + cert *Credential finishedBytes []byte echHPKEContext *hpke.Context echConfigID uint8 @@ -1587,11 +1587,11 @@ if len(hs.clientHello.serverName) > 0 { c.serverName = hs.clientHello.serverName } - if config.Chain == nil { + if config.Credential == nil { c.sendAlert(alertInternalError) return errors.New("tls: no certificates configured") } - hs.cert = config.Chain + hs.cert = config.Credential if expected := c.config.Bugs.ExpectServerName; expected != "" && expected != hs.clientHello.serverName { return fmt.Errorf("tls: unexpected server name: wanted %q, got %q", expected, hs.clientHello.serverName) }
diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go index e513852..c3aee9a 100644 --- a/ssl/test/runner/key_agreement.go +++ b/ssl/test/runner/key_agreement.go
@@ -39,7 +39,7 @@ exportKey *rsa.PrivateKey } -func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { +func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { // Save the client version for comparison later. ka.clientVersion = clientHello.vers @@ -96,7 +96,7 @@ return skx, nil } -func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { +func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { preMasterSecret := make([]byte, 48) _, err := io.ReadFull(config.rand(), preMasterSecret[2:]) if err != nil { @@ -453,7 +453,7 @@ // keyAgreementAuthentication is a helper interface that specifies how // to authenticate the ServerKeyExchange parameters. type keyAgreementAuthentication interface { - signParameters(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) + signParameters(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, params []byte, sig []byte) error } @@ -461,7 +461,7 @@ // agreement parameters. type nilKeyAgreementAuthentication struct{} -func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) { +func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) { skx := new(serverKeyExchangeMsg) skx.key = params return skx, nil @@ -479,7 +479,7 @@ peerSignatureAlgorithm signatureAlgorithm } -func (ka *signedKeyAgreement) signParameters(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) { +func (ka *signedKeyAgreement) signParameters(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) { // The message to be signed is prepended by the randoms. var msg []byte msg = append(msg, clientHello.random...) @@ -585,7 +585,7 @@ peerKey []byte } -func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { +func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { var curveid CurveID preferredCurves := config.curvePreferences() @@ -636,7 +636,7 @@ return ka.auth.signParameters(config, cert, clientHello, hello, serverECDHParams) } -func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { +func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 { return nil, errClientKeyExchange } @@ -703,11 +703,11 @@ // exchange. type nilKeyAgreement struct{} -func (ka *nilKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { +func (ka *nilKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { return nil, nil } -func (ka *nilKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { +func (ka *nilKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { if len(ckx.ciphertext) != 0 { return nil, errClientKeyExchange } @@ -755,7 +755,7 @@ identityHint string } -func (ka *pskKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { +func (ka *pskKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) { // Assemble the identity hint. bytes := make([]byte, 2+len(config.PreSharedKeyIdentity)) bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8) @@ -782,7 +782,7 @@ return skx, nil } -func (ka *pskKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { +func (ka *pskKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) { // First, process the PSK identity. if len(ckx.ciphertext) < 2 { return nil, errClientKeyExchange
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go index 0aa0d21..5f1cc75 100644 --- a/ssl/test/runner/runner.go +++ b/ssl/test/runner/runner.go
@@ -208,21 +208,21 @@ var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...) var ( - rsaCertificate CertificateChain - rsaChainCertificate CertificateChain - rsa1024Certificate CertificateChain - ecdsaP224Certificate CertificateChain - ecdsaP256Certificate CertificateChain - ecdsaP384Certificate CertificateChain - ecdsaP521Certificate CertificateChain - ed25519Certificate CertificateChain - garbageCertificate CertificateChain + rsaCertificate Credential + rsaChainCertificate Credential + rsa1024Certificate Credential + ecdsaP224Certificate Credential + ecdsaP256Certificate Credential + ecdsaP384Certificate Credential + ecdsaP521Certificate Credential + ed25519Certificate Credential + garbageCertificate Credential ) func initCertificates() { for _, def := range []struct { key crypto.Signer - out *CertificateChain + out *Credential }{ {&rsa1024Key, &rsa1024Certificate}, {&rsa2048Key, &rsaCertificate}, @@ -256,7 +256,7 @@ keyPath := writeTempKeyFile(&rsa2048Key) rootCertPath, chainPath := writeTempCertFile([]*x509.Certificate{rootCert}), writeTempCertFile([]*x509.Certificate{leafCert, intermediateCert}) - rsaChainCertificate = CertificateChain{ + rsaChainCertificate = Credential{ Certificate: [][]byte{leafCert.Raw, intermediateCert.Raw}, PrivateKey: &rsa2048Key, OCSPStaple: testOCSPResponse, @@ -500,7 +500,7 @@ curveID CurveID // peerCertificate, if not nil, is the certificate chain the peer is // expected to send. - peerCertificate *CertificateChain + peerCertificate *Credential // quicTransportParams contains the QUIC transport parameters that are to be // sent by the peer using codepoint 57. quicTransportParams []byte @@ -662,7 +662,7 @@ skipVersionNameCheck bool // shimCertificate, if populated, is the certificate/chain which should be sent // by the server/client (this populates the -cert-file and -key-file flags). - shimCertificate *CertificateChain + shimCertificate *Credential } var testCases []testCase @@ -1330,8 +1330,8 @@ if test.resumeConfig != nil { resumeConfig = *test.resumeConfig resumeConfig.Rand = config.Rand - if resumeConfig.Chain == nil { - resumeConfig.Chain = config.Chain + if resumeConfig.Credential == nil { + resumeConfig.Credential = config.Credential } } else { resumeConfig = config @@ -1580,11 +1580,11 @@ flags = append(flags, "-write-settings", transcriptPrefix) } - if test.testType == clientTest && test.config.Chain == nil { - test.config.Chain = &rsaCertificate + if test.testType == clientTest && test.config.Credential == nil { + test.config.Credential = &rsaCertificate } - if test.config.Chain != nil { - flags = append(flags, "-trust-cert", test.config.Chain.RootPath) + if test.config.Credential != nil { + flags = append(flags, "-trust-cert", test.config.Credential.RootPath) } flags = append(flags, test.flags...) @@ -2056,7 +2056,7 @@ name: "ServerSkipCertificateVerify", config: Config{ MaxVersion: VersionTLS12, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ SkipCertificateVerify: true, }, @@ -3554,14 +3554,14 @@ testCases = append(testCases, testCase{ name: "LargeMessage", config: Config{ - Chain: &cert, + Credential: &cert, }, }) testCases = append(testCases, testCase{ protocol: dtls, name: "LargeMessage-DTLS", config: Config{ - Chain: &cert, + Credential: &cert, }, }) @@ -3569,7 +3569,7 @@ testCases = append(testCases, testCase{ name: "LargeMessage-Reject", config: Config{ - Chain: &cert, + Credential: &cert, }, flags: []string{"-max-cert-list", "16384"}, shouldFail: true, @@ -3579,7 +3579,7 @@ protocol: dtls, name: "LargeMessage-Reject-DTLS", config: Config{ - Chain: &cert, + Credential: &cert, }, flags: []string{"-max-cert-list", "16384"}, shouldFail: true, @@ -3627,7 +3627,7 @@ } prefix := protocol.String() + "-" - var cert CertificateChain + var cert Credential if hasComponent(suite.name, "ECDSA") { cert = ecdsaP256Certificate } else { @@ -3680,7 +3680,7 @@ MinVersion: ver.version, MaxVersion: ver.version, CipherSuites: []uint16{suite.id}, - Chain: &cert, + Credential: &cert, PreSharedKey: []byte(psk), PreSharedKeyIdentity: pskIdentity, Bugs: ProtocolBugs{ @@ -3703,7 +3703,7 @@ MinVersion: ver.version, MaxVersion: ver.version, CipherSuites: serverCipherSuites, - Chain: &cert, + Credential: &cert, PreSharedKey: []byte(psk), PreSharedKeyIdentity: pskIdentity, Bugs: ProtocolBugs{ @@ -3730,7 +3730,7 @@ MinVersion: ver.version, MaxVersion: ver.version, CipherSuites: []uint16{suite.id}, - Chain: &cert, + Credential: &cert, PreSharedKey: []byte(psk), PreSharedKeyIdentity: pskIdentity, }, @@ -3757,7 +3757,7 @@ MinVersion: ver.version, MaxVersion: ver.version, CipherSuites: []uint16{suite.id}, - Chain: &cert, + Credential: &cert, PreSharedKey: []byte(psk), PreSharedKeyIdentity: pskIdentity, }, @@ -3897,7 +3897,7 @@ config: Config{ MaxVersion: VersionTLS12, CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256}, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, }, @@ -3910,7 +3910,7 @@ config: Config{ MaxVersion: VersionTLS12, CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, Bugs: ProtocolBugs{ SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }, @@ -3923,7 +3923,7 @@ config: Config{ MaxVersion: VersionTLS12, CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, - Chain: &ed25519Certificate, + Credential: &ed25519Certificate, Bugs: ProtocolBugs{ SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, }, @@ -4089,7 +4089,7 @@ config: Config{ MaxVersion: VersionTLS12, CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, Bugs: ProtocolBugs{ BadECDSAR: badR, BadECDSAS: badS, @@ -4102,7 +4102,7 @@ name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS), config: Config{ MaxVersion: VersionTLS13, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, Bugs: ProtocolBugs{ BadECDSAR: badR, BadECDSAS: badS, @@ -4213,7 +4213,7 @@ func addClientAuthTests() { // Add a dummy cert pool to stress certificate authority parsing. certPool := x509.NewCertPool() - for _, cert := range []CertificateChain{rsaCertificate, rsa1024Certificate} { + for _, cert := range []Credential{rsaCertificate, rsa1024Certificate} { cert, err := x509.ParseCertificate(cert.Certificate[0]) if err != nil { panic(err) @@ -4240,7 +4240,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{"-require-any-client-certificate"}, }) @@ -4250,7 +4250,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, }, flags: []string{"-require-any-client-certificate"}, }) @@ -4382,7 +4382,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ ExpectCertificateReqNames: caNames, }, @@ -4399,7 +4399,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, ClientAuth: RequireAnyClientCert, ClientCAs: certPool, }, @@ -4451,7 +4451,7 @@ name: "Null-Client-CA-List", config: Config{ MaxVersion: VersionTLS12, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ ExpectCertificateReqNames: [][]byte{}, }, @@ -4468,7 +4468,7 @@ name: "TLS13-Empty-Client-CA-List", config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ ExpectNoCertificateAuthoritiesExtension: true, }, @@ -5066,7 +5066,7 @@ name: "ClientAuth-Server", config: Config{ MaxVersion: VersionTLS12, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{"-require-any-client-certificate"}, }) @@ -5076,7 +5076,7 @@ name: "ClientAuth-Server-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{"-require-any-client-certificate"}, }) @@ -5202,7 +5202,7 @@ name: "ClientOCSPCallback-Pass-" + vers.name, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{ "-enable-ocsp-stapling", @@ -5220,7 +5220,7 @@ name: "ClientOCSPCallback-Fail-" + vers.name, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{ "-enable-ocsp-stapling", @@ -5240,7 +5240,7 @@ name: "ClientOCSPCallback-FailNoStaple-" + vers.name, config: Config{ MaxVersion: vers.version, - Chain: &certNoStaple, + Credential: &certNoStaple, }, flags: []string{ "-enable-ocsp-stapling", @@ -5350,7 +5350,7 @@ name: "CertificateVerificationSucceed" + suffix, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: append([]string{"-expect-verify-result"}, flags...), resumeSession: true, @@ -5360,7 +5360,7 @@ name: "CertificateVerificationFail" + suffix, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: append([]string{"-verify-fail"}, flags...), shouldFail: true, @@ -5373,7 +5373,7 @@ name: "CertificateVerificationDoesNotFailOnResume" + suffix, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: append([]string{"-on-resume-verify-fail"}, flags...), resumeSession: true, @@ -5384,7 +5384,7 @@ name: "CertificateVerificationFailsOnResume" + suffix, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: append([]string{ "-on-resume-verify-fail", @@ -5400,7 +5400,7 @@ name: "CertificateVerificationPassesOnResume" + suffix, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: append([]string{ "-reverify-on-resume", @@ -5531,7 +5531,7 @@ name: "CertificateVerificationSoftFail-" + vers.name, config: Config{ MaxVersion: vers.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{ "-verify-fail", @@ -8391,7 +8391,7 @@ testType: clientTest, config: Config{ MaxVersion: ver.version, - Chain: &emptySCTListCert, + Credential: &emptySCTListCert, }, flags: []string{ "-enable-signed-cert-timestamps", @@ -8410,7 +8410,7 @@ testType: clientTest, config: Config{ MaxVersion: ver.version, - Chain: &emptySCTCert, + Credential: &emptySCTCert, }, flags: []string{ "-enable-signed-cert-timestamps", @@ -8643,7 +8643,7 @@ testType: serverTest, config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ SendExtensionOnCertificate: testOCSPExtension, }, @@ -8673,7 +8673,7 @@ name: "IgnoreExtensionsOnIntermediates-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaChainCertificate, + Credential: &rsaChainCertificate, Bugs: ProtocolBugs{ // Send different values on the intermediate. This tests // the intermediate's extensions do not override the @@ -9735,7 +9735,7 @@ name: "Renegotiation-CertificateChange", config: Config{ MaxVersion: VersionTLS12, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ RenegotiationCertificate: &rsaChainCertificate, }, @@ -9749,7 +9749,7 @@ name: "Renegotiation-CertificateChange-2", config: Config{ MaxVersion: VersionTLS12, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ RenegotiationCertificate: &rsa1024Certificate, }, @@ -9858,7 +9858,7 @@ var testSignatureAlgorithms = []struct { name string id signatureAlgorithm - cert *CertificateChain + cert *Credential // If non-zero, the curve that must be supported in TLS 1.2 for cert to be // accepted. curve CurveID @@ -10023,7 +10023,7 @@ name: prefix + "Verify" + suffix, config: Config{ MaxVersion: ver.version, - Chain: alg.cert, + Credential: alg.cert, SignSignatureAlgorithms: []signatureAlgorithm{ alg.id, }, @@ -10054,7 +10054,7 @@ name: prefix + "VerifyDefault" + suffix, config: Config{ MaxVersion: ver.version, - Chain: alg.cert, + Credential: alg.cert, SignSignatureAlgorithms: []signatureAlgorithm{ alg.id, }, @@ -10083,7 +10083,7 @@ name: prefix + "InvalidSignature" + suffix, config: Config{ MaxVersion: ver.version, - Chain: alg.cert, + Credential: alg.cert, SignSignatureAlgorithms: []signatureAlgorithm{ alg.id, }, @@ -10240,7 +10240,7 @@ name: "Verify-ClientAuth-SignatureType", config: Config{ MaxVersion: VersionTLS12, - Chain: &rsaCertificate, + Credential: &rsaCertificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureRSAPKCS1WithSHA256, }, @@ -10260,7 +10260,7 @@ name: "Verify-ClientAuth-SignatureType-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureRSAPSSWithSHA256, }, @@ -10417,7 +10417,7 @@ name: "ClientAuth-Enforced", config: Config{ MaxVersion: VersionTLS12, - Chain: &rsaCertificate, + Credential: &rsaCertificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureRSAPKCS1WithMD5, }, @@ -10450,7 +10450,7 @@ name: "ClientAuth-Enforced-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureRSAPKCS1WithMD5, }, @@ -10600,7 +10600,7 @@ config: Config{ MaxVersion: VersionTLS12, CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, }, flags: []string{"-curves", strconv.Itoa(int(CurveP384))}, shouldFail: true, @@ -10612,7 +10612,7 @@ name: "CheckLeafCurve-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, }, flags: []string{"-curves", strconv.Itoa(int(CurveP384))}, }) @@ -10623,7 +10623,7 @@ config: Config{ MaxVersion: VersionTLS12, CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureECDSAWithP384AndSHA384, }, @@ -10635,7 +10635,7 @@ name: "ECDSACurveMismatch-Verify-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureECDSAWithP384AndSHA384, }, @@ -10713,7 +10713,7 @@ name: "NoEd25519-TLS11-ServerAuth-Verify", config: Config{ MaxVersion: VersionTLS11, - Chain: &ed25519Certificate, + Credential: &ed25519Certificate, Bugs: ProtocolBugs{ // Sign with Ed25519 even though it is TLS 1.1. SigningAlgorithmForLegacyVersions: signatureEd25519, @@ -10738,7 +10738,7 @@ name: "NoEd25519-TLS11-ClientAuth-Verify", config: Config{ MaxVersion: VersionTLS11, - Chain: &ed25519Certificate, + Credential: &ed25519Certificate, Bugs: ProtocolBugs{ // Sign with Ed25519 even though it is TLS 1.1. SigningAlgorithmForLegacyVersions: signatureEd25519, @@ -10768,7 +10768,7 @@ testType: clientTest, name: "Ed25519DefaultDisable-NoAdvertise", config: Config{ - Chain: &ed25519Certificate, + Credential: &ed25519Certificate, }, shouldFail: true, expectedLocalError: "tls: no common signature algorithms", @@ -10780,7 +10780,7 @@ testType: clientTest, name: "Ed25519DefaultDisable-NoAccept", config: Config{ - Chain: &ed25519Certificate, + Credential: &ed25519Certificate, Bugs: ProtocolBugs{ IgnorePeerSignatureAlgorithmPreferences: true, }, @@ -10795,7 +10795,7 @@ testCases = append(testCases, testCase{ name: "VerifyPreferences-Advertised", config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureRSAPSSWithSHA256, signatureRSAPSSWithSHA384, @@ -10813,7 +10813,7 @@ testCases = append(testCases, testCase{ name: "VerifyPreferences-NoCommonAlgorithms", config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureRSAPSSWithSHA256, signatureRSAPSSWithSHA512, @@ -10830,7 +10830,7 @@ testCases = append(testCases, testCase{ name: "VerifyPreferences-Enforced", config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, SignSignatureAlgorithms: []signatureAlgorithm{ signatureRSAPSSWithSHA256, signatureRSAPSSWithSHA512, @@ -10852,7 +10852,7 @@ testCases = append(testCases, testCase{ name: "VerifyPreferences-Ed25519", config: Config{ - Chain: &ed25519Certificate, + Credential: &ed25519Certificate, }, flags: []string{ "-verify-prefs", strconv.Itoa(int(signatureEd25519)), @@ -10905,7 +10905,7 @@ name: prefix + "NoVerify-RSA_PKCS1_MD5_SHA1", config: Config{ MaxVersion: ver.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, Bugs: ProtocolBugs{ IgnorePeerSignatureAlgorithmPreferences: true, AlwaysSignAsLegacyVersion: true, @@ -13082,7 +13082,7 @@ protocol: protocol, name: "ClientCertificate" + suffix, config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, MaxVersion: VersionTLS12, }, flags: []string{"-require-any-client-certificate"}, @@ -13096,7 +13096,7 @@ protocol: protocol, name: "CertificateVerify" + suffix, config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, MaxVersion: VersionTLS12, }, flags: []string{"-require-any-client-certificate"}, @@ -13272,7 +13272,7 @@ protocol: protocol, name: "TLS13-ClientCertificate" + suffix, config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, MaxVersion: VersionTLS13, }, flags: []string{"-require-any-client-certificate"}, @@ -13286,7 +13286,7 @@ protocol: protocol, name: "TLS13-ClientCertificateVerify" + suffix, config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, MaxVersion: VersionTLS13, }, flags: []string{"-require-any-client-certificate"}, @@ -14284,11 +14284,11 @@ name: "EarlyData-RejectTicket-Client-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, resumeConfig: &Config{ MaxVersion: VersionTLS13, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, SessionTicketsDisabled: true, }, resumeSession: true, @@ -14379,11 +14379,11 @@ name: "EarlyData-HRR-RejectTicket-Client-TLS13", config: Config{ MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, resumeConfig: &Config{ MaxVersion: VersionTLS13, - Chain: &ecdsaP256Certificate, + Credential: &ecdsaP256Certificate, SessionTicketsDisabled: true, Bugs: ProtocolBugs{ SendHelloRetryRequestCookie: []byte{1, 2, 3, 4}, @@ -15035,7 +15035,7 @@ config: Config{ MinVersion: VersionTLS13, MaxVersion: VersionTLS13, - Chain: &rsaChainCertificate, + Credential: &rsaChainCertificate, Bugs: ProtocolBugs{ SkipCertificateVerify: true, }, @@ -15057,7 +15057,7 @@ config: Config{ MinVersion: VersionTLS13, MaxVersion: VersionTLS13, - Chain: &rsaChainCertificate, + Credential: &rsaChainCertificate, Bugs: ProtocolBugs{ SkipCertificateVerify: true, }, @@ -15423,7 +15423,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaChainCertificate, + Credential: &rsaChainCertificate, ClientAuth: RequireAnyClientCert, }, expectations: connectionExpectations{ @@ -15441,7 +15441,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaChainCertificate, + Credential: &rsaChainCertificate, }, expectations: connectionExpectations{ peerCertificate: &rsaChainCertificate, @@ -15460,7 +15460,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &garbageCertificate, + Credential: &garbageCertificate, }, shouldFail: true, expectedError: ":CANNOT_PARSE_LEAF_CERT:", @@ -15473,7 +15473,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &garbageCertificate, + Credential: &garbageCertificate, }, flags: []string{"-require-any-client-certificate"}, shouldFail: true, @@ -15510,7 +15510,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{ "-verify-peer", @@ -15531,7 +15531,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{ "-verify-peer", @@ -15551,7 +15551,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{ "-verify-peer", @@ -15599,7 +15599,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &cert, + Credential: &cert, }, shouldFail: true, expectedError: ":KEY_USAGE_BIT_INCORRECT:", @@ -15611,7 +15611,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &cert, + Credential: &cert, }, flags: []string{"-require-any-client-certificate"}, shouldFail: true, @@ -15674,7 +15674,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &encCert, + Credential: &encCert, CipherSuites: dsSuites, }, shouldFail: true, @@ -15687,7 +15687,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &dsCert, + Credential: &dsCert, CipherSuites: dsSuites, }, }) @@ -15700,7 +15700,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &encCert, + Credential: &encCert, CipherSuites: encSuites, }, }) @@ -15711,7 +15711,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &dsCert, + Credential: &dsCert, CipherSuites: encSuites, }, shouldFail: true, @@ -15725,7 +15725,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &dsCert, + Credential: &dsCert, CipherSuites: encSuites, }, flags: []string{"-expect-key-usage-invalid", "-ignore-rsa-key-usage"}, @@ -15737,7 +15737,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &encCert, + Credential: &encCert, CipherSuites: dsSuites, }, flags: []string{"-expect-key-usage-invalid", "-ignore-rsa-key-usage"}, @@ -15752,7 +15752,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &encCert, + Credential: &encCert, CipherSuites: dsSuites, }, flags: []string{"-ignore-rsa-key-usage"}, @@ -15768,7 +15768,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &encCert, + Credential: &encCert, }, shouldFail: true, expectedError: ":KEY_USAGE_BIT_INCORRECT:", @@ -15781,7 +15781,7 @@ config: Config{ MinVersion: ver.version, MaxVersion: ver.version, - Chain: &dsCert, + Credential: &dsCert, }, flags: []string{"-require-any-client-certificate"}, }) @@ -17367,7 +17367,7 @@ protocol: protocol, name: prefix + "ECH-Server-ClientAuth", config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, ClientECHConfig: echConfig.ECHConfig, }, flags: []string{ @@ -17386,7 +17386,7 @@ protocol: protocol, name: prefix + "ECH-Server-Decline-ClientAuth", config: Config{ - Chain: &rsaCertificate, + Credential: &rsaCertificate, ClientECHConfig: echConfig.ECHConfig, Bugs: ProtocolBugs{ ExpectECHRetryConfigs: CreateECHConfigList(echConfig1.ECHConfig.Raw), @@ -19078,7 +19078,7 @@ config: Config{ MinVersion: VersionTLS13, MaxVersion: VersionTLS13, - Chain: &rsaCertificate, + Credential: &rsaCertificate, }, flags: []string{ "-allow-hint-mismatch", @@ -19290,7 +19290,7 @@ isWPACipherSuite = true } - var cert CertificateChain + var cert Credential if hasComponent(suite.name, "ECDSA") { cert = ecdsaP384Certificate } else { @@ -19338,7 +19338,7 @@ MinVersion: VersionTLS12, MaxVersion: maxVersion, CipherSuites: []uint16{suite.id}, - Chain: &cert, + Credential: &cert, }, flags: []string{ policy.flag, @@ -19491,7 +19491,7 @@ MinVersion: VersionTLS12, MaxVersion: maxVersion, SignSignatureAlgorithms: []signatureAlgorithm{sigalg.id}, - Chain: sigalg.cert, + Credential: sigalg.cert, }, flags: []string{ policy.flag,
diff --git a/ssl/test/runner/tls.go b/ssl/test/runner/tls.go index d283e77..b2b35a3 100644 --- a/ssl/test/runner/tls.go +++ b/ssl/test/runner/tls.go
@@ -73,7 +73,7 @@ // The configuration config must be non-nil and must have // at least one certificate. func Listen(network, laddr string, config *Config) (net.Listener, error) { - if config == nil || config.Chain == nil { + if config == nil || config.Credential == nil { return nil, errors.New("tls.Listen: no certificates in configuration") } l, err := net.Listen(network, laddr) @@ -173,7 +173,7 @@ // LoadX509KeyPair reads and parses a public/private key pair from a pair of // files. The files must contain PEM encoded data. -func LoadX509KeyPair(certFile, keyFile string) (cert CertificateChain, err error) { +func LoadX509KeyPair(certFile, keyFile string) (cert Credential, err error) { certPEMBlock, err := os.ReadFile(certFile) if err != nil { return @@ -187,7 +187,7 @@ // X509KeyPair parses a public/private key pair from a pair of // PEM encoded data. -func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert CertificateChain, err error) { +func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Credential, err error) { var certDERBlock *pem.Block for { certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)