runner: Rename CertificateChain to Credential
After https://boringssl-review.googlesource.com/c/boringssl/+/62565 just
renamed it. :-)
This is in preparation for the type being used to test the
SSL_CREDENTIAL machinery. Since we'll be using this to specify a
credential on the shim, let's just make the name match.
Bug: 249
Change-Id: I03e95d120266ccef2111f9bff4c97cef30deb7d3
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66667
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/ssl/test/runner/cipher_suites.go b/ssl/test/runner/cipher_suites.go
index 656a8c1..4702df6 100644
--- a/ssl/test/runner/cipher_suites.go
+++ b/ssl/test/runner/cipher_suites.go
@@ -28,8 +28,8 @@
// In the case that the key agreement protocol doesn't use a
// ServerKeyExchange message, generateServerKeyExchange can return nil,
// nil.
- generateServerKeyExchange(*Config, *CertificateChain, *clientHelloMsg, *serverHelloMsg, uint16) (*serverKeyExchangeMsg, error)
- processClientKeyExchange(*Config, *CertificateChain, *clientKeyExchangeMsg, uint16) ([]byte, error)
+ generateServerKeyExchange(*Config, *Credential, *clientHelloMsg, *serverHelloMsg, uint16) (*serverKeyExchangeMsg, error)
+ processClientKeyExchange(*Config, *Credential, *clientKeyExchangeMsg, uint16) ([]byte, error)
// On the client side, the next two methods are called in order.
diff --git a/ssl/test/runner/common.go b/ssl/test/runner/common.go
index 69d8a69..873a4c7 100644
--- a/ssl/test/runner/common.go
+++ b/ssl/test/runner/common.go
@@ -441,9 +441,9 @@
// If Time is nil, TLS uses time.Now.
Time func() time.Time
- // Chain contains the certificate chain to present to the other side of
+ // Credential contains the credential to present to the other side of
// the connection. Server configurations must include this field.
- Chain *CertificateChain
+ Credential *Credential
// RootCAs defines the set of root certificate authorities
// that clients use when verifying server certificates.
@@ -1842,7 +1842,7 @@
// RenegotiationCertificate, if not nil, is the certificate to use on
// renegotiation handshakes.
- RenegotiationCertificate *CertificateChain
+ RenegotiationCertificate *Credential
// ExpectNoCertificateAuthoritiesExtension, if true, causes the client to
// reject CertificateRequest with the CertificateAuthorities extension.
@@ -2139,8 +2139,10 @@
return supportedSignatureAlgorithms
}
-// A CertificateChain is a chain of one or more certificates, leaf first.
-type CertificateChain struct {
+// A Credential is a certificate chain and private key that a TLS endpoint may
+// use to authenticate.
+type Credential struct {
+ // Certificate is a chain of one or more certificates, leaf first.
Certificate [][]byte
PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey
// OCSPStaple contains an optional OCSP response which will be served
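Review bot: The comment on `PrivateKey` still lists only `*rsa.PrivateKey` and `*ecdsa.PrivateKey` as supported types, while this same commit declares `ed25519Certificate Credential` in runner.go, so the list looks stale; presumably that variable holds an `ed25519.PrivateKey`, which is not visible in this hunk. If so, the line should read `PrivateKey crypto.PrivateKey // supported types: *rsa.PrivateKey, *ecdsa.PrivateKey, ed25519.PrivateKey`. The new type comment could also say that a nil `Credential` on a server Config is rejected at handshake time (the check in handshake_server.go in this commit). The struct definition continues past the end of the hunk.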
@@ -2384,10 +2386,10 @@
var tmpDir string
-func generateSingleCertChain(template *x509.Certificate, key crypto.Signer, ocspStaple, sctList []byte) CertificateChain {
+func generateSingleCertChain(template *x509.Certificate, key crypto.Signer, ocspStaple, sctList []byte) Credential {
cert := generateTestCert(template, nil, key, ocspStaple, sctList)
tmpCertPath, tmpKeyPath := writeTempCertFile([]*x509.Certificate{cert}), writeTempKeyFile(key)
- return CertificateChain{
+ return Credential{
Certificate: [][]byte{cert.Raw},
PrivateKey: key,
OCSPStaple: ocspStaple,
diff --git a/ssl/test/runner/handshake_client.go b/ssl/test/runner/handshake_client.go
index 94e1db3..c23223b 100644
--- a/ssl/test/runner/handshake_client.go
+++ b/ssl/test/runner/handshake_client.go
@@ -1184,7 +1184,7 @@
return err
}
- var chainToSend *CertificateChain
+ var credential *Credential
var certReq *certificateRequestMsg
if c.didResume {
// Copy over authentication from the session.
@@ -1214,7 +1214,7 @@
hs.writeServerHash(certReq.marshal())
- chainToSend = c.config.Chain
+ credential = c.config.Credential
msg, err = c.readHandshake()
if err != nil {
return err
@@ -1435,8 +1435,8 @@
hasRequestContext: true,
requestContext: certReq.requestContext,
}
- if chainToSend != nil {
- for _, certData := range chainToSend.Certificate {
+ if credential != nil {
+ for _, certData := range credential.Certificate {
certMsg.certificates = append(certMsg.certificates, certificateEntry{
data: certData,
extraExtension: c.config.Bugs.SendExtensionOnCertificate,
@@ -1446,13 +1446,13 @@
hs.writeClientHash(certMsg.marshal())
c.writeRecord(recordTypeHandshake, certMsg.marshal())
- if chainToSend != nil {
+ if credential != nil {
certVerify := &certificateVerifyMsg{
hasSignatureAlgorithm: true,
}
// Determine the hash to sign.
- privKey := chainToSend.PrivateKey
+ privKey := credential.PrivateKey
var err error
certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
@@ -1692,7 +1692,7 @@
}
}
- var chainToSend *CertificateChain
+ var credential *Credential
var certRequested bool
certReq, ok := msg.(*certificateRequestMsg)
if ok {
@@ -1703,7 +1703,7 @@
hs.writeServerHash(certReq.marshal())
- chainToSend = c.config.Chain
+ credential = c.config.Credential
msg, err = c.readHandshake()
if err != nil {
return err
@@ -1722,8 +1722,8 @@
// a certificate to send.
if certRequested && !c.config.Bugs.SkipClientCertificate {
certMsg := new(certificateMsg)
- if chainToSend != nil {
- for _, certData := range chainToSend.Certificate {
+ if credential != nil {
+ for _, certData := range credential.Certificate {
certMsg.certificates = append(certMsg.certificates, certificateEntry{
data: certData,
})
@@ -1760,13 +1760,13 @@
hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.hello.random, hs.serverHello.random)
}
- if chainToSend != nil {
+ if credential != nil {
certVerify := &certificateVerifyMsg{
hasSignatureAlgorithm: c.vers >= VersionTLS12,
}
// Determine the hash to sign.
- privKey := c.config.Chain.PrivateKey
+ privKey := c.config.Credential.PrivateKey
if certVerify.hasSignatureAlgorithm {
certVerify.signatureAlgorithm, err = selectSignatureAlgorithm(c.vers, privKey, c.config, certReq.signatureAlgorithms)
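Review bot: The nil guard on this TLS 1.2 CertificateVerify path checks `credential`, but the key is then read from `c.config.Credential.PrivateKey`, whereas the TLS 1.3 path earlier in this file reads `credential.PrivateKey`. Today both refer to the same value (`credential = c.config.Credential`), but the guard and the read should name the same variable so the nil check actually covers the dereference if the two are ever decoupled; change the line to `privKey := credential.PrivateKey`. The enclosing handshake function begins and ends outside this hunk.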
diff --git a/ssl/test/runner/handshake_server.go b/ssl/test/runner/handshake_server.go
index d3f6392..64c982d 100644
--- a/ssl/test/runner/handshake_server.go
+++ b/ssl/test/runner/handshake_server.go
@@ -36,7 +36,7 @@
finishedHash finishedHash
masterSecret []byte
certsFromClient [][]byte
- cert *CertificateChain
+ cert *Credential
finishedBytes []byte
echHPKEContext *hpke.Context
echConfigID uint8
@@ -1587,11 +1587,11 @@
if len(hs.clientHello.serverName) > 0 {
c.serverName = hs.clientHello.serverName
}
- if config.Chain == nil {
+ if config.Credential == nil {
c.sendAlert(alertInternalError)
return errors.New("tls: no certificates configured")
}
- hs.cert = config.Chain
+ hs.cert = config.Credential
if expected := c.config.Bugs.ExpectServerName; expected != "" && expected != hs.clientHello.serverName {
return fmt.Errorf("tls: unexpected server name: wanted %q, got %q", expected, hs.clientHello.serverName)
}
diff --git a/ssl/test/runner/key_agreement.go b/ssl/test/runner/key_agreement.go
index e513852..c3aee9a 100644
--- a/ssl/test/runner/key_agreement.go
+++ b/ssl/test/runner/key_agreement.go
@@ -39,7 +39,7 @@
exportKey *rsa.PrivateKey
}
-func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
+func (ka *rsaKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
// Save the client version for comparison later.
ka.clientVersion = clientHello.vers
@@ -96,7 +96,7 @@
return skx, nil
}
-func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
+func (ka *rsaKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
preMasterSecret := make([]byte, 48)
_, err := io.ReadFull(config.rand(), preMasterSecret[2:])
if err != nil {
@@ -453,7 +453,7 @@
// keyAgreementAuthentication is a helper interface that specifies how
// to authenticate the ServerKeyExchange parameters.
type keyAgreementAuthentication interface {
- signParameters(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error)
+ signParameters(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error)
verifyParameters(config *Config, clientHello *clientHelloMsg, serverHello *serverHelloMsg, key crypto.PublicKey, params []byte, sig []byte) error
}
@@ -461,7 +461,7 @@
// agreement parameters.
type nilKeyAgreementAuthentication struct{}
-func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {
+func (ka *nilKeyAgreementAuthentication) signParameters(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {
skx := new(serverKeyExchangeMsg)
skx.key = params
return skx, nil
@@ -479,7 +479,7 @@
peerSignatureAlgorithm signatureAlgorithm
}
-func (ka *signedKeyAgreement) signParameters(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {
+func (ka *signedKeyAgreement) signParameters(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, params []byte) (*serverKeyExchangeMsg, error) {
// The message to be signed is prepended by the randoms.
var msg []byte
msg = append(msg, clientHello.random...)
@@ -585,7 +585,7 @@
peerKey []byte
}
-func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
+func (ka *ecdheKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
var curveid CurveID
preferredCurves := config.curvePreferences()
@@ -636,7 +636,7 @@
return ka.auth.signParameters(config, cert, clientHello, hello, serverECDHParams)
}
-func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
+func (ka *ecdheKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
if len(ckx.ciphertext) == 0 || int(ckx.ciphertext[0]) != len(ckx.ciphertext)-1 {
return nil, errClientKeyExchange
}
@@ -703,11 +703,11 @@
// exchange.
type nilKeyAgreement struct{}
-func (ka *nilKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
+func (ka *nilKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
return nil, nil
}
-func (ka *nilKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
+func (ka *nilKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
if len(ckx.ciphertext) != 0 {
return nil, errClientKeyExchange
}
@@ -755,7 +755,7 @@
identityHint string
}
-func (ka *pskKeyAgreement) generateServerKeyExchange(config *Config, cert *CertificateChain, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
+func (ka *pskKeyAgreement) generateServerKeyExchange(config *Config, cert *Credential, clientHello *clientHelloMsg, hello *serverHelloMsg, version uint16) (*serverKeyExchangeMsg, error) {
// Assemble the identity hint.
bytes := make([]byte, 2+len(config.PreSharedKeyIdentity))
bytes[0] = byte(len(config.PreSharedKeyIdentity) >> 8)
@@ -782,7 +782,7 @@
return skx, nil
}
-func (ka *pskKeyAgreement) processClientKeyExchange(config *Config, cert *CertificateChain, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
+func (ka *pskKeyAgreement) processClientKeyExchange(config *Config, cert *Credential, ckx *clientKeyExchangeMsg, version uint16) ([]byte, error) {
// First, process the PSK identity.
if len(ckx.ciphertext) < 2 {
return nil, errClientKeyExchange
diff --git a/ssl/test/runner/runner.go b/ssl/test/runner/runner.go
index 0aa0d21..5f1cc75 100644
--- a/ssl/test/runner/runner.go
+++ b/ssl/test/runner/runner.go
@@ -208,21 +208,21 @@
var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
var (
- rsaCertificate CertificateChain
- rsaChainCertificate CertificateChain
- rsa1024Certificate CertificateChain
- ecdsaP224Certificate CertificateChain
- ecdsaP256Certificate CertificateChain
- ecdsaP384Certificate CertificateChain
- ecdsaP521Certificate CertificateChain
- ed25519Certificate CertificateChain
- garbageCertificate CertificateChain
+ rsaCertificate Credential
+ rsaChainCertificate Credential
+ rsa1024Certificate Credential
+ ecdsaP224Certificate Credential
+ ecdsaP256Certificate Credential
+ ecdsaP384Certificate Credential
+ ecdsaP521Certificate Credential
+ ed25519Certificate Credential
+ garbageCertificate Credential
)
func initCertificates() {
for _, def := range []struct {
key crypto.Signer
- out *CertificateChain
+ out *Credential
}{
{&rsa1024Key, &rsa1024Certificate},
{&rsa2048Key, &rsaCertificate},
@@ -256,7 +256,7 @@
keyPath := writeTempKeyFile(&rsa2048Key)
rootCertPath, chainPath := writeTempCertFile([]*x509.Certificate{rootCert}), writeTempCertFile([]*x509.Certificate{leafCert, intermediateCert})
- rsaChainCertificate = CertificateChain{
+ rsaChainCertificate = Credential{
Certificate: [][]byte{leafCert.Raw, intermediateCert.Raw},
PrivateKey: &rsa2048Key,
OCSPStaple: testOCSPResponse,
@@ -500,7 +500,7 @@
curveID CurveID
// peerCertificate, if not nil, is the certificate chain the peer is
// expected to send.
- peerCertificate *CertificateChain
+ peerCertificate *Credential
// quicTransportParams contains the QUIC transport parameters that are to be
// sent by the peer using codepoint 57.
quicTransportParams []byte
@@ -662,7 +662,7 @@
skipVersionNameCheck bool
// shimCertificate, if populated, is the certificate/chain which should be sent
// by the server/client (this populates the -cert-file and -key-file flags).
- shimCertificate *CertificateChain
+ shimCertificate *Credential
}
var testCases []testCase
@@ -1330,8 +1330,8 @@
if test.resumeConfig != nil {
resumeConfig = *test.resumeConfig
resumeConfig.Rand = config.Rand
- if resumeConfig.Chain == nil {
- resumeConfig.Chain = config.Chain
+ if resumeConfig.Credential == nil {
+ resumeConfig.Credential = config.Credential
}
} else {
resumeConfig = config
@@ -1580,11 +1580,11 @@
flags = append(flags, "-write-settings", transcriptPrefix)
}
- if test.testType == clientTest && test.config.Chain == nil {
- test.config.Chain = &rsaCertificate
+ if test.testType == clientTest && test.config.Credential == nil {
+ test.config.Credential = &rsaCertificate
}
- if test.config.Chain != nil {
- flags = append(flags, "-trust-cert", test.config.Chain.RootPath)
+ if test.config.Credential != nil {
+ flags = append(flags, "-trust-cert", test.config.Credential.RootPath)
}
flags = append(flags, test.flags...)
@@ -2056,7 +2056,7 @@
name: "ServerSkipCertificateVerify",
config: Config{
MaxVersion: VersionTLS12,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
SkipCertificateVerify: true,
},
@@ -3554,14 +3554,14 @@
testCases = append(testCases, testCase{
name: "LargeMessage",
config: Config{
- Chain: &cert,
+ Credential: &cert,
},
})
testCases = append(testCases, testCase{
protocol: dtls,
name: "LargeMessage-DTLS",
config: Config{
- Chain: &cert,
+ Credential: &cert,
},
})
@@ -3569,7 +3569,7 @@
testCases = append(testCases, testCase{
name: "LargeMessage-Reject",
config: Config{
- Chain: &cert,
+ Credential: &cert,
},
flags: []string{"-max-cert-list", "16384"},
shouldFail: true,
@@ -3579,7 +3579,7 @@
protocol: dtls,
name: "LargeMessage-Reject-DTLS",
config: Config{
- Chain: &cert,
+ Credential: &cert,
},
flags: []string{"-max-cert-list", "16384"},
shouldFail: true,
@@ -3627,7 +3627,7 @@
}
prefix := protocol.String() + "-"
- var cert CertificateChain
+ var cert Credential
if hasComponent(suite.name, "ECDSA") {
cert = ecdsaP256Certificate
} else {
@@ -3680,7 +3680,7 @@
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
- Chain: &cert,
+ Credential: &cert,
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Bugs: ProtocolBugs{
@@ -3703,7 +3703,7 @@
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: serverCipherSuites,
- Chain: &cert,
+ Credential: &cert,
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
Bugs: ProtocolBugs{
@@ -3730,7 +3730,7 @@
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
- Chain: &cert,
+ Credential: &cert,
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
},
@@ -3757,7 +3757,7 @@
MinVersion: ver.version,
MaxVersion: ver.version,
CipherSuites: []uint16{suite.id},
- Chain: &cert,
+ Credential: &cert,
PreSharedKey: []byte(psk),
PreSharedKeyIdentity: pskIdentity,
},
@@ -3897,7 +3897,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
},
@@ -3910,7 +3910,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
Bugs: ProtocolBugs{
SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
@@ -3923,7 +3923,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
- Chain: &ed25519Certificate,
+ Credential: &ed25519Certificate,
Bugs: ProtocolBugs{
SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
},
@@ -4089,7 +4089,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
Bugs: ProtocolBugs{
BadECDSAR: badR,
BadECDSAS: badS,
@@ -4102,7 +4102,7 @@
name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
config: Config{
MaxVersion: VersionTLS13,
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
Bugs: ProtocolBugs{
BadECDSAR: badR,
BadECDSAS: badS,
@@ -4213,7 +4213,7 @@
func addClientAuthTests() {
// Add a dummy cert pool to stress certificate authority parsing.
certPool := x509.NewCertPool()
- for _, cert := range []CertificateChain{rsaCertificate, rsa1024Certificate} {
+ for _, cert := range []Credential{rsaCertificate, rsa1024Certificate} {
cert, err := x509.ParseCertificate(cert.Certificate[0])
if err != nil {
panic(err)
@@ -4240,7 +4240,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{"-require-any-client-certificate"},
})
@@ -4250,7 +4250,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
},
flags: []string{"-require-any-client-certificate"},
})
@@ -4382,7 +4382,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
ExpectCertificateReqNames: caNames,
},
@@ -4399,7 +4399,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
ClientAuth: RequireAnyClientCert,
ClientCAs: certPool,
},
@@ -4451,7 +4451,7 @@
name: "Null-Client-CA-List",
config: Config{
MaxVersion: VersionTLS12,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
ExpectCertificateReqNames: [][]byte{},
},
@@ -4468,7 +4468,7 @@
name: "TLS13-Empty-Client-CA-List",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
ExpectNoCertificateAuthoritiesExtension: true,
},
@@ -5066,7 +5066,7 @@
name: "ClientAuth-Server",
config: Config{
MaxVersion: VersionTLS12,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{"-require-any-client-certificate"},
})
@@ -5076,7 +5076,7 @@
name: "ClientAuth-Server-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{"-require-any-client-certificate"},
})
@@ -5202,7 +5202,7 @@
name: "ClientOCSPCallback-Pass-" + vers.name,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{
"-enable-ocsp-stapling",
@@ -5220,7 +5220,7 @@
name: "ClientOCSPCallback-Fail-" + vers.name,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{
"-enable-ocsp-stapling",
@@ -5240,7 +5240,7 @@
name: "ClientOCSPCallback-FailNoStaple-" + vers.name,
config: Config{
MaxVersion: vers.version,
- Chain: &certNoStaple,
+ Credential: &certNoStaple,
},
flags: []string{
"-enable-ocsp-stapling",
@@ -5350,7 +5350,7 @@
name: "CertificateVerificationSucceed" + suffix,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: append([]string{"-expect-verify-result"}, flags...),
resumeSession: true,
@@ -5360,7 +5360,7 @@
name: "CertificateVerificationFail" + suffix,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: append([]string{"-verify-fail"}, flags...),
shouldFail: true,
@@ -5373,7 +5373,7 @@
name: "CertificateVerificationDoesNotFailOnResume" + suffix,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: append([]string{"-on-resume-verify-fail"}, flags...),
resumeSession: true,
@@ -5384,7 +5384,7 @@
name: "CertificateVerificationFailsOnResume" + suffix,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: append([]string{
"-on-resume-verify-fail",
@@ -5400,7 +5400,7 @@
name: "CertificateVerificationPassesOnResume" + suffix,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: append([]string{
"-reverify-on-resume",
@@ -5531,7 +5531,7 @@
name: "CertificateVerificationSoftFail-" + vers.name,
config: Config{
MaxVersion: vers.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{
"-verify-fail",
@@ -8391,7 +8391,7 @@
testType: clientTest,
config: Config{
MaxVersion: ver.version,
- Chain: &emptySCTListCert,
+ Credential: &emptySCTListCert,
},
flags: []string{
"-enable-signed-cert-timestamps",
@@ -8410,7 +8410,7 @@
testType: clientTest,
config: Config{
MaxVersion: ver.version,
- Chain: &emptySCTCert,
+ Credential: &emptySCTCert,
},
flags: []string{
"-enable-signed-cert-timestamps",
@@ -8643,7 +8643,7 @@
testType: serverTest,
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
SendExtensionOnCertificate: testOCSPExtension,
},
@@ -8673,7 +8673,7 @@
name: "IgnoreExtensionsOnIntermediates-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaChainCertificate,
+ Credential: &rsaChainCertificate,
Bugs: ProtocolBugs{
// Send different values on the intermediate. This tests
// the intermediate's extensions do not override the
@@ -9735,7 +9735,7 @@
name: "Renegotiation-CertificateChange",
config: Config{
MaxVersion: VersionTLS12,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
RenegotiationCertificate: &rsaChainCertificate,
},
@@ -9749,7 +9749,7 @@
name: "Renegotiation-CertificateChange-2",
config: Config{
MaxVersion: VersionTLS12,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
RenegotiationCertificate: &rsa1024Certificate,
},
@@ -9858,7 +9858,7 @@
var testSignatureAlgorithms = []struct {
name string
id signatureAlgorithm
- cert *CertificateChain
+ cert *Credential
// If non-zero, the curve that must be supported in TLS 1.2 for cert to be
// accepted.
curve CurveID
@@ -10023,7 +10023,7 @@
name: prefix + "Verify" + suffix,
config: Config{
MaxVersion: ver.version,
- Chain: alg.cert,
+ Credential: alg.cert,
SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
@@ -10054,7 +10054,7 @@
name: prefix + "VerifyDefault" + suffix,
config: Config{
MaxVersion: ver.version,
- Chain: alg.cert,
+ Credential: alg.cert,
SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
@@ -10083,7 +10083,7 @@
name: prefix + "InvalidSignature" + suffix,
config: Config{
MaxVersion: ver.version,
- Chain: alg.cert,
+ Credential: alg.cert,
SignSignatureAlgorithms: []signatureAlgorithm{
alg.id,
},
@@ -10240,7 +10240,7 @@
name: "Verify-ClientAuth-SignatureType",
config: Config{
MaxVersion: VersionTLS12,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithSHA256,
},
@@ -10260,7 +10260,7 @@
name: "Verify-ClientAuth-SignatureType-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
},
@@ -10417,7 +10417,7 @@
name: "ClientAuth-Enforced",
config: Config{
MaxVersion: VersionTLS12,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
@@ -10450,7 +10450,7 @@
name: "ClientAuth-Enforced-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPKCS1WithMD5,
},
@@ -10600,7 +10600,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
},
flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
shouldFail: true,
@@ -10612,7 +10612,7 @@
name: "CheckLeafCurve-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
},
flags: []string{"-curves", strconv.Itoa(int(CurveP384))},
})
@@ -10623,7 +10623,7 @@
config: Config{
MaxVersion: VersionTLS12,
CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
},
@@ -10635,7 +10635,7 @@
name: "ECDSACurveMismatch-Verify-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureECDSAWithP384AndSHA384,
},
@@ -10713,7 +10713,7 @@
name: "NoEd25519-TLS11-ServerAuth-Verify",
config: Config{
MaxVersion: VersionTLS11,
- Chain: &ed25519Certificate,
+ Credential: &ed25519Certificate,
Bugs: ProtocolBugs{
// Sign with Ed25519 even though it is TLS 1.1.
SigningAlgorithmForLegacyVersions: signatureEd25519,
@@ -10738,7 +10738,7 @@
name: "NoEd25519-TLS11-ClientAuth-Verify",
config: Config{
MaxVersion: VersionTLS11,
- Chain: &ed25519Certificate,
+ Credential: &ed25519Certificate,
Bugs: ProtocolBugs{
// Sign with Ed25519 even though it is TLS 1.1.
SigningAlgorithmForLegacyVersions: signatureEd25519,
@@ -10768,7 +10768,7 @@
testType: clientTest,
name: "Ed25519DefaultDisable-NoAdvertise",
config: Config{
- Chain: &ed25519Certificate,
+ Credential: &ed25519Certificate,
},
shouldFail: true,
expectedLocalError: "tls: no common signature algorithms",
@@ -10780,7 +10780,7 @@
testType: clientTest,
name: "Ed25519DefaultDisable-NoAccept",
config: Config{
- Chain: &ed25519Certificate,
+ Credential: &ed25519Certificate,
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
},
@@ -10795,7 +10795,7 @@
testCases = append(testCases, testCase{
name: "VerifyPreferences-Advertised",
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
signatureRSAPSSWithSHA384,
@@ -10813,7 +10813,7 @@
testCases = append(testCases, testCase{
name: "VerifyPreferences-NoCommonAlgorithms",
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
signatureRSAPSSWithSHA512,
@@ -10830,7 +10830,7 @@
testCases = append(testCases, testCase{
name: "VerifyPreferences-Enforced",
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
SignSignatureAlgorithms: []signatureAlgorithm{
signatureRSAPSSWithSHA256,
signatureRSAPSSWithSHA512,
@@ -10852,7 +10852,7 @@
testCases = append(testCases, testCase{
name: "VerifyPreferences-Ed25519",
config: Config{
- Chain: &ed25519Certificate,
+ Credential: &ed25519Certificate,
},
flags: []string{
"-verify-prefs", strconv.Itoa(int(signatureEd25519)),
@@ -10905,7 +10905,7 @@
name: prefix + "NoVerify-RSA_PKCS1_MD5_SHA1",
config: Config{
MaxVersion: ver.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
Bugs: ProtocolBugs{
IgnorePeerSignatureAlgorithmPreferences: true,
AlwaysSignAsLegacyVersion: true,
@@ -13082,7 +13082,7 @@
protocol: protocol,
name: "ClientCertificate" + suffix,
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
MaxVersion: VersionTLS12,
},
flags: []string{"-require-any-client-certificate"},
@@ -13096,7 +13096,7 @@
protocol: protocol,
name: "CertificateVerify" + suffix,
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
MaxVersion: VersionTLS12,
},
flags: []string{"-require-any-client-certificate"},
@@ -13272,7 +13272,7 @@
protocol: protocol,
name: "TLS13-ClientCertificate" + suffix,
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
MaxVersion: VersionTLS13,
},
flags: []string{"-require-any-client-certificate"},
@@ -13286,7 +13286,7 @@
protocol: protocol,
name: "TLS13-ClientCertificateVerify" + suffix,
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
MaxVersion: VersionTLS13,
},
flags: []string{"-require-any-client-certificate"},
@@ -14284,11 +14284,11 @@
name: "EarlyData-RejectTicket-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
SessionTicketsDisabled: true,
},
resumeSession: true,
@@ -14379,11 +14379,11 @@
name: "EarlyData-HRR-RejectTicket-Client-TLS13",
config: Config{
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
resumeConfig: &Config{
MaxVersion: VersionTLS13,
- Chain: &ecdsaP256Certificate,
+ Credential: &ecdsaP256Certificate,
SessionTicketsDisabled: true,
Bugs: ProtocolBugs{
SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
@@ -15035,7 +15035,7 @@
config: Config{
MinVersion: VersionTLS13,
MaxVersion: VersionTLS13,
- Chain: &rsaChainCertificate,
+ Credential: &rsaChainCertificate,
Bugs: ProtocolBugs{
SkipCertificateVerify: true,
},
@@ -15057,7 +15057,7 @@
config: Config{
MinVersion: VersionTLS13,
MaxVersion: VersionTLS13,
- Chain: &rsaChainCertificate,
+ Credential: &rsaChainCertificate,
Bugs: ProtocolBugs{
SkipCertificateVerify: true,
},
@@ -15423,7 +15423,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaChainCertificate,
+ Credential: &rsaChainCertificate,
ClientAuth: RequireAnyClientCert,
},
expectations: connectionExpectations{
@@ -15441,7 +15441,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaChainCertificate,
+ Credential: &rsaChainCertificate,
},
expectations: connectionExpectations{
peerCertificate: &rsaChainCertificate,
@@ -15460,7 +15460,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &garbageCertificate,
+ Credential: &garbageCertificate,
},
shouldFail: true,
expectedError: ":CANNOT_PARSE_LEAF_CERT:",
@@ -15473,7 +15473,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &garbageCertificate,
+ Credential: &garbageCertificate,
},
flags: []string{"-require-any-client-certificate"},
shouldFail: true,
@@ -15510,7 +15510,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{
"-verify-peer",
@@ -15531,7 +15531,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{
"-verify-peer",
@@ -15551,7 +15551,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{
"-verify-peer",
@@ -15599,7 +15599,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &cert,
+ Credential: &cert,
},
shouldFail: true,
expectedError: ":KEY_USAGE_BIT_INCORRECT:",
@@ -15611,7 +15611,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &cert,
+ Credential: &cert,
},
flags: []string{"-require-any-client-certificate"},
shouldFail: true,
@@ -15674,7 +15674,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &encCert,
+ Credential: &encCert,
CipherSuites: dsSuites,
},
shouldFail: true,
@@ -15687,7 +15687,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &dsCert,
+ Credential: &dsCert,
CipherSuites: dsSuites,
},
})
@@ -15700,7 +15700,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &encCert,
+ Credential: &encCert,
CipherSuites: encSuites,
},
})
@@ -15711,7 +15711,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &dsCert,
+ Credential: &dsCert,
CipherSuites: encSuites,
},
shouldFail: true,
@@ -15725,7 +15725,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &dsCert,
+ Credential: &dsCert,
CipherSuites: encSuites,
},
flags: []string{"-expect-key-usage-invalid", "-ignore-rsa-key-usage"},
@@ -15737,7 +15737,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &encCert,
+ Credential: &encCert,
CipherSuites: dsSuites,
},
flags: []string{"-expect-key-usage-invalid", "-ignore-rsa-key-usage"},
@@ -15752,7 +15752,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &encCert,
+ Credential: &encCert,
CipherSuites: dsSuites,
},
flags: []string{"-ignore-rsa-key-usage"},
@@ -15768,7 +15768,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &encCert,
+ Credential: &encCert,
},
shouldFail: true,
expectedError: ":KEY_USAGE_BIT_INCORRECT:",
@@ -15781,7 +15781,7 @@
config: Config{
MinVersion: ver.version,
MaxVersion: ver.version,
- Chain: &dsCert,
+ Credential: &dsCert,
},
flags: []string{"-require-any-client-certificate"},
})
@@ -17367,7 +17367,7 @@
protocol: protocol,
name: prefix + "ECH-Server-ClientAuth",
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
ClientECHConfig: echConfig.ECHConfig,
},
flags: []string{
@@ -17386,7 +17386,7 @@
protocol: protocol,
name: prefix + "ECH-Server-Decline-ClientAuth",
config: Config{
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
ClientECHConfig: echConfig.ECHConfig,
Bugs: ProtocolBugs{
ExpectECHRetryConfigs: CreateECHConfigList(echConfig1.ECHConfig.Raw),
@@ -19078,7 +19078,7 @@
config: Config{
MinVersion: VersionTLS13,
MaxVersion: VersionTLS13,
- Chain: &rsaCertificate,
+ Credential: &rsaCertificate,
},
flags: []string{
"-allow-hint-mismatch",
@@ -19290,7 +19290,7 @@
isWPACipherSuite = true
}
- var cert CertificateChain
+ var cert Credential
if hasComponent(suite.name, "ECDSA") {
cert = ecdsaP384Certificate
} else {
@@ -19338,7 +19338,7 @@
MinVersion: VersionTLS12,
MaxVersion: maxVersion,
CipherSuites: []uint16{suite.id},
- Chain: &cert,
+ Credential: &cert,
},
flags: []string{
policy.flag,
@@ -19491,7 +19491,7 @@
MinVersion: VersionTLS12,
MaxVersion: maxVersion,
SignSignatureAlgorithms: []signatureAlgorithm{sigalg.id},
- Chain: sigalg.cert,
+ Credential: sigalg.cert,
},
flags: []string{
policy.flag,
diff --git a/ssl/test/runner/tls.go b/ssl/test/runner/tls.go
index d283e77..b2b35a3 100644
--- a/ssl/test/runner/tls.go
+++ b/ssl/test/runner/tls.go
@@ -73,7 +73,7 @@
// The configuration config must be non-nil and must have
// at least one certificate.
func Listen(network, laddr string, config *Config) (net.Listener, error) {
- if config == nil || config.Chain == nil {
+ if config == nil || config.Credential == nil {
return nil, errors.New("tls.Listen: no certificates in configuration")
}
l, err := net.Listen(network, laddr)
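Review bot: The doc comment and the error string around the renamed check are now out of step with the code: the comment still says the config "must have at least one certificate" and the error is still `"tls.Listen: no certificates in configuration"`, while the guard tests `config.Credential`. Since the commit's stated goal is to make the type describe a credential rather than a chain, the surrounding wording should follow, e.g. `// at least one credential.` for the comment and `return nil, errors.New("tls.Listen: no credential in configuration")` for the error, so a reader of the failure is pointed at the field that was actually missing. Listen's body continues outside the hunk, so any other references to the old wording there are not visible here.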
@@ -173,7 +173,7 @@
// LoadX509KeyPair reads and parses a public/private key pair from a pair of
// files. The files must contain PEM encoded data.
-func LoadX509KeyPair(certFile, keyFile string) (cert CertificateChain, err error) {
+func LoadX509KeyPair(certFile, keyFile string) (cert Credential, err error) {
certPEMBlock, err := os.ReadFile(certFile)
if err != nil {
return
@@ -187,7 +187,7 @@
// X509KeyPair parses a public/private key pair from a pair of
// PEM encoded data.
-func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert CertificateChain, err error) {
+func X509KeyPair(certPEMBlock, keyPEMBlock []byte) (cert Credential, err error) {
var certDERBlock *pem.Block
for {
certDERBlock, certPEMBlock = pem.Decode(certPEMBlock)