http: check https certificate against host name

Fixes #1093. R=agl, agl1 CC=golang-dev https://golang.org/cl/2115045

http: check https certificate against host name
Fixes #1093. R=agl, agl1 CC=golang-dev https://golang.org/cl/2115045
a4514c42 · Russ Cox · eddddf04 · a4514c42 · a4514c42 · a4514c42
Commit a4514c42 authored Sep 12, 2010 by Russ Cox
Showing with 45 additions and 10 deletions

conn.go src/pkg/crypto/tls/conn.go +7 -0

x509.go src/pkg/crypto/x509/x509.go +23 -5

x509_test.go src/pkg/crypto/x509/x509_test.go +2 -2

client.go src/pkg/http/client.go +13 -3

No files found.
--- a/src/pkg/crypto/tls/conn.go
+++ b/src/pkg/crypto/tls/conn.go
@@ -670,3 +670,10 @@ func (c *Conn) PeerCertificates() []*x509.Certificate {
 	return c.peerCertificates
 }
+// VerifyHostname checks that the peer certificate chain is valid for
+// connecting to host.  If so, it returns nil; if not, it returns an os.Error
+// describing the problem.
+func (c *Conn) VerifyHostname(host string) os.Error {
+	return c.PeerCertificates()[0].VerifyHostname(host)
+}
--- a/src/pkg/crypto/x509/x509.go
+++ b/src/pkg/crypto/x509/x509.go
@@ -426,19 +426,37 @@ func matchHostnames(pattern, host string) bool {
 	return true
 }
-// IsValidForHost returns true iff c is a valid certificate for the given host.
+type HostnameError struct {
-func (c *Certificate) IsValidForHost(h string) bool {
+	Certificate *Certificate
+	Host        string
+}
+func (h *HostnameError) String() string {
+	var valid string
+	c := h.Certificate
+	if len(c.DNSNames) > 0 {
+		valid = strings.Join(c.DNSNames, ", ")
+	} else {
+		valid = c.Subject.CommonName
+	}
+	return "certificate is valid for " + valid + ", not " + h.Host
+}
+// VerifyHostname returns nil if c is a valid certificate for the named host.
+// Otherwise it returns an os.Error describing the mismatch.
+func (c *Certificate) VerifyHostname(h string) os.Error {
 	if len(c.DNSNames) > 0 {
 		for _, match := range c.DNSNames {
 			if matchHostnames(match, h) {
-				return true
+				return nil
 			}
 		}
 		// If Subject Alt Name is given, we ignore the common name.
-		return false
+	} else if matchHostnames(c.Subject.CommonName, h) {
+		return nil
 	}
-	return matchHostnames(c.Subject.CommonName, h)
+	return &HostnameError{c, h}
 }
 type UnhandledCriticalExtension struct{}

--- a/src/pkg/crypto/x509/x509_test.go
+++ b/src/pkg/crypto/x509/x509_test.go
@@ -96,8 +96,8 @@ func TestCertificateParse(t *testing.T) {
 		t.Error(err)
 	}
-	if !certs[0].IsValidForHost("mail.google.com") {
+	if err := certs[0].VerifyHostname("mail.google.com"); err != nil {
-		t.Errorf("cert not valid for host")
+		t.Error(err)
 	}
 }

--- a/src/pkg/http/client.go
+++ b/src/pkg/http/client.go
@@ -59,11 +59,21 @@ func send(req *Request) (resp *Response, err os.Error) {
 	var conn io.ReadWriteCloser
 	if req.URL.Scheme == "http" {
 		conn, err = net.Dial("tcp", "", addr)
+		if err != nil {
+			return nil, err
+		}
 	} else { // https
 		conn, err = tls.Dial("tcp", "", addr)
-	}
+		if err != nil {
-	if err != nil {
+			return nil, err
-		return nil, err
+		}
+		h := req.URL.Host
+		if hasPort(h) {
+			h = h[0:strings.LastIndex(h, ":")]
+		}
+		if err := conn.(*tls.Conn).VerifyHostname(h); err != nil {
+			return nil, err
+		}
 	}
 	err = req.Write(conn)