]> Cypherpunks.ru repositories - gostls13.git/commitdiff
projects / gostls13.git / commitdiff
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 0000f0b)
crypto/x509: add Detail to Expired errors
authorW. Trevor King <wking@tremily.us>
Wed, 2 Oct 2019 17:49:49 +0000 (17:49 +0000)
committerFilippo Valsorda <filippo@golang.org>
Wed, 2 Oct 2019 19:23:07 +0000 (19:23 +0000)
Because errors like:

    certificate has expired or is not yet valid

make it difficult to distinguish between "certificate has expired" and
"my local clock is skewed".  Including our idea of the local time
makes it easier to identify the clock-skew case, and including the
violated certificate constraint saves folks the trouble of looking it
up in the target certificate.

Change-Id: I52e0e71705ee36f6afde1bb5a47b9b42ed5ead5b
GitHub-Last-Rev: db2ca4029c1e0b17363772d9824e3042d5501d48
GitHub-Pull-Request: golang/go#34646
Reviewed-on: https://go-review.googlesource.com/c/go/+/198046
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Run-TryBot: Filippo Valsorda <filippo@golang.org>
TryBot-Result: Gobot Gobot <gobot@golang.org>

src/crypto/x509/verify.go patch | blob | history

diff --git a/src/crypto/x509/verify.go b/src/crypto/x509/verify.go
index 3b5b3576bddc72cf34f00424887eafee3e23d81c..c8bad642f0eb286adf81d3f1e8f4d24d9acb8064 100644 (file)
--- a/src/crypto/x509/verify.go
+++ b/src/crypto/x509/verify.go
@@ -80,7 +80,7 @@ func (e CertificateInvalidError) Error() string {
        case NotAuthorizedToSign:
                return "x509: certificate is not authorized to sign other certificates"
        case Expired:
-               return "x509: certificate has expired or is not yet valid"
+               return "x509: certificate has expired or is not yet valid: " + e.Detail
        case CANotAuthorizedForThisName:
                return "x509: a root or intermediate certificate is not authorized to sign for this name: " + e.Detail
        case CANotAuthorizedForExtKeyUsage:
@@ -576,8 +576,18 @@ func (c *Certificate) isValid(certType int, currentChain []*Certificate, opts *V
        if now.IsZero() {
                now = time.Now()
        }
-       if now.Before(c.NotBefore) || now.After(c.NotAfter) {
-               return CertificateInvalidError{c, Expired, ""}
+       if now.Before(c.NotBefore) {
+               return CertificateInvalidError{
+                       Cert: c,
+                       Reason: Expired,
+                       Detail: fmt.Sprintf("current time %s is before %s", now.Format(time.RFC3339), c.NotBefore.Format(time.RFC3339)),
+               }
+       } else if now.After(c.NotAfter) {
+               return CertificateInvalidError{
+                       Cert: c,
+                       Reason: Expired,
+                       Detail: fmt.Sprintf("current time %s is after %s", now.Format(time.RFC3339), c.NotAfter.Format(time.RFC3339)),
+               }
        }
 
        maxConstraintComparisons := opts.MaxConstraintComparisions
Go GOST TLS 1.3