tris/DelegatedCredentials: typos

cloudflare · Aug 15, 2017 · 3755cb1 · 3755cb1
1 parent 5f3f963
commit 3755cb1
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 7 deletions.
diff --git a/common.go b/common.go
@@ -93,7 +93,7 @@ const (
 	extensionNextProtoNeg        uint16 = 13172 // not IANA assigned
 	extensionRenegotiationInfo   uint16 = 0xff01
 	extensionShortHeaders        uint16 = 0xff03 // Experimental
-	extensionDelegatedCredential uint16 = 99     // not IANA assigned yet - https://tools.ietf.org/html/draft-rescorla-tls-subcerts-01
+	extensionDelegatedCredential uint16 = 0xff99 // not IANA assigned yet - https://tools.ietf.org/html/draft-rescorla-tls-subcerts-01
 )
 
 // TLS signaling cipher suite values

diff --git a/delegated_credentials.go b/delegated_credentials.go
@@ -21,10 +21,12 @@ const (
 	CredentialsValidity time.Duration = 5 * time.Minute
 )
 
+var DelegatedCredentialsIdentifier = asn1.ObjectIdentifier{2, 5, 29, 99}
+
 type GetCertificate func(*ClientHelloInfo) (*Certificate, error)
 
 type DelegatedCredential struct {
-	ValidTime int64 // todo - change to Time?
+	ValidTime int64
 	PublicKey interface{}
 }
 
@@ -66,7 +68,7 @@ func selectVersion(versions []uint16) uint16 {
 			return VersionTLS12
 		}
 	}
-	return 0 // todo use errors
+	return 0
 }
 
 // Selects signature scheme based on the client's advertised schemes and the cert's capabilities
@@ -112,7 +114,7 @@ func createDelegatedCredential(certificate *x509.Certificate, scheme SignatureSc
 func isCertificateValidForDelegationUsage(certificate *x509.Certificate) bool {
 
 	for _, extension := range certificate.Extensions {
-		if extension.Id.Equal(asn1.ObjectIdentifier{2, 5, 29, 99}) { // TODO: change this to constant?
+		if extension.Id.Equal(DelegatedCredentialsIdentifier) {
 			return true
 		}
 	}

diff --git a/delegated_credentials_test.go b/delegated_credentials_test.go
@@ -31,9 +31,21 @@ func TestDelCredGetCertificateFunctionWithInvalidSignatureScheme(t *testing.T) {
 	_, err := getCertificateFn(clientHelloInfo)
 	expectError(err, "No valid signature scheme", t)
 
+	clientHelloInfo.SignatureSchemes = []SignatureScheme{PKCS1WithSHA256} // hash ok, but incompatible with EC
+	_, err = getCertificateFn(clientHelloInfo)
+	expectError(err, "No valid signature scheme", t)
+
 	clientHelloInfo.SignatureSchemes = []SignatureScheme{PKCS1WithSHA384}
 	_, err = getCertificateFn(clientHelloInfo)
 	expectError(err, "No valid signature scheme", t)
+
+	clientHelloInfo.SignatureSchemes = []SignatureScheme{ECDSAWithP521AndSHA512}
+	_, err = getCertificateFn(clientHelloInfo)
+	expectError(err, "No valid signature scheme", t)
+
+	clientHelloInfo.SignatureSchemes = []SignatureScheme{ECDSAWithP256AndSHA256}
+	_, err = getCertificateFn(clientHelloInfo)
+	expectError(err, "", t)
 }
 
 func TestDelCredGetCertificateFunctionWithInvalidCertificate(t *testing.T) {

diff --git a/handshake_messages.go b/handshake_messages.go
@@ -4,9 +4,7 @@
 
 package tls
 
-import (
-	"bytes"
-)
+import "bytes"
 
 type clientHelloMsg struct {
 	raw                          []byte