|
|
@@ -175,16 +175,7 @@ func (c *Config) parseServerName() string {
|
|
|
|
|
|
func (c *Config) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509.Certificate) error {
|
|
|
if c.PinnedPeerCertificateChainSha256 != nil {
|
|
|
- var hashValue []byte
|
|
|
- for _, certValue := range rawCerts {
|
|
|
- out := sha256.Sum256(certValue)
|
|
|
- if hashValue == nil {
|
|
|
- hashValue = out[:]
|
|
|
- } else {
|
|
|
- newHashValue := sha256.Sum256(append(hashValue, out[:]...))
|
|
|
- hashValue = newHashValue[:]
|
|
|
- }
|
|
|
- }
|
|
|
+ hashValue := GenerateCertChainHash(rawCerts)
|
|
|
for _, v := range c.PinnedPeerCertificateChainSha256 {
|
|
|
if hmac.Equal(hashValue, v) {
|
|
|
return nil
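Review bot: After `hashValue := GenerateCertChainHash(rawCerts)` an empty rawCerts produces a nil hash, and `hmac.Equal(nil, v)` reports true when a configured pin `v` is itself zero-length, so a mis-set empty pin entry would accept a peer that presented no certificate at all. A guard before the pin loop closes that, `if len(hashValue) == 0 { return <error: no peer certificate to pin against> }` using the file's usual error constructor, or alternatively reject empty `PinnedPeerCertificateChainSha256` entries when the config is built. Whether rawCerts can actually be empty here depends on how this callback is installed (client-auth mode), which is not visible in the hunk. verifyPeerCert's body continues outside the hunk.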
|
|
|
@@ -195,6 +186,20 @@ func (c *Config) verifyPeerCert(rawCerts [][]byte, verifiedChains [][]*x509.Cert
|
|
|
return nil
|
|
|
}
|
|
|
|
|
|
+func GenerateCertChainHash(rawCerts [][]byte) []byte {
|
|
|
+ var hashValue []byte
|
|
|
+ for _, certValue := range rawCerts {
|
|
|
+ out := sha256.Sum256(certValue)
|
|
|
+ if hashValue == nil {
|
|
|
+ hashValue = out[:]
|
|
|
+ } else {
|
|
|
+ newHashValue := sha256.Sum256(append(hashValue, out[:]...))
|
|
|
+ hashValue = newHashValue[:]
|
|
|
+ }
|
|
|
+ }
|
|
|
+ return hashValue
|
|
|
+}
|
|
|
+
|
|
|
// GetTLSConfig converts this Config into tls.Config.
|
|
|
func (c *Config) GetTLSConfig(opts ...Option) *tls.Config {
|
|
|
root, err := c.getCertPool()
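Review bot: `GenerateCertChainHash` is exported on the new side but carries no doc comment, and its output depends on details a caller must match exactly: it is an order-sensitive left fold — the first certificate's SHA-256 alone, then `sha256(prev || sha256(cert))` for each later one — and it returns nil for an empty chain. Suggest adding above the func: `// GenerateCertChainHash folds rawCerts, in the order given, into one SHA-256: the first certificate's digest, then sha256(prev || sha256(cert)) for each subsequent certificate. It returns nil when rawCerts is empty.` Stating the ordering matters because anyone producing pins for this field from a reordered or truncated chain will get a value that never matches. GetTLSConfig at the end of the hunk continues outside it.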
|