@@ -2,6 +2,7 @@ package proxy
22
33import (
44 "crypto/tls"
5+ "crypto/x509"
56 "crypto/x509/pkix"
67 "encoding/asn1"
78 "encoding/hex"
@@ -108,12 +109,12 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) {
108109 p .log .With ("duration" , duration ).Info ("[proxy-request] proxying complete" )
109110}
110111
111- func ( p * Proxy ) getMeasurementsFromTLS ( conn * tls. ConnectionState ) (atlsVariant variant.Variant , measurements map [uint32 ][]byte , err error ) {
112+ func GetMeasurementsFromTLS ( certs [] * x509. Certificate , validatorOIDs []asn1. ObjectIdentifier ) (atlsVariant variant.Variant , measurements map [uint32 ][]byte , err error ) {
112113 // In verifyEmbeddedReport which is used to validate the extensions, only the first matching extension is validated! Refuse to accept multiple
113114 var ATLSExtension * pkix.Extension = nil
114- for _ , cert := range conn . PeerCertificates {
115+ for _ , cert := range certs {
115116 for _ , ext := range cert .Extensions {
116- for _ , validatorOID := range p . validatorOIDs {
117+ for _ , validatorOID := range validatorOIDs {
117118 if ext .Id .Equal (validatorOID ) {
118119 if ATLSExtension != nil {
119120 return nil , nil , errors .New ("more than one ATLS extension provided, refusing to continue" )
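Review bot: GetMeasurementsFromTLS becomes an exported function here but has no doc comment, and because it now takes a plain `[]*x509.Certificate` instead of the handshake's `*tls.ConnectionState`, nothing in the signature tells a caller that the slice is expected to be the peer chain from a completed TLS handshake rather than certificates from any source. The loop inspects every certificate in `certs`, not only the leaf, so a matching extension on any element of the slice is accepted; the comment should state whether callers are meant to pass only the leaf or the full chain, since that decides what an intermediate can assert. Suggested comment above the signature: `// GetMeasurementsFromTLS scans every certificate in certs for an extension whose OID is in validatorOIDs and returns the attestation variant and measurements it carries.` followed by `// Callers are expected to pass the peer certificates of a completed TLS handshake; an error is returned if more than one matching extension is found across all certificates.` The body of GetMeasurementsFromTLS continues past the end of this hunk, so the handling of the case where no extension matches could not be checked here.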
@@ -142,7 +143,8 @@ func (p *Proxy) getMeasurementsFromTLS(conn *tls.ConnectionState) (atlsVariant v
142143}
143144
144145func (p * Proxy ) copyMeasurementsToHeader (conn * tls.ConnectionState , header * http.Header ) (int , error ) {
145- atlsVariant , extractedMeasurements , err := p .getMeasurementsFromTLS (conn )
146+ certs := conn .PeerCertificates
147+ atlsVariant , extractedMeasurements , err := GetMeasurementsFromTLS (certs , p .validatorOIDs )
146148 if err != nil {
147149 return http .StatusTeapot , err
148150 } else if extractedMeasurements == nil {