authortjp <tjp@ctrl-c.club>2024-01-10 11:56:08 -0700
committertjp <tjp@ctrl-c.club>2024-01-10 11:56:08 -0700
commitcde393cdf50391ccac137a4cc6a9ed231ec3b6d1 (patch)
treef58eeca192af819ca419912e010ce86b4a5d00ae /tls.go
parent9b4b34baa338dfa4c90497a037d6b2a297351df4 (diff)
prompt to update TOFU store on violations
Diffstat (limited to 'tls.go')
-rw-r--r--tls.go18
1 files changed, 15 insertions, 3 deletions
diff --git a/tls.go b/tls.go
index fa25441..d4452f2 100644
--- a/tls.go
+++ b/tls.go
@@ -8,7 +8,7 @@ import (
"crypto/x509"
"crypto/x509/pkix"
"encoding/hex"
- "errors"
+ "fmt"
"math/big"
"os"
"time"
@@ -23,7 +23,15 @@ func tlsConfig(state *BrowserState) *tls.Config {
var tofuStore map[string]string
-var ErrTOFUViolation = errors.New("certificate for this domain has changed")
+type TOFUViolation struct {
+ domain string
+ expected string
+ got string
+}
+
+func (tv *TOFUViolation) Error() string {
+ return fmt.Sprintf("certificate for domain %s has changed from %s to %s", tv.domain, tv.expected, tv.got)
+}
var anonymousTLS = &tls.Config{
InsecureSkipVerify: true,
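Review bot: The exported type `TOFUViolation` and its `Error` method added here carry no doc comments, and their fields are unexported with no accessors, so the caller that is meant to prompt and update the store can only read `domain`/`expected`/`got` from within this package. Add `// TOFUViolation is returned by tofuVerify when the certificate presented for a domain differs from the fingerprint recorded in the TOFU store.` above the type, and on `Error` note that the message is shown to the user. Removing the sentinel `ErrTOFUViolation` means any caller outside this file that compared against it no longer compiles; the replacement is `var tv *TOFUViolation; if errors.As(err, &tv) { ... }`, which keeps working with the pointer receiver used here. In the message, `%q` for the domain is safer than `%s`, since the server name presumably originates from a user-entered URL and `%q` keeps control characters from reaching the prompt.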
@@ -43,7 +51,11 @@ func tofuVerify(connState tls.ConnectionState) error {
}
if certhash != expected {
- return ErrTOFUViolation
+ return &TOFUViolation{
+ domain: connState.ServerName,
+ expected: expected,
+ got: certhash,
+ }
}
return nil
}
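Review bot: `connState.ServerName` on the added lines is the SNI the client sent, which Go omits for IP-literal hosts, so `domain` can be empty and a store update keyed on it would write an empty key. tofuVerify's body starts outside the hunk, so the key used to look up `expected` is not visible; the violation should carry that same lookup key rather than re-deriving it from ServerName, e.g. `key := connState.ServerName` captured once next to the lookup and passed as `domain: key`. Since the error is returned from the verification callback, the handshake is aborted and the prompt must happen in the caller; only an explicit user approval should write `got` into the store.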