author | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-21 04:02:44 +0000 |
---|---|---|
committer | rsleevi@chromium.org <rsleevi@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-21 04:02:44 +0000 |
commit | b3992377f4e52a205164d4da5dc7e465e749a57e (patch) | |
tree | 6f1b1f6216ffa5053edb6836be53d89475463a8f /net/tools | |
parent | bbf7e53f9a96ebd3a4f2835ea5ee561f03ef534e (diff) | |
download | chromium_src-b3992377f4e52a205164d4da5dc7e465e749a57e.zip chromium_src-b3992377f4e52a205164d4da5dc7e465e749a57e.tar.gz chromium_src-b3992377f4e52a205164d4da5dc7e465e749a57e.tar.bz2 |
Improve support for requesting client certs in tlslite
Currently, tlslite only supports the caller passing in a list of CAs pre-encoded for the TLS CertificateRequest message. This CL improves that, by providing a means of extracting the DER-encoded subject name from an X509 certificate, supplying a list of such names to tlslite's server routines, and having tlslite encode the list of CAs as part of the CertificateRequest.
BUG=47656, 47658
TEST=net_unittests
Review URL: http://codereview.chromium.org/3177015
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56982 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'net/tools')
-rw-r--r-- | net/tools/testserver/testserver.py | 25 |
1 files changed, 21 insertions, 4 deletions
diff --git a/net/tools/testserver/testserver.py b/net/tools/testserver/testserver.py
index c2fd51f..e38bfc7 100644
--- a/net/tools/testserver/testserver.py
+++ b/net/tools/testserver/testserver.py
@@ -62,7 +62,7 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, StoppableHTTPServer):
   """This is a specialization of StoppableHTTPerver that add https support."""
 
   def __init__(self, server_address, request_hander_class, cert_path,
-               ssl_client_auth):
+               ssl_client_auth, ssl_client_cas):
     s = open(cert_path).read()
     x509 = tlslite.api.X509()
     x509.parse(s)
@@ -70,6 +70,12 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, StoppableHTTPServer):
     s = open(cert_path).read()
     self.private_key = tlslite.api.parsePEMKey(s, private=True)
     self.ssl_client_auth = ssl_client_auth
+    self.ssl_client_cas = []
+    for ca_file in ssl_client_cas:
+      s = open(ca_file).read()
+      x509 = tlslite.api.X509()
+      x509.parse(s)
+      self.ssl_client_cas.append(x509.subject)
     self.session_cache = tlslite.api.SessionCache()
     StoppableHTTPServer.__init__(self, server_address, request_hander_class)
 
@@ -80,7 +86,8 @@ class HTTPSServer(tlslite.api.TLSSocketServerMixIn, StoppableHTTPServer):
       tlsConnection.handshakeServer(certChain=self.cert_chain,
                                     privateKey=self.private_key,
                                     sessionCache=self.session_cache,
-                                    reqCert=self.ssl_client_auth)
+                                    reqCert=self.ssl_client_auth,
+                                    reqCAs=self.ssl_client_cas)
       tlsConnection.ignoreAbruptClose = True
       return True
     except tlslite.api.TLSAbruptCloseError:
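Review bot: The added loop reads each CA file with `open(ca_file).read()` and never closes the handle, and it repeats the read/X509()/parse sequence that the constructor already uses twice for the server certificate just above. A `with open(ca_file) as f:` block inside a small helper such as `def _load_x509(path)` returning the parsed certificate would remove both the leak and the duplication. The new attribute also deserves a comment saying what it holds, e.g. `# Subject names (X509.subject) of the CAs to advertise in the CertificateRequest.`, since a reader cannot tell from the loop whether these are names or full certificates. The enclosing `__init__` starts in the previous hunk.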
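Review bot: The new `reqCAs=` argument changes only which issuer names the server advertises in its CertificateRequest; as far as tlslite's handshakeServer is documented, it does not restrict which client certificate the handshake accepts, so a test that relies on this option for enforcement would presumably succeed with any client certificate. A comment beside the argument, `# reqCAs only advertises acceptable issuers; it does not verify the client chain.`, would keep that distinction visible to the next maintainer. The list is also passed unconditionally, so it is sent as `[]` when no CA was configured; whether tlslite treats that the same as its default is not visible here. The enclosing `try` and `handshake` begin outside the hunk.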
@@ -1227,10 +1234,16 @@ def main(options, args):
     if options.cert:
       # let's make sure the cert file exists.
       if not os.path.isfile(options.cert):
-        print 'specified cert file not found: ' + options.cert + ' exiting...'
+        print 'specified server cert file not found: ' + options.cert + \
+            ' exiting...'
         return
+      for ca_cert in options.ssl_client_ca:
+        if not os.path.isfile(ca_cert):
+          print 'specified trusted client CA file not found: ' + ca_cert + \
+              ' exiting...'
+          return
       server = HTTPSServer(('127.0.0.1', port), TestPageHandler, options.cert,
-                           options.ssl_client_auth)
+                           options.ssl_client_auth, options.ssl_client_ca)
       print 'HTTPS server started on port %d...' % port
     else:
       server = StoppableHTTPServer(('127.0.0.1', port), TestPageHandler)
@@ -1297,6 +1310,10 @@ if __name__ == '__main__':
                            'the server should use.')
   option_parser.add_option('', '--ssl-client-auth', action='store_true',
                            help='Require SSL client auth on every connection.')
+  option_parser.add_option('', '--ssl-client-ca', action='append', default=[],
+                           help='Specify that the client certificate request '
+                           'should indicate that it supports the CA contained '
+                           'in the specified certificate file')
   option_parser.add_option('', '--file-root-url', default='/files/',
                            help='Specify a root URL for files served.')
   option_parser.add_option('', '--never-die', default=False,
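Review bot: The new CA-file check validates existence only, and it runs regardless of `--ssl-client-auth`, so `--ssl-client-ca` given without `--ssl-client-auth` is accepted silently although the names are presumably never sent when `reqCert` is false. Rejecting the combination here in two lines, `if options.ssl_client_ca and not options.ssl_client_auth:` followed by `print '--ssl-client-ca requires --ssl-client-auth, exiting...'; return`, or at least saying so in the option help, would make the misconfiguration visible instead of producing a test that passes for the wrong reason. The two "file not found" branches now share the same print-then-return shape; a single helper that reports the missing path would remove the duplication. `main` starts before this hunk.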
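Review bot: The help string for `--ssl-client-ca` does not say that the option may be repeated (`action='append'`) nor that only the certificate's subject name is used, which is what the server extracts from the file. Something like `help='Path to a CA certificate whose subject name is advertised in the client certificate request; may be given more than once.'` covers both and is shorter than the current three-part sentence. The option block is inside `if __name__ == '__main__':`, which starts outside the hunk.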