author | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-21 05:46:58 +0000 |
---|---|---|
committer | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2010-08-21 05:46:58 +0000 |
commit | 65a3b914585cee20f1c8b213c82eaa2a5da0cb25 (patch) | |
tree | 1464c826e4dd82fb68e769119964c6a6383d609a /third_party/tlslite | |
parent | b3992377f4e52a205164d4da5dc7e465e749a57e (diff) | |
download | chromium_src-65a3b914585cee20f1c8b213c82eaa2a5da0cb25.zip chromium_src-65a3b914585cee20f1c8b213c82eaa2a5da0cb25.tar.gz chromium_src-65a3b914585cee20f1c8b213c82eaa2a5da0cb25.tar.bz2 |
Reintegrate certificate selection in HttpNetworkTransaction DoLoop
The HttpNetworkTransaction refactor intercepts the client auth
handling and moves it out of DoLoop. Because HandleCertificateRequest
often switches states, this caused a DCHECK and crash in some
circumstances.
This reintegrates it and adds unit tests to catch the DCHECK. We really
want to test sending a legitimate certificate, as well as check more
interesting error paths, but we cannot import temporary keys yet.
We also add a patch for tlslite to send a non-empty certificate_types.
Apple's SSL implementation raises a protocol error otherwise.
BUG=52744,51132,52778
TEST=SSLClientSocketTest.ConnectClientAuth*,URLRequestTest.ClientAuthTest
Review URL: http://codereview.chromium.org/3141026
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56983 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/tlslite')
-rw-r--r-- | third_party/tlslite/README.chromium | 4 | ||||
-rw-r--r-- | third_party/tlslite/patches/send_certificate_types.patch | 32 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/constants.py | 6 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/messages.py | 6 |
4 files changed, 46 insertions, 2 deletions
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium
index 792d7e4..3fc9665 100644
--- a/third_party/tlslite/README.chromium
+++ b/third_party/tlslite/README.chromium
@@ -21,3 +21,7 @@ Local Modifications:
of byte arrays, each containing a DER-encoded distinguished name.
tlslite/TLSConnection.py was changed to take a list of such byte arrays when creating a TLS server that will request client authentication.
+- patches/send_certificate_types.patch: tlslite/message.py was changed to
+ default to a certificate_types of [rsa_sign] in CertificateRequest. Apple's
+ Secure Transport library rejects an empty list and raises an SSL protocol
+ error.
diff --git a/third_party/tlslite/patches/send_certificate_types.patch b/third_party/tlslite/patches/send_certificate_types.patch
new file mode 100644
index 0000000..14b2935
--- /dev/null
+++ b/third_party/tlslite/patches/send_certificate_types.patch
@@ -0,0 +1,32 @@
+diff --git a/tlslite/constants.py b/tlslite/constants.py
+index 8f2d559..04302c0 100644
+--- a/tlslite/constants.py
++++ b/tlslite/constants.py
+@@ -5,6 +5,12 @@ class CertificateType:
+ openpgp = 1
+ cryptoID = 2
+
++class ClientCertificateType:
++ rsa_sign = 1
++ dss_sign = 2
++ rsa_fixed_dh = 3
++ dss_fixed_dh = 4
++
+ class HandshakeType:
+ hello_request = 0
+ client_hello = 1
+diff --git a/tlslite/messages.py b/tlslite/messages.py
+index 06c46b9..8bcec2c 100644
+--- a/tlslite/messages.py
++++ b/tlslite/messages.py
+@@ -346,7 +346,9 @@ class Certificate(HandshakeMsg):
+ class CertificateRequest(HandshakeMsg):
+ def __init__(self):
+ self.contentType = ContentType.handshake
+- self.certificate_types = []
++ #Apple's implementation rejects empty certificate_types, so
++ #default to rsa_sign.
++ self.certificate_types = [ClientCertificateType.rsa_sign]
+ #treat as opaque bytes for now
+ self.certificate_authorities = createByteArraySequence([])
+
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index 8f2d559..04302c0 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -5,6 +5,12 @@ class CertificateType:
openpgp = 1
cryptoID = 2

+class ClientCertificateType:
+ rsa_sign = 1
+ dss_sign = 2
+ rsa_fixed_dh = 3
+ dss_fixed_dh = 4
+
class HandshakeType:
hello_request = 0
client_hello = 1
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index fb4cc21..dc6ed32 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -346,7 +346,9 @@ class Certificate(HandshakeMsg):
class CertificateRequest(HandshakeMsg):
def __init__(self):
self.contentType = ContentType.handshake
- self.certificate_types = []
+ #Apple's Secure Transport library rejects empty certificate_types, so
+ #default to rsa_sign.
+ self.certificate_types = [ClientCertificateType.rsa_sign]
self.certificate_authorities = []

def create(self, certificate_types, certificate_authorities):
@@ -579,4 +581,4 @@ class ApplicationData(Msg):
return self

def write(self):
- return self.bytes
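Review bot: The comment above the new `self.certificate_types` default frames the non-empty list as an Apple quirk, but TLS itself requires it: RFC 2246 and RFC 5246 §7.4.4 declare `ClientCertificateType certificate_types<1..2^8-1>`, so an empty vector is a malformed CertificateRequest that any strict peer may reject. Rewording it as `#RFC 5246 7.4.4 requires certificate_types to be non-empty (<1..2^8-1>); Apple's Secure Transport enforces this, so default to rsa_sign.` keeps a later maintainer from reverting it as a vendor workaround. The default only protects callers that never set the field; `create()`, whose body lies outside the hunk, appears to accept any list, so a caller passing `[]` would still emit an invalid message and a length check there would be more robust. The comment wording here also differs from the copy recorded in patches/send_certificate_types.patch, which additionally carries a different `certificate_authorities` context line, so the stored patch does not reproduce this hunk as committed.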
\ No newline at end of file
+ return self.bytes |