Populate cert_key_types on OpenSSL.

Add a test to ensure it gets plumbed through correctly. This also rolls third_party/openssl to r270417: ------------------------------------------------------------------------ r269864 | davidben@chromium.org | 2014-05-12 16:21:12 -0400 (Mon, 12 May 2014) | 7 lines Add SSL_get_client_certificate_types. Exposes the certificate_types parameter in a CertificateRequest. BUG=165446 Review URL: https://codereview.chromium.org/254723002 ------------------------------------------------------------------------ r270417 | davidben@chromium.org | 2014-05-14 12:27:52 -0400 (Wed, 14 May 2014) | 10 lines Refactor ssl3_send_client_verify. The original logic was a confusing spaghetti and mixed up initialization for all the different cases together. Tidy it up in preparation for having to adjust this logic later to support asynchronous crypto operations. BUG=none R=agl@chromium.org Review URL: https://codereview.chromium.org//284693002 ------------------------------------------------------------------------ BUG=165446 Review URL: https://codereview.chromium.org/257513008 git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271765 0039d316-1c4b-4281-b951-d872f2087c98
author: davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-05-20 21:51:44 +0000
committer: davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> 2014-05-20 21:51:44 +0000
commit: c078770418d4be5f03f8b034629a0565aa835676 (patch)
tree: 153498003655fdd3a8d939c4953a2fc1d6a4d0b8 /third_party/tlslite
parent: e36de1252da64a0efcfaf0306d8d7206c101065c (diff)
download: chromium_src-c078770418d4be5f03f8b034629a0565aa835676.zip
chromium_src-c078770418d4be5f03f8b034629a0565aa835676.tar.gz
chromium_src-c078770418d4be5f03f8b034629a0565aa835676.tar.bz2
6 files changed, 181 insertions, 16 deletions
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium
index 28dded0..029c2db 100644
--- a/third_party/tlslite/README.chromium
+++ b/third_party/tlslite/README.chromium
@@ -31,3 +31,5 @@ Local Modifications:
 - patches/fix_test_file.patch: Fix #! line in random test file to appease our
   presubmit checks.
 - patches/dhe_rsa.patch: Implement DHE_RSA-based cipher suites.
+- patches/req_cert_types.patch: Add a reqCertTypes parameter to populate the
+  certificate_types field of CertificateRequest.
diff --git a/third_party/tlslite/patches/req_cert_types.patch b/third_party/tlslite/patches/req_cert_types.patch
new file mode 100644
index 0000000..2774e77
--- /dev/null
+++ b/third_party/tlslite/patches/req_cert_types.patch
@@ -0,0 +1,153 @@
+diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py
+index faef6cb..562fb81 100644
+--- a/third_party/tlslite/tlslite/api.py
++++ b/third_party/tlslite/tlslite/api.py
+@@ -2,7 +2,8 @@
+ # See the LICENSE file for legal information regarding use of this file.
+ 
+ __version__ = "0.4.6"
+-from .constants import AlertLevel, AlertDescription, Fault
++from .constants import AlertLevel, AlertDescription, ClientCertificateType, \
++                       Fault
+ from .errors import *
+ from .checker import Checker
+ from .handshakesettings import HandshakeSettings
+diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
+index 30d1f9f..457b339 100644
+--- a/third_party/tlslite/tlslite/constants.py
++++ b/third_party/tlslite/tlslite/constants.py
+@@ -14,10 +14,14 @@ class CertificateType:
+     openpgp = 1
+ 
+ class ClientCertificateType:
++    # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
+     rsa_sign = 1
+     dss_sign = 2
+     rsa_fixed_dh = 3
+     dss_fixed_dh = 4
++    ecdsa_sign = 64
++    rsa_fixed_ecdh = 65
++    ecdsa_fixed_ecdh = 66
+  
+ class HandshakeType:
+     hello_request = 0
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
+index 550b387..c8a913c 100644
+--- a/third_party/tlslite/tlslite/messages.py
++++ b/third_party/tlslite/tlslite/messages.py
+@@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg):
+ class CertificateRequest(HandshakeMsg):
+     def __init__(self):
+         HandshakeMsg.__init__(self, HandshakeType.certificate_request)
+-        #Apple's Secure Transport library rejects empty certificate_types, so
+-        #default to rsa_sign.
+-        self.certificate_types = [ClientCertificateType.rsa_sign]
++        self.certificate_types = []
+         self.certificate_authorities = []
+ 
+     def create(self, certificate_types, certificate_authorities):
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
+index e6f7820..044ad59 100644
+--- a/third_party/tlslite/tlslite/tlsconnection.py
++++ b/third_party/tlslite/tlslite/tlsconnection.py
+@@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer):
+     def handshakeServer(self, verifierDB=None,
+                         certChain=None, privateKey=None, reqCert=False,
+                         sessionCache=None, settings=None, checker=None,
+-                        reqCAs = None, 
++                        reqCAs = None, reqCertTypes = None,
+                         tacks=None, activationFlags=0,
+                         nextProtos=None, anon=False,
+                         tlsIntolerant=None, signedCertTimestamps=None,
+@@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer):
+         will be sent along with a certificate request. This does not affect
+         verification.        
+ 
++        @type reqCertTypes: list of int
++        @param reqCertTypes: A list of certificate_type values to be sent
++        along with a certificate request. This does not affect verification.
++
+         @type nextProtos: list of strings.
+         @param nextProtos: A list of upper layer protocols to expose to the
+         clients through the Next-Protocol Negotiation Extension, 
+@@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer):
+         """
+         for result in self.handshakeServerAsync(verifierDB,
+                 certChain, privateKey, reqCert, sessionCache, settings,
+-                checker, reqCAs, 
++                checker, reqCAs, reqCertTypes,
+                 tacks=tacks, activationFlags=activationFlags, 
+                 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
+                 signedCertTimestamps=signedCertTimestamps,
+@@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer):
+     def handshakeServerAsync(self, verifierDB=None,
+                              certChain=None, privateKey=None, reqCert=False,
+                              sessionCache=None, settings=None, checker=None,
+-                             reqCAs=None, 
++                             reqCAs=None, reqCertTypes=None,
+                              tacks=None, activationFlags=0,
+                              nextProtos=None, anon=False,
+                              tlsIntolerant=None,
+@@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer):
+             verifierDB=verifierDB, certChain=certChain,
+             privateKey=privateKey, reqCert=reqCert,
+             sessionCache=sessionCache, settings=settings, 
+-            reqCAs=reqCAs, 
++            reqCAs=reqCAs, reqCertTypes=reqCertTypes,
+             tacks=tacks, activationFlags=activationFlags, 
+             nextProtos=nextProtos, anon=anon,
+             tlsIntolerant=tlsIntolerant,
+@@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
+ 
+     def _handshakeServerAsyncHelper(self, verifierDB,
+                              certChain, privateKey, reqCert, sessionCache,
+-                             settings, reqCAs, 
++                             settings, reqCAs, reqCertTypes,
+                              tacks, activationFlags, 
+                              nextProtos, anon,
+                              tlsIntolerant, signedCertTimestamps, fallbackSCSV,
+@@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer):
+             raise ValueError("Caller passed a privateKey but no certChain")
+         if reqCAs and not reqCert:
+             raise ValueError("Caller passed reqCAs but not reqCert")            
++        if reqCertTypes and not reqCert:
++            raise ValueError("Caller passed reqCertTypes but not reqCert")
+         if certChain and not isinstance(certChain, X509CertChain):
+             raise ValueError("Unrecognized certificate type")
+         if activationFlags and not tacks:
+@@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer):
+                 assert(False)
+             for result in self._serverCertKeyExchange(clientHello, serverHello, 
+                                         certChain, keyExchange,
+-                                        reqCert, reqCAs, cipherSuite,
++                                        reqCert, reqCAs, reqCertTypes, cipherSuite,
+                                         settings, ocspResponse):
+                 if result in (0,1): yield result
+                 else: break
+@@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer):
+ 
+     def _serverCertKeyExchange(self, clientHello, serverHello, 
+                                 serverCertChain, keyExchange,
+-                                reqCert, reqCAs, cipherSuite,
++                                reqCert, reqCAs, reqCertTypes, cipherSuite,
+                                 settings, ocspResponse):
+         #Send ServerHello, Certificate[, ServerKeyExchange]
+         #[, CertificateRequest], ServerHelloDone
+@@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer):
+         serverKeyExchange = keyExchange.makeServerKeyExchange()
+         if serverKeyExchange is not None:
+             msgs.append(serverKeyExchange)
+-        if reqCert and reqCAs:
+-            msgs.append(CertificateRequest().create(\
+-                [ClientCertificateType.rsa_sign], reqCAs))
+-        elif reqCert:
+-            msgs.append(CertificateRequest())
++        if reqCert:
++            reqCAs = reqCAs or []
++            #Apple's Secure Transport library rejects empty certificate_types,
++            #so default to rsa_sign.
++            reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
++            msgs.append(CertificateRequest().create(reqCertTypes, reqCAs))
+         msgs.append(ServerHelloDone())
+         for result in self._sendMsgs(msgs):
+             yield result
diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py
index faef6cb..562fb81 100644
--- a/third_party/tlslite/tlslite/api.py
+++ b/third_party/tlslite/tlslite/api.py
@@ -2,7 +2,8 @@
 # See the LICENSE file for legal information regarding use of this file.
 
 __version__ = "0.4.6"
-from .constants import AlertLevel, AlertDescription, Fault
+from .constants import AlertLevel, AlertDescription, ClientCertificateType, \
+                       Fault
 from .errors import *
 from .checker import Checker
 from .handshakesettings import HandshakeSettings
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index 30d1f9f..457b339 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -14,10 +14,14 @@ class CertificateType:
     openpgp = 1
 
 class ClientCertificateType:
+    # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
     rsa_sign = 1
     dss_sign = 2
     rsa_fixed_dh = 3
     dss_fixed_dh = 4
+    ecdsa_sign = 64
+    rsa_fixed_ecdh = 65
+    ecdsa_fixed_ecdh = 66
  
 class HandshakeType:
     hello_request = 0
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index 550b387..c8a913c 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg):
 class CertificateRequest(HandshakeMsg):
     def __init__(self):
         HandshakeMsg.__init__(self, HandshakeType.certificate_request)
-        #Apple's Secure Transport library rejects empty certificate_types, so
-        #default to rsa_sign.
-        self.certificate_types = [ClientCertificateType.rsa_sign]
+        self.certificate_types = []
         self.certificate_authorities = []
 
     def create(self, certificate_types, certificate_authorities):
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index e6f7820..044ad59 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer):
     def handshakeServer(self, verifierDB=None,
                         certChain=None, privateKey=None, reqCert=False,
                         sessionCache=None, settings=None, checker=None,
-                        reqCAs = None, 
+                        reqCAs = None, reqCertTypes = None,
                         tacks=None, activationFlags=0,
                         nextProtos=None, anon=False,
                         tlsIntolerant=None, signedCertTimestamps=None,
@@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer):
         will be sent along with a certificate request. This does not affect
         verification.        
 
+        @type reqCertTypes: list of int
+        @param reqCertTypes: A list of certificate_type values to be sent
+        along with a certificate request. This does not affect verification.
+
         @type nextProtos: list of strings.
         @param nextProtos: A list of upper layer protocols to expose to the
         clients through the Next-Protocol Negotiation Extension, 
@@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer):
         """
         for result in self.handshakeServerAsync(verifierDB,
                 certChain, privateKey, reqCert, sessionCache, settings,
-                checker, reqCAs, 
+                checker, reqCAs, reqCertTypes,
                 tacks=tacks, activationFlags=activationFlags, 
                 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
                 signedCertTimestamps=signedCertTimestamps,
@@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer):
     def handshakeServerAsync(self, verifierDB=None,
                              certChain=None, privateKey=None, reqCert=False,
                              sessionCache=None, settings=None, checker=None,
-                             reqCAs=None, 
+                             reqCAs=None, reqCertTypes=None,
                              tacks=None, activationFlags=0,
                              nextProtos=None, anon=False,
                              tlsIntolerant=None,
@@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer):
             verifierDB=verifierDB, certChain=certChain,
             privateKey=privateKey, reqCert=reqCert,
             sessionCache=sessionCache, settings=settings, 
-            reqCAs=reqCAs, 
+            reqCAs=reqCAs, reqCertTypes=reqCertTypes,
             tacks=tacks, activationFlags=activationFlags, 
             nextProtos=nextProtos, anon=anon,
             tlsIntolerant=tlsIntolerant,
@@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
 
     def _handshakeServerAsyncHelper(self, verifierDB,
                              certChain, privateKey, reqCert, sessionCache,
-                             settings, reqCAs, 
+                             settings, reqCAs, reqCertTypes,
                              tacks, activationFlags, 
                              nextProtos, anon,
                              tlsIntolerant, signedCertTimestamps, fallbackSCSV,
@@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer):
             raise ValueError("Caller passed a privateKey but no certChain")
         if reqCAs and not reqCert:
             raise ValueError("Caller passed reqCAs but not reqCert")            
+        if reqCertTypes and not reqCert:
+            raise ValueError("Caller passed reqCertTypes but not reqCert")
         if certChain and not isinstance(certChain, X509CertChain):
             raise ValueError("Unrecognized certificate type")
         if activationFlags and not tacks:
@@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer):
                 assert(False)
             for result in self._serverCertKeyExchange(clientHello, serverHello, 
                                         certChain, keyExchange,
-                                        reqCert, reqCAs, cipherSuite,
+                                        reqCert, reqCAs, reqCertTypes, cipherSuite,
                                         settings, ocspResponse):
                 if result in (0,1): yield result
                 else: break
@@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer):
 
     def _serverCertKeyExchange(self, clientHello, serverHello, 
                                 serverCertChain, keyExchange,
-                                reqCert, reqCAs, cipherSuite,
+                                reqCert, reqCAs, reqCertTypes, cipherSuite,
                                 settings, ocspResponse):
         #Send ServerHello, Certificate[, ServerKeyExchange]
         #[, CertificateRequest], ServerHelloDone
@@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer):
         serverKeyExchange = keyExchange.makeServerKeyExchange()
         if serverKeyExchange is not None:
             msgs.append(serverKeyExchange)
-        if reqCert and reqCAs:
-            msgs.append(CertificateRequest().create(\
-                [ClientCertificateType.rsa_sign], reqCAs))
-        elif reqCert:
-            msgs.append(CertificateRequest())
+        if reqCert:
+            reqCAs = reqCAs or []
+            #Apple's Secure Transport library rejects empty certificate_types,
+            #so default to rsa_sign.
+            reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
+            msgs.append(CertificateRequest().create(reqCertTypes, reqCAs))
         msgs.append(ServerHelloDone())
         for result in self._sendMsgs(msgs):
             yield result
author	davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-05-20 21:51:44 +0000
committer	davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98>	2014-05-20 21:51:44 +0000
commit	c078770418d4be5f03f8b034629a0565aa835676 (patch)
tree	153498003655fdd3a8d939c4953a2fc1d6a4d0b8 /third_party/tlslite
parent	e36de1252da64a0efcfaf0306d8d7206c101065c (diff)
download	chromium_src-c078770418d4be5f03f8b034629a0565aa835676.zip chromium_src-c078770418d4be5f03f8b034629a0565aa835676.tar.gz chromium_src-c078770418d4be5f03f8b034629a0565aa835676.tar.bz2