diff options
author | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-20 21:51:44 +0000 |
---|---|---|
committer | davidben@chromium.org <davidben@chromium.org@0039d316-1c4b-4281-b951-d872f2087c98> | 2014-05-20 21:51:44 +0000 |
commit | c078770418d4be5f03f8b034629a0565aa835676 (patch) | |
tree | 153498003655fdd3a8d939c4953a2fc1d6a4d0b8 /third_party/tlslite | |
parent | e36de1252da64a0efcfaf0306d8d7206c101065c (diff) | |
download | chromium_src-c078770418d4be5f03f8b034629a0565aa835676.zip chromium_src-c078770418d4be5f03f8b034629a0565aa835676.tar.gz chromium_src-c078770418d4be5f03f8b034629a0565aa835676.tar.bz2 |
Populate cert_key_types on OpenSSL.
Add a test to ensure it gets plumbed through correctly.
This also rolls third_party/openssl to r270417:
------------------------------------------------------------------------
r269864 | davidben@chromium.org | 2014-05-12 16:21:12 -0400 (Mon, 12 May 2014) | 7 lines
Add SSL_get_client_certificate_types.
Exposes the certificate_types parameter in a CertificateRequest.
BUG=165446
Review URL: https://codereview.chromium.org/254723002
------------------------------------------------------------------------
r270417 | davidben@chromium.org | 2014-05-14 12:27:52 -0400 (Wed, 14 May 2014) | 10 lines
Refactor ssl3_send_client_verify.
The original logic was a confusing spaghetti and mixed up initialization for
all the different cases together. Tidy it up in preparation for having to
adjust this logic later to support asynchronous crypto operations.
BUG=none
R=agl@chromium.org
Review URL: https://codereview.chromium.org//284693002
------------------------------------------------------------------------
BUG=165446
Review URL: https://codereview.chromium.org/257513008
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@271765 0039d316-1c4b-4281-b951-d872f2087c98
Diffstat (limited to 'third_party/tlslite')
-rw-r--r-- | third_party/tlslite/README.chromium | 2 | ||||
-rw-r--r-- | third_party/tlslite/patches/req_cert_types.patch | 153 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/api.py | 3 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/constants.py | 4 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/messages.py | 4 | ||||
-rw-r--r-- | third_party/tlslite/tlslite/tlsconnection.py | 31 |
6 files changed, 181 insertions, 16 deletions
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium index 28dded0..029c2db 100644 --- a/third_party/tlslite/README.chromium +++ b/third_party/tlslite/README.chromium @@ -31,3 +31,5 @@ Local Modifications: - patches/fix_test_file.patch: Fix #! line in random test file to appease our presubmit checks. - patches/dhe_rsa.patch: Implement DHE_RSA-based cipher suites. +- patches/req_cert_types.patch: Add a reqCertTypes parameter to populate the + certificate_types field of CertificateRequest. diff --git a/third_party/tlslite/patches/req_cert_types.patch b/third_party/tlslite/patches/req_cert_types.patch new file mode 100644 index 0000000..2774e77 --- /dev/null +++ b/third_party/tlslite/patches/req_cert_types.patch @@ -0,0 +1,153 @@ +diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py +index faef6cb..562fb81 100644 +--- a/third_party/tlslite/tlslite/api.py ++++ b/third_party/tlslite/tlslite/api.py +@@ -2,7 +2,8 @@ + # See the LICENSE file for legal information regarding use of this file. + + __version__ = "0.4.6" +-from .constants import AlertLevel, AlertDescription, Fault ++from .constants import AlertLevel, AlertDescription, ClientCertificateType, \ ++ Fault + from .errors import * + from .checker import Checker + from .handshakesettings import HandshakeSettings +diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py +index 30d1f9f..457b339 100644 +--- a/third_party/tlslite/tlslite/constants.py ++++ b/third_party/tlslite/tlslite/constants.py +@@ -14,10 +14,14 @@ class CertificateType: + openpgp = 1 + + class ClientCertificateType: ++ # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 + rsa_sign = 1 + dss_sign = 2 + rsa_fixed_dh = 3 + dss_fixed_dh = 4 ++ ecdsa_sign = 64 ++ rsa_fixed_ecdh = 65 ++ ecdsa_fixed_ecdh = 66 + + class HandshakeType: + hello_request = 0 +diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py +index 550b387..c8a913c 100644 +--- a/third_party/tlslite/tlslite/messages.py ++++ b/third_party/tlslite/tlslite/messages.py +@@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg): + class CertificateRequest(HandshakeMsg): + def __init__(self): + HandshakeMsg.__init__(self, HandshakeType.certificate_request) +- #Apple's Secure Transport library rejects empty certificate_types, so +- #default to rsa_sign. +- self.certificate_types = [ClientCertificateType.rsa_sign] ++ self.certificate_types = [] + self.certificate_authorities = [] + + def create(self, certificate_types, certificate_authorities): +diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py +index e6f7820..044ad59 100644 +--- a/third_party/tlslite/tlslite/tlsconnection.py ++++ b/third_party/tlslite/tlslite/tlsconnection.py +@@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer): + def handshakeServer(self, verifierDB=None, + certChain=None, privateKey=None, reqCert=False, + sessionCache=None, settings=None, checker=None, +- reqCAs = None, ++ reqCAs = None, reqCertTypes = None, + tacks=None, activationFlags=0, + nextProtos=None, anon=False, + tlsIntolerant=None, signedCertTimestamps=None, +@@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer): + will be sent along with a certificate request. This does not affect + verification. + ++ @type reqCertTypes: list of int ++ @param reqCertTypes: A list of certificate_type values to be sent ++ along with a certificate request. This does not affect verification. ++ + @type nextProtos: list of strings. + @param nextProtos: A list of upper layer protocols to expose to the + clients through the Next-Protocol Negotiation Extension, +@@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer): + """ + for result in self.handshakeServerAsync(verifierDB, + certChain, privateKey, reqCert, sessionCache, settings, +- checker, reqCAs, ++ checker, reqCAs, reqCertTypes, + tacks=tacks, activationFlags=activationFlags, + nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, + signedCertTimestamps=signedCertTimestamps, +@@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer): + def handshakeServerAsync(self, verifierDB=None, + certChain=None, privateKey=None, reqCert=False, + sessionCache=None, settings=None, checker=None, +- reqCAs=None, ++ reqCAs=None, reqCertTypes=None, + tacks=None, activationFlags=0, + nextProtos=None, anon=False, + tlsIntolerant=None, +@@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer): + verifierDB=verifierDB, certChain=certChain, + privateKey=privateKey, reqCert=reqCert, + sessionCache=sessionCache, settings=settings, +- reqCAs=reqCAs, ++ reqCAs=reqCAs, reqCertTypes=reqCertTypes, + tacks=tacks, activationFlags=activationFlags, + nextProtos=nextProtos, anon=anon, + tlsIntolerant=tlsIntolerant, +@@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer): + + def _handshakeServerAsyncHelper(self, verifierDB, + certChain, privateKey, reqCert, sessionCache, +- settings, reqCAs, ++ settings, reqCAs, reqCertTypes, + tacks, activationFlags, + nextProtos, anon, + tlsIntolerant, signedCertTimestamps, fallbackSCSV, +@@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer): + raise ValueError("Caller passed a privateKey but no certChain") + if reqCAs and not reqCert: + raise ValueError("Caller passed reqCAs but not reqCert") ++ if reqCertTypes and not reqCert: ++ raise ValueError("Caller passed reqCertTypes but not reqCert") + if certChain and not isinstance(certChain, X509CertChain): + raise ValueError("Unrecognized certificate type") + if activationFlags and not tacks: +@@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer): + assert(False) + for result in self._serverCertKeyExchange(clientHello, serverHello, + certChain, keyExchange, +- reqCert, reqCAs, cipherSuite, ++ reqCert, reqCAs, reqCertTypes, cipherSuite, + settings, ocspResponse): + if result in (0,1): yield result + else: break +@@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer): + + def _serverCertKeyExchange(self, clientHello, serverHello, + serverCertChain, keyExchange, +- reqCert, reqCAs, cipherSuite, ++ reqCert, reqCAs, reqCertTypes, cipherSuite, + settings, ocspResponse): + #Send ServerHello, Certificate[, ServerKeyExchange] + #[, CertificateRequest], ServerHelloDone +@@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer): + serverKeyExchange = keyExchange.makeServerKeyExchange() + if serverKeyExchange is not None: + msgs.append(serverKeyExchange) +- if reqCert and reqCAs: +- msgs.append(CertificateRequest().create(\ +- [ClientCertificateType.rsa_sign], reqCAs)) +- elif reqCert: +- msgs.append(CertificateRequest()) ++ if reqCert: ++ reqCAs = reqCAs or [] ++ #Apple's Secure Transport library rejects empty certificate_types, ++ #so default to rsa_sign. ++ reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] ++ msgs.append(CertificateRequest().create(reqCertTypes, reqCAs)) + msgs.append(ServerHelloDone()) + for result in self._sendMsgs(msgs): + yield result diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py index faef6cb..562fb81 100644 --- a/third_party/tlslite/tlslite/api.py +++ b/third_party/tlslite/tlslite/api.py @@ -2,7 +2,8 @@ # See the LICENSE file for legal information regarding use of this file. __version__ = "0.4.6" -from .constants import AlertLevel, AlertDescription, Fault +from .constants import AlertLevel, AlertDescription, ClientCertificateType, \ + Fault from .errors import * from .checker import Checker from .handshakesettings import HandshakeSettings diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py index 30d1f9f..457b339 100644 --- a/third_party/tlslite/tlslite/constants.py +++ b/third_party/tlslite/tlslite/constants.py @@ -14,10 +14,14 @@ class CertificateType: openpgp = 1 class ClientCertificateType: + # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 rsa_sign = 1 dss_sign = 2 rsa_fixed_dh = 3 dss_fixed_dh = 4 + ecdsa_sign = 64 + rsa_fixed_ecdh = 65 + ecdsa_fixed_ecdh = 66 class HandshakeType: hello_request = 0 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py index 550b387..c8a913c 100644 --- a/third_party/tlslite/tlslite/messages.py +++ b/third_party/tlslite/tlslite/messages.py @@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg): class CertificateRequest(HandshakeMsg): def __init__(self): HandshakeMsg.__init__(self, HandshakeType.certificate_request) - #Apple's Secure Transport library rejects empty certificate_types, so - #default to rsa_sign. - self.certificate_types = [ClientCertificateType.rsa_sign] + self.certificate_types = [] self.certificate_authorities = [] def create(self, certificate_types, certificate_authorities): diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py index e6f7820..044ad59 100644 --- a/third_party/tlslite/tlslite/tlsconnection.py +++ b/third_party/tlslite/tlslite/tlsconnection.py @@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer): def handshakeServer(self, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, - reqCAs = None, + reqCAs = None, reqCertTypes = None, tacks=None, activationFlags=0, nextProtos=None, anon=False, tlsIntolerant=None, signedCertTimestamps=None, @@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer): will be sent along with a certificate request. This does not affect verification. + @type reqCertTypes: list of int + @param reqCertTypes: A list of certificate_type values to be sent + along with a certificate request. This does not affect verification. + @type nextProtos: list of strings. @param nextProtos: A list of upper layer protocols to expose to the clients through the Next-Protocol Negotiation Extension, @@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer): """ for result in self.handshakeServerAsync(verifierDB, certChain, privateKey, reqCert, sessionCache, settings, - checker, reqCAs, + checker, reqCAs, reqCertTypes, tacks=tacks, activationFlags=activationFlags, nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, signedCertTimestamps=signedCertTimestamps, @@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer): def handshakeServerAsync(self, verifierDB=None, certChain=None, privateKey=None, reqCert=False, sessionCache=None, settings=None, checker=None, - reqCAs=None, + reqCAs=None, reqCertTypes=None, tacks=None, activationFlags=0, nextProtos=None, anon=False, tlsIntolerant=None, @@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer): verifierDB=verifierDB, certChain=certChain, privateKey=privateKey, reqCert=reqCert, sessionCache=sessionCache, settings=settings, - reqCAs=reqCAs, + reqCAs=reqCAs, reqCertTypes=reqCertTypes, tacks=tacks, activationFlags=activationFlags, nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, @@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer): def _handshakeServerAsyncHelper(self, verifierDB, certChain, privateKey, reqCert, sessionCache, - settings, reqCAs, + settings, reqCAs, reqCertTypes, tacks, activationFlags, nextProtos, anon, tlsIntolerant, signedCertTimestamps, fallbackSCSV, @@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer): raise ValueError("Caller passed a privateKey but no certChain") if reqCAs and not reqCert: raise ValueError("Caller passed reqCAs but not reqCert") + if reqCertTypes and not reqCert: + raise ValueError("Caller passed reqCertTypes but not reqCert") if certChain and not isinstance(certChain, X509CertChain): raise ValueError("Unrecognized certificate type") if activationFlags and not tacks: @@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer): assert(False) for result in self._serverCertKeyExchange(clientHello, serverHello, certChain, keyExchange, - reqCert, reqCAs, cipherSuite, + reqCert, reqCAs, reqCertTypes, cipherSuite, settings, ocspResponse): if result in (0,1): yield result else: break @@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer): def _serverCertKeyExchange(self, clientHello, serverHello, serverCertChain, keyExchange, - reqCert, reqCAs, cipherSuite, + reqCert, reqCAs, reqCertTypes, cipherSuite, settings, ocspResponse): #Send ServerHello, Certificate[, ServerKeyExchange] #[, CertificateRequest], ServerHelloDone @@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer): serverKeyExchange = keyExchange.makeServerKeyExchange() if serverKeyExchange is not None: msgs.append(serverKeyExchange) - if reqCert and reqCAs: - msgs.append(CertificateRequest().create(\ - [ClientCertificateType.rsa_sign], reqCAs)) - elif reqCert: - msgs.append(CertificateRequest()) + if reqCert: + reqCAs = reqCAs or [] + #Apple's Secure Transport library rejects empty certificate_types, + #so default to rsa_sign. + reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] + msgs.append(CertificateRequest().create(reqCertTypes, reqCAs)) msgs.append(ServerHelloDone()) for result in self._sendMsgs(msgs): yield result |