From 65a3b914585cee20f1c8b213c82eaa2a5da0cb25 Mon Sep 17 00:00:00 2001
From: "davidben@chromium.org"
Date: Sat, 21 Aug 2010 05:46:58 +0000
Subject: Reintegrate certificate selection in HttpNetworkTransaction DoLoop

The HttpNetworkTransaction refactor intercepts the client auth handling and moves it out of DoLoop. Because HandleCertificateRequest often switches states, this caused a DCHECK and crash in some circumstances. This reintegrates it and adds unit tests to catch the DCHECK. We really want to test sending a legitimate certificate, as well as more checking interesting errors, but we cannot import temporary keys yet. We also add a patch for tlslite to send a non-empty certificate_types. Apple's SSL implementation raises a protocol error otherwise.
BUG=52744,51132,52778
TEST=SSLClientSocketTest.ConnectClientAuth*,URLRequestTest.ClientAuthTest
Review URL: http://codereview.chromium.org/3141026
git-svn-id: svn://svn.chromium.org/chrome/trunk/src@56983 0039d316-1c4b-4281-b951-d872f2087c98
---
 third_party/tlslite/README.chromium | 4 +++
 .../tlslite/patches/send_certificate_types.patch | 32 ++++++++++++++++++++++
 third_party/tlslite/tlslite/constants.py | 6 ++++
 third_party/tlslite/tlslite/messages.py | 6 ++--
 4 files changed, 46 insertions(+), 2 deletions(-)
 create mode 100644 third_party/tlslite/patches/send_certificate_types.patch
(limited to 'third_party/tlslite')
diff --git a/third_party/tlslite/README.chromium b/third_party/tlslite/README.chromium
index 792d7e4..3fc9665 100644
--- a/third_party/tlslite/README.chromium
+++ b/third_party/tlslite/README.chromium
@@ -21,3 +21,7 @@ Local Modifications:
 of byte arrays, each containing a DER-encoded distinguished name. tlslite/TLSConnection.py was changed to take a list of such byte arrays when creating a TLS server that will request client authentication.
+- patches/send_certificate_types.patch: tlslite/message.py was changed to
+ default to a certificate_types of [rsa_sign] in CertificateRequest. Apple's
+ Secure Transport library rejects an empty list and raises an SSL protocol
+ error.
diff --git a/third_party/tlslite/patches/send_certificate_types.patch b/third_party/tlslite/patches/send_certificate_types.patch
new file mode 100644
index 0000000..14b2935
--- /dev/null
+++ b/third_party/tlslite/patches/send_certificate_types.patch
@@ -0,0 +1,32 @@
+diff --git a/tlslite/constants.py b/tlslite/constants.py
+index 8f2d559..04302c0 100644
+--- a/tlslite/constants.py
++++ b/tlslite/constants.py
+@@ -5,6 +5,12 @@ class CertificateType:
+ openpgp = 1
+ cryptoID = 2
+ 
++class ClientCertificateType:
++ rsa_sign = 1
++ dss_sign = 2
++ rsa_fixed_dh = 3
++ dss_fixed_dh = 4
++ 
+ class HandshakeType:
+ hello_request = 0
+ client_hello = 1
+diff --git a/tlslite/messages.py b/tlslite/messages.py
+index 06c46b9..8bcec2c 100644
+--- a/tlslite/messages.py
++++ b/tlslite/messages.py
+@@ -346,7 +346,9 @@ class Certificate(HandshakeMsg):
+ class CertificateRequest(HandshakeMsg):
+ def __init__(self):
+ self.contentType = ContentType.handshake
+- self.certificate_types = []
++ #Apple's implementation rejects empty certificate_types, so
++ #default to rsa_sign.
++ self.certificate_types = [ClientCertificateType.rsa_sign]
+ #treat as opaque bytes for now
+ self.certificate_authorities = createByteArraySequence([])
+ 
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index 8f2d559..04302c0 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
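Review bot: The messages.py hunk stored in send_certificate_types.patch does not match what this commit applies to tlslite/messages.py: the patch file's comment reads `#Apple's implementation rejects empty certificate_types, so` while the tree's line reads `#Apple's Secure Transport library rejects empty certificate_types, so`, and the patch's context lines carry upstream's `createByteArraySequence([])` form rather than the tree's `self.certificate_authorities = []`. Replaying the patch series from upstream would therefore not reproduce the checked-in file byte for byte. The context difference is expected if this patch is meant to apply before the earlier local modifications listed in README.chromium, but the comment text should be identical in both places. Also, the README entry added in this commit names `tlslite/message.py`; the changed file is `tlslite/messages.py`.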
@@ -5,6 +5,12 @@ class CertificateType:
 openpgp = 1
 cryptoID = 2
+class ClientCertificateType:
+ rsa_sign = 1
+ dss_sign = 2
+ rsa_fixed_dh = 3
+ dss_fixed_dh = 4
+
 class HandshakeType:
 hello_request = 0
 client_hello = 1
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index fb4cc21..dc6ed32 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -346,7 +346,9 @@ class Certificate(HandshakeMsg):
 class CertificateRequest(HandshakeMsg):
 def __init__(self):
 self.contentType = ContentType.handshake
- self.certificate_types = []
+ #Apple's Secure Transport library rejects empty certificate_types, so
+ #default to rsa_sign.
+ self.certificate_types = [ClientCertificateType.rsa_sign]
 self.certificate_authorities = []
 def create(self, certificate_types, certificate_authorities):
@@ -579,4 +581,4 @@ class ApplicationData(Msg):
 return self
 def write(self):
- return self.bytes
\ No newline at end of file
+ return self.bytes
-- cgit v1.1
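Review bot: The new `ClientCertificateType` class carries no comment saying where its values come from or how it differs from the `CertificateType` class directly above it, whose `openpgp`/`cryptoID` members belong to a different code space; the similar names invite mixing the two up when a received CertificateRequest is validated. A one-line comment above the class, `# ClientCertificateType codes from the TLS CertificateRequest message (RFC 2246 / RFC 5246 section 7.4.4); unrelated to the certificate-format values in CertificateType above.`, would pin this down. The four constants match the values assigned in those RFCs.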
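Review bot: Changing the constructor default to `[ClientCertificateType.rsa_sign]` only helps a CertificateRequest that is never populated afterwards; `create(self, certificate_types, certificate_authorities)`, whose body lies outside this hunk, presumably assigns `certificate_types` unconditionally, so a server that passes an empty list there still emits the empty certificate_types that Secure Transport rejects. If that is so, the non-empty guarantee belongs where the field is finally set, in `create()` or at serialization in `write()`, for example `self.certificate_types = certificate_types or [ClientCertificateType.rsa_sign]`. The default also bakes an RSA-only preference into the constructor; the comment should say so, so that a future DSS or fixed-DH test setup knows to pass its own list.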