third_party/tlslite/patches/ca_request.patch


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176

Only in chromium: patches
diff -aur tlslite-0.3.8/tlslite/TLSConnection.py chromium/tlslite/TLSConnection.py
--- tlslite-0.3.8/tlslite/TLSConnection.py	2004-10-06 01:55:37.000000000 -0400
+++ chromium/tlslite/TLSConnection.py	2010-08-18 22:17:30.962786700 -0400
@@ -931,7 +931,8 @@
 
     def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
                         certChain=None, privateKey=None, reqCert=False,
-                        sessionCache=None, settings=None, checker=None):
+                        sessionCache=None, settings=None, checker=None,
+                        reqCAs=None):
         """Perform a handshake in the role of server.
 
         This function performs an SSL or TLS handshake.  Depending on
@@ -997,6 +998,11 @@
         invoked to examine the other party's authentication
         credentials, if the handshake completes succesfully.
 
+        @type reqCAs: list of L{array.array} of unsigned bytes
+        @param reqCAs: A collection of DER-encoded DistinguishedNames that
+        will be sent along with a certificate request. This does not affect
+        verification.
+
         @raise socket.error: If a socket error occurs.
         @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
         without a preceding alert.
@@ -1006,13 +1012,14 @@
         """
         for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
                 certChain, privateKey, reqCert, sessionCache, settings,
-                checker):
+                checker, reqCAs):
             pass
 
 
     def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
                              certChain=None, privateKey=None, reqCert=False,
-                             sessionCache=None, settings=None, checker=None):
+                             sessionCache=None, settings=None, checker=None,
+                             reqCAs=None):
         """Start a server handshake operation on the TLS connection.
 
         This function returns a generator which behaves similarly to
@@ -1028,14 +1035,15 @@
             sharedKeyDB=sharedKeyDB,
             verifierDB=verifierDB, certChain=certChain,
             privateKey=privateKey, reqCert=reqCert,
-            sessionCache=sessionCache, settings=settings)
+            sessionCache=sessionCache, settings=settings,
+            reqCAs=reqCAs)
         for result in self._handshakeWrapperAsync(handshaker, checker):
             yield result
 
 
     def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
                              certChain, privateKey, reqCert, sessionCache,
-                             settings):
+                             settings, reqCAs):
 
         self._handshakeStart(client=False)
 
@@ -1045,6 +1053,8 @@
             raise ValueError("Caller passed a certChain but no privateKey")
         if privateKey and not certChain:
             raise ValueError("Caller passed a privateKey but no certChain")
+        if reqCAs and not reqCert:
+            raise ValueError("Caller passed reqCAs but not reqCert")
 
         if not settings:
             settings = HandshakeSettings()
@@ -1380,7 +1390,9 @@
             msgs.append(ServerHello().create(self.version, serverRandom,
                         sessionID, cipherSuite, certificateType))
             msgs.append(Certificate(certificateType).create(serverCertChain))
-            if reqCert:
+            if reqCert and reqCAs:
+                msgs.append(CertificateRequest().create([], reqCAs))
+            elif reqCert:
                 msgs.append(CertificateRequest())
             msgs.append(ServerHelloDone())
             for result in self._sendMsgs(msgs):
diff -aur tlslite-0.3.8/tlslite/X509.py chromium/tlslite/X509.py
--- tlslite-0.3.8/tlslite/X509.py	2004-03-19 21:43:19.000000000 -0400
+++ chromium/tlslite/X509.py	2010-08-18 22:17:30.967787000 -0400
@@ -13,11 +13,15 @@
 
     @type publicKey: L{tlslite.utils.RSAKey.RSAKey}
     @ivar publicKey: The subject public key from the certificate.
+
+    @type subject: L{array.array} of unsigned bytes
+    @ivar subject: The DER-encoded ASN.1 subject distinguished name.
     """
 
     def __init__(self):
         self.bytes = createByteArraySequence([])
         self.publicKey = None
+        self.subject = None
 
     def parse(self, s):
         """Parse a PEM-encoded X.509 certificate.
@@ -63,6 +67,10 @@
         else:
             subjectPublicKeyInfoIndex = 5
 
+        #Get the subject
+        self.subject = tbsCertificateP.getChildBytes(\
+                           subjectPublicKeyInfoIndex - 1)
+
         #Get the subjectPublicKeyInfo
         subjectPublicKeyInfoP = tbsCertificateP.getChild(\
                                     subjectPublicKeyInfoIndex)
diff -aur tlslite-0.3.8/tlslite/messages.py chromium/tlslite/messages.py
--- tlslite-0.3.8/tlslite/messages.py	2004-10-06 01:01:24.000000000 -0400
+++ chromium/tlslite/messages.py	2010-08-18 22:17:30.976787500 -0400
@@ -338,8 +338,7 @@
     def __init__(self):
         self.contentType = ContentType.handshake
         self.certificate_types = []
-        #treat as opaque bytes for now
-        self.certificate_authorities = createByteArraySequence([])
+        self.certificate_authorities = []
 
     def create(self, certificate_types, certificate_authorities):
         self.certificate_types = certificate_types
@@ -349,7 +348,13 @@
     def parse(self, p):
         p.startLengthCheck(3)
         self.certificate_types = p.getVarList(1, 1)
-        self.certificate_authorities = p.getVarBytes(2)
+        ca_list_length = p.get(2)
+        index = 0
+        self.certificate_authorities = []
+        while index != ca_list_length:
+          ca_bytes = p.getVarBytes(2)
+          self.certificate_authorities.append(ca_bytes)
+          index += len(ca_bytes)+2
         p.stopLengthCheck()
         return self
 
@@ -357,7 +362,14 @@
         w = HandshakeMsg.preWrite(self, HandshakeType.certificate_request,
                                   trial)
         w.addVarSeq(self.certificate_types, 1, 1)
-        w.addVarSeq(self.certificate_authorities, 1, 2)
+        caLength = 0
+        #determine length
+        for ca_dn in self.certificate_authorities:
+            caLength += len(ca_dn)+2
+        w.add(caLength, 2)
+        #add bytes
+        for ca_dn in self.certificate_authorities:
+            w.addVarSeq(ca_dn, 1, 2)
         return HandshakeMsg.postWrite(self, w, trial)
 
 class ServerKeyExchange(HandshakeMsg):
diff -aur tlslite-0.3.8/tlslite/utils/ASN1Parser.py chromium/tlslite/utils/ASN1Parser.py
--- tlslite-0.3.8/tlslite/utils/ASN1Parser.py	2004-10-06 01:02:40.000000000 -0400
+++ chromium/tlslite/utils/ASN1Parser.py	2010-08-18 22:17:30.979787700 -0400
@@ -16,13 +16,16 @@
 
     #Assuming this is a sequence...
     def getChild(self, which):
+        return ASN1Parser(self.getChildBytes(which))
+
+    def getChildBytes(self, which):
         p = Parser(self.value)
         for x in range(which+1):
             markIndex = p.index
             p.get(1) #skip Type
             length = self._getASN1Length(p)
             p.getFixBytes(length)
-        return ASN1Parser(p.bytes[markIndex : p.index])
+        return p.bytes[markIndex : p.index]
 
     #Decode the ASN.1 DER length field
     def _getASN1Length(self, p):