1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
|
diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py
index faef6cb..562fb81 100644
--- a/third_party/tlslite/tlslite/api.py
+++ b/third_party/tlslite/tlslite/api.py
@@ -2,7 +2,8 @@
# See the LICENSE file for legal information regarding use of this file.
__version__ = "0.4.6"
-from .constants import AlertLevel, AlertDescription, Fault
+from .constants import AlertLevel, AlertDescription, ClientCertificateType, \
+ Fault
from .errors import *
from .checker import Checker
from .handshakesettings import HandshakeSettings
diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index 30d1f9f..457b339 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -14,10 +14,14 @@ class CertificateType:
openpgp = 1
class ClientCertificateType:
+ # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
rsa_sign = 1
dss_sign = 2
rsa_fixed_dh = 3
dss_fixed_dh = 4
+ ecdsa_sign = 64
+ rsa_fixed_ecdh = 65
+ ecdsa_fixed_ecdh = 66
class HandshakeType:
hello_request = 0
diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index 550b387..c8a913c 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg):
class CertificateRequest(HandshakeMsg):
def __init__(self):
HandshakeMsg.__init__(self, HandshakeType.certificate_request)
- #Apple's Secure Transport library rejects empty certificate_types, so
- #default to rsa_sign.
- self.certificate_types = [ClientCertificateType.rsa_sign]
+ self.certificate_types = []
self.certificate_authorities = []
def create(self, certificate_types, certificate_authorities):
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index e6f7820..044ad59 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer):
def handshakeServer(self, verifierDB=None,
certChain=None, privateKey=None, reqCert=False,
sessionCache=None, settings=None, checker=None,
- reqCAs = None,
+ reqCAs = None, reqCertTypes = None,
tacks=None, activationFlags=0,
nextProtos=None, anon=False,
tlsIntolerant=None, signedCertTimestamps=None,
@@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer):
will be sent along with a certificate request. This does not affect
verification.
+ @type reqCertTypes: list of int
+ @param reqCertTypes: A list of certificate_type values to be sent
+ along with a certificate request. This does not affect verification.
+
@type nextProtos: list of strings.
@param nextProtos: A list of upper layer protocols to expose to the
clients through the Next-Protocol Negotiation Extension,
@@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer):
"""
for result in self.handshakeServerAsync(verifierDB,
certChain, privateKey, reqCert, sessionCache, settings,
- checker, reqCAs,
+ checker, reqCAs, reqCertTypes,
tacks=tacks, activationFlags=activationFlags,
nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
signedCertTimestamps=signedCertTimestamps,
@@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer):
def handshakeServerAsync(self, verifierDB=None,
certChain=None, privateKey=None, reqCert=False,
sessionCache=None, settings=None, checker=None,
- reqCAs=None,
+ reqCAs=None, reqCertTypes=None,
tacks=None, activationFlags=0,
nextProtos=None, anon=False,
tlsIntolerant=None,
@@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer):
verifierDB=verifierDB, certChain=certChain,
privateKey=privateKey, reqCert=reqCert,
sessionCache=sessionCache, settings=settings,
- reqCAs=reqCAs,
+ reqCAs=reqCAs, reqCertTypes=reqCertTypes,
tacks=tacks, activationFlags=activationFlags,
nextProtos=nextProtos, anon=anon,
tlsIntolerant=tlsIntolerant,
@@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
def _handshakeServerAsyncHelper(self, verifierDB,
certChain, privateKey, reqCert, sessionCache,
- settings, reqCAs,
+ settings, reqCAs, reqCertTypes,
tacks, activationFlags,
nextProtos, anon,
tlsIntolerant, signedCertTimestamps, fallbackSCSV,
@@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer):
raise ValueError("Caller passed a privateKey but no certChain")
if reqCAs and not reqCert:
raise ValueError("Caller passed reqCAs but not reqCert")
+ if reqCertTypes and not reqCert:
+ raise ValueError("Caller passed reqCertTypes but not reqCert")
if certChain and not isinstance(certChain, X509CertChain):
raise ValueError("Unrecognized certificate type")
if activationFlags and not tacks:
@@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer):
assert(False)
for result in self._serverCertKeyExchange(clientHello, serverHello,
certChain, keyExchange,
- reqCert, reqCAs, cipherSuite,
+ reqCert, reqCAs, reqCertTypes, cipherSuite,
settings, ocspResponse):
if result in (0,1): yield result
else: break
@@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer):
def _serverCertKeyExchange(self, clientHello, serverHello,
serverCertChain, keyExchange,
- reqCert, reqCAs, cipherSuite,
+ reqCert, reqCAs, reqCertTypes, cipherSuite,
settings, ocspResponse):
#Send ServerHello, Certificate[, ServerKeyExchange]
#[, CertificateRequest], ServerHelloDone
@@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer):
serverKeyExchange = keyExchange.makeServerKeyExchange()
if serverKeyExchange is not None:
msgs.append(serverKeyExchange)
- if reqCert and reqCAs:
- msgs.append(CertificateRequest().create(\
- [ClientCertificateType.rsa_sign], reqCAs))
- elif reqCert:
- msgs.append(CertificateRequest())
+ if reqCert:
+ reqCAs = reqCAs or []
+ #Apple's Secure Transport library rejects empty certificate_types,
+ #so default to rsa_sign.
+ reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
+ msgs.append(CertificateRequest().create(reqCertTypes, reqCAs))
msgs.append(ServerHelloDone())
for result in self._sendMsgs(msgs):
yield result
|
