Implement Token Binding Negotiation in tlslite

third_party/tlslite/tlslite/handshakesettings.py

 # Authors: 
 #   Trevor Perrin
 #   Dave Baggett (Arcode Corporation) - cleanup handling of constants
 #   Yngve Pettersen (ported by Paul Sokolovsky) - TLS 1.2
 #
 # See the LICENSE file for legal information regarding use of this file.
 
 """Class for setting handshake parameters."""
 
 from .constants import CertificateType
@@ skipping 97 matching lines @@
     @type useExperimentalTackExtension: bool
     @ivar useExperimentalTackExtension: Whether to enabled TACK support.
 
     @type alertAfterHandshake: bool
     @ivar alertAfterHandshake: If true, the server will send a fatal
     alert immediately after the handshake completes.
 
     @type enableExtendedMasterSecret: bool
     @ivar enableExtendedMasterSecret: If true, the server supports the extended
     master secret TLS extension and will negotiated it with supporting clients.
+
+    @type supportedTokenBindingParams: list
+    @ivar supportedTokenBindingParams: A list of token binding parameters that
+    the server supports when negotiating token binding. List values are integers
+    corresponding to the TokenBindingKeyParameters enum in the Token Binding
+    Negotiation spec (draft-ietf-tokbind-negotiation-00). Values are in server's
+    preference order, with most preferred params first.
     
     Note that TACK support is not standardized by IETF and uses a temporary
     TLS Extension number, so should NOT be used in production software.
     """
     def __init__(self):
         self.minKeySize = 1023
         self.maxKeySize = 8193
         self.cipherNames = CIPHER_NAMES
         self.macNames = MAC_NAMES
         self.keyExchangeNames = KEY_EXCHANGE_NAMES
         self.cipherImplementations = CIPHER_IMPLEMENTATIONS
         self.certificateTypes = CERTIFICATE_TYPES
         self.minVersion = (3,1)
         self.maxVersion = (3,3)
         self.tlsIntolerant = None
         self.tlsIntoleranceType = 'alert'
         self.useExperimentalTackExtension = False
         self.alertAfterHandshake = False
         self.enableExtendedMasterSecret = True
+        self.supportedTokenBindingParams = []
 
     # Validates the min/max fields, and certificateTypes
     # Filters out unsupported cipherNames and cipherImplementations
     def _filter(self):
         other = HandshakeSettings()
         other.minKeySize = self.minKeySize
         other.maxKeySize = self.maxKeySize
         other.cipherNames = self.cipherNames
         other.macNames = self.macNames
         other.keyExchangeNames = self.keyExchangeNames
         other.cipherImplementations = self.cipherImplementations
         other.certificateTypes = self.certificateTypes
         other.minVersion = self.minVersion
         other.maxVersion = self.maxVersion
         other.tlsIntolerant = self.tlsIntolerant
         other.tlsIntoleranceType = self.tlsIntoleranceType
         other.alertAfterHandshake = self.alertAfterHandshake
         other.enableExtendedMasterSecret = self.enableExtendedMasterSecret
+        other.supportedTokenBindingParams = self.supportedTokenBindingParams
 
         if not cipherfactory.tripleDESPresent:
             other.cipherNames = [e for e in self.cipherNames if e != "3des"]
         if len(other.cipherNames)==0:
             raise ValueError("No supported ciphers")
         if len(other.certificateTypes)==0:
             raise ValueError("No supported certificate types")
 
         if not cryptomath.m2cryptoLoaded:
             other.cipherImplementations = \
@@ skipping 44 matching lines @@
         return other
 
     def _getCertificateTypes(self):
         l = []
         for ct in self.certificateTypes:
             if ct == "x509":
                 l.append(CertificateType.x509)
             else:
                 raise AssertionError()
         return l