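diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py
index faef6cb..562fb81 100644
--- a/third_party/tlslite/tlslite/api.py
+++ b/third_party/tlslite/tlslite/api.py
@@ -2,7 +2,8 @@
 # See the LICENSE file for legal information regarding use of this file.
 
 __version__ = "0.4.6"
-from .constants import AlertLevel, AlertDescription, Fault
+from .constants import AlertLevel, AlertDescription, ClientCertificateType, \
+ Fault
 from .errors import *
 from .checker import Checker
 from .handshakesettings import HandshakeSettings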
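diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index 30d1f9f..457b339 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -14,10 +14,14 @@ class CertificateType:
 openpgp = 1
 
 class ClientCertificateType:
+ # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2
 rsa_sign = 1
 dss_sign = 2
 rsa_fixed_dh = 3
 dss_fixed_dh = 4
+ ecdsa_sign = 64
+ rsa_fixed_ecdh = 65
+ ecdsa_fixed_ecdh = 66
 
 class HandshakeType:
 hello_request = 0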
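diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index 550b387..c8a913c 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -454,9 +454,7 @@ class CertificateStatus(HandshakeMsg):
 class CertificateRequest(HandshakeMsg):
 def __init__(self):
 HandshakeMsg.__init__(self, HandshakeType.certificate_request)
- #Apple's Secure Transport library rejects empty certificate_types, so
- #default to rsa_sign.
- self.certificate_types = [ClientCertificateType.rsa_sign]
+ self.certificate_types = []
 self.certificate_authorities = []
 
 def create(self, certificate_types, certificate_authorities):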
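Review bot: `CertificateRequest.__init__` now leaves `certificate_types` empty and drops the only comment that explained why an empty list is a problem, so a reader of this class can no longer tell that a message built by the bare constructor and sent as-is would carry a certificate_types list some clients reject. The workaround has moved to the server path, but that is not visible from here. A one-line comment on the new assignment would keep the rationale next to the field, e.g. `#Empty until create() (or the parsing path) fills it; an empty list on the wire is rejected by some clients, so tlsconnection.py substitutes a default before sending.` The `create` method starts in this hunk but its body is outside it.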
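diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index e6f7820..044ad59 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer):
 def handshakeServer(self, verifierDB=None,
 certChain=None, privateKey=None, reqCert=False,
 sessionCache=None, settings=None, checker=None,
- reqCAs = None,
+ reqCAs = None, reqCertTypes = None,
 tacks=None, activationFlags=0,
 nextProtos=None, anon=False,
 tlsIntolerant=None, signedCertTimestamps=None,
@@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer):
 will be sent along with a certificate request. This does not affect
 verification.
 
+ @type reqCertTypes: list of int
+ @param reqCertTypes: A list of certificate_type values to be sent
+ along with a certificate request. This does not affect verification.
+
 @type nextProtos: list of strings.
 @param nextProtos: A list of upper layer protocols to expose to the
 clients through the Next-Protocol Negotiation Extension,
@@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer):
 """
 for result in self.handshakeServerAsync(verifierDB,
 certChain, privateKey, reqCert, sessionCache, settings,
- checker, reqCAs,
+ checker, reqCAs, reqCertTypes,
 tacks=tacks, activationFlags=activationFlags,
 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
 signedCertTimestamps=signedCertTimestamps,
@@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer):
 def handshakeServerAsync(self, verifierDB=None,
 certChain=None, privateKey=None, reqCert=False,
 sessionCache=None, settings=None, checker=None,
- reqCAs=None,
+ reqCAs=None, reqCertTypes=None,
 tacks=None, activationFlags=0,
 nextProtos=None, anon=False,
 tlsIntolerant=None,
@@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer):
 verifierDB=verifierDB, certChain=certChain,
 privateKey=privateKey, reqCert=reqCert,
 sessionCache=sessionCache, settings=settings,
- reqCAs=reqCAs,
+ reqCAs=reqCAs, reqCertTypes=reqCertTypes,
 tacks=tacks, activationFlags=activationFlags,
 nextProtos=nextProtos, anon=anon,
 tlsIntolerant=tlsIntolerant,
@@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
 
 def _handshakeServerAsyncHelper(self, verifierDB,
 certChain, privateKey, reqCert, sessionCache,
- settings, reqCAs,
+ settings, reqCAs, reqCertTypes,
 tacks, activationFlags,
 nextProtos, anon,
 tlsIntolerant, signedCertTimestamps, fallbackSCSV,
@@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer):
 raise ValueError("Caller passed a privateKey but no certChain")
 if reqCAs and not reqCert:
 raise ValueError("Caller passed reqCAs but not reqCert")
+ if reqCertTypes and not reqCert:
+ raise ValueError("Caller passed reqCertTypes but not reqCert")
 if certChain and not isinstance(certChain, X509CertChain):
 raise ValueError("Unrecognized certificate type")
 if activationFlags and not tacks:
@@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer):
 assert(False)
 for result in self._serverCertKeyExchange(clientHello, serverHello,
 certChain, keyExchange,
- reqCert, reqCAs, cipherSuite,
+ reqCert, reqCAs, reqCertTypes, cipherSuite,
 settings, ocspResponse):
 if result in (0,1): yield result
 else: break
@@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer):
 
 def _serverCertKeyExchange(self, clientHello, serverHello,
 serverCertChain, keyExchange,
- reqCert, reqCAs, cipherSuite,
+ reqCert, reqCAs, reqCertTypes, cipherSuite,
 settings, ocspResponse):
 #Send ServerHello, Certificate[, ServerKeyExchange]
 #[, CertificateRequest], ServerHelloDone
@@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer):
 serverKeyExchange = keyExchange.makeServerKeyExchange()
 if serverKeyExchange is not None:
 msgs.append(serverKeyExchange)
- if reqCert and reqCAs:
- msgs.append(CertificateRequest().create(\
- [ClientCertificateType.rsa_sign], reqCAs))
- elif reqCert:
- msgs.append(CertificateRequest())
+ if reqCert:
+ reqCAs = reqCAs or []
+ #Apple's Secure Transport library rejects empty certificate_types,
+ #so default to rsa_sign.
+ reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
+ msgs.append(CertificateRequest().create(reqCertTypes, reqCAs))
 msgs.append(ServerHelloDone())
 for result in self._sendMsgs(msgs):
 yield result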
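Review bot: The new `reqCertTypes` values are never validated, although `reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]` in the last hunk sends them on the wire where TLS encodes each certificate_type as a single byte, so an out-of-range or non-int entry fails only at serialization, if the writer (not visible here) checks at all. The argument checks in the `@@ -1232` hunk are the natural place for an early, caller-facing error, next to the existing reqCAs check: `if reqCertTypes and any(not 0 <= t <= 255 for t in reqCertTypes): raise ValueError("reqCertTypes values must fit in one byte")`. The docstring added in the `@@ -1130` hunk also omits the fallback that the last hunk implements, so a caller who deliberately passes `[]` will not expect `rsa_sign` to be substituted; add `If omitted or empty, [ClientCertificateType.rsa_sign] is sent, since some clients reject an empty list.` Both `_handshakeServerAsyncHelper` and `_serverCertKeyExchange` continue outside their hunks.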