
Unified Diff: third_party/tlslite/tlslite/tlsconnection.py

Issue 257513008: Populate cert_key_types on OpenSSL. (Closed) Base URL: svn://svn.chromium.org/chrome/trunk/src
Patch Set: Line length (try jobs on #8) Created 6 years, 7 months ago
Index: third_party/tlslite/tlslite/tlsconnection.py
diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
index e6f7820dc6f0f0badd98222ce5b8f6a3a6c24e8c..044ad5969a73bed819c3036a6983383119c8ec23 100644
--- a/third_party/tlslite/tlslite/tlsconnection.py
+++ b/third_party/tlslite/tlslite/tlsconnection.py
@@ -1062,7 +1062,7 @@ class TLSConnection(TLSRecordLayer):
def handshakeServer(self, verifierDB=None,
certChain=None, privateKey=None, reqCert=False,
sessionCache=None, settings=None, checker=None,
- reqCAs = None,
+ reqCAs = None, reqCertTypes = None,
tacks=None, activationFlags=0,
nextProtos=None, anon=False,
tlsIntolerant=None, signedCertTimestamps=None,
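Review bot: The new default `reqCAs = None, reqCertTypes = None` keeps spaces around `=`, which differs from every other default in this signature (`certChain=None`, `reqCert=False`) and from the same pair as written in handshakeServerAsync (`reqCAs=None, reqCertTypes=None`). Since this line is being touched anyway, `reqCAs=None, reqCertTypes=None,` would make the two public signatures consistent and PEP 8-conformant. handshakeServer's body continues past this hunk.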
@@ -1130,6 +1130,10 @@ class TLSConnection(TLSRecordLayer):
will be sent along with a certificate request. This does not affect
verification.
+ @type reqCertTypes: list of int
+ @param reqCertTypes: A list of certificate_type values to be sent
+ along with a certificate request. This does not affect verification.
+
@type nextProtos: list of strings.
@param nextProtos: A list of upper layer protocols to expose to the
clients through the Next-Protocol Negotiation Extension,
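Review bot: The new @param reqCertTypes entry does not say which values are expected or what is sent when the argument is omitted, so a caller cannot tell from the docstring that rsa_sign is substituted by default (the substitution is visible in _serverCertKeyExchange further down this diff). Suggest `@param reqCertTypes: A list of certificate_type values (ClientCertificateType constants) to be sent along with a certificate request; if omitted or empty, rsa_sign is sent. This does not affect verification.`. The docstring belongs to handshakeServer, whose signature is in the previous hunk and whose body continues after this one.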
@@ -1169,7 +1173,7 @@ class TLSConnection(TLSRecordLayer):
"""
for result in self.handshakeServerAsync(verifierDB,
certChain, privateKey, reqCert, sessionCache, settings,
- checker, reqCAs,
+ checker, reqCAs, reqCertTypes,
tacks=tacks, activationFlags=activationFlags,
nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant,
signedCertTimestamps=signedCertTimestamps,
@@ -1180,7 +1184,7 @@ class TLSConnection(TLSRecordLayer):
def handshakeServerAsync(self, verifierDB=None,
certChain=None, privateKey=None, reqCert=False,
sessionCache=None, settings=None, checker=None,
- reqCAs=None,
+ reqCAs=None, reqCertTypes=None,
tacks=None, activationFlags=0,
nextProtos=None, anon=False,
tlsIntolerant=None,
@@ -1203,7 +1207,7 @@ class TLSConnection(TLSRecordLayer):
verifierDB=verifierDB, certChain=certChain,
privateKey=privateKey, reqCert=reqCert,
sessionCache=sessionCache, settings=settings,
- reqCAs=reqCAs,
+ reqCAs=reqCAs, reqCertTypes=reqCertTypes,
tacks=tacks, activationFlags=activationFlags,
nextProtos=nextProtos, anon=anon,
tlsIntolerant=tlsIntolerant,
@@ -1216,7 +1220,7 @@ class TLSConnection(TLSRecordLayer):
def _handshakeServerAsyncHelper(self, verifierDB,
certChain, privateKey, reqCert, sessionCache,
- settings, reqCAs,
+ settings, reqCAs, reqCertTypes,
tacks, activationFlags,
nextProtos, anon,
tlsIntolerant, signedCertTimestamps, fallbackSCSV,
@@ -1232,6 +1236,8 @@ class TLSConnection(TLSRecordLayer):
raise ValueError("Caller passed a privateKey but no certChain")
if reqCAs and not reqCert:
raise ValueError("Caller passed reqCAs but not reqCert")
+ if reqCertTypes and not reqCert:
+ raise ValueError("Caller passed reqCertTypes but not reqCert")
if certChain and not isinstance(certChain, X509CertChain):
raise ValueError("Unrecognized certificate type")
if activationFlags and not tacks:
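Review bot: The added check only rejects reqCertTypes when reqCert is false; nothing validates the list's contents, which are later handed to CertificateRequest().create() and written into the handshake message. Each certificate_type is a single byte on the wire, so a non-int or a value outside 0..255 would presumably only fail at serialization time, or be silently truncated, depending on how the message writer encodes it — a check next to the existing one fails early with a clear message: `if reqCertTypes and any(not isinstance(t, int) or not 0 <= t <= 255 for t in reqCertTypes): raise ValueError("reqCertTypes must contain integers in 0..255")`. _handshakeServerAsyncHelper starts before and continues after this hunk.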
@@ -1320,7 +1326,7 @@ class TLSConnection(TLSRecordLayer):
assert(False)
for result in self._serverCertKeyExchange(clientHello, serverHello,
certChain, keyExchange,
- reqCert, reqCAs, cipherSuite,
+ reqCert, reqCAs, reqCertTypes, cipherSuite,
settings, ocspResponse):
if result in (0,1): yield result
else: break
@@ -1597,7 +1603,7 @@ class TLSConnection(TLSRecordLayer):
def _serverCertKeyExchange(self, clientHello, serverHello,
serverCertChain, keyExchange,
- reqCert, reqCAs, cipherSuite,
+ reqCert, reqCAs, reqCertTypes, cipherSuite,
settings, ocspResponse):
#Send ServerHello, Certificate[, ServerKeyExchange]
#[, CertificateRequest], ServerHelloDone
@@ -1613,11 +1619,12 @@ class TLSConnection(TLSRecordLayer):
serverKeyExchange = keyExchange.makeServerKeyExchange()
if serverKeyExchange is not None:
msgs.append(serverKeyExchange)
- if reqCert and reqCAs:
- msgs.append(CertificateRequest().create(\
- [ClientCertificateType.rsa_sign], reqCAs))
- elif reqCert:
- msgs.append(CertificateRequest())
+ if reqCert:
+ reqCAs = reqCAs or []
+ #Apple's Secure Transport library rejects empty certificate_types,
+ #so default to rsa_sign.
+ reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
+ msgs.append(CertificateRequest().create(reqCertTypes, reqCAs))
msgs.append(ServerHelloDone())
for result in self._sendMsgs(msgs):
yield result
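Review bot: The comment attributing the rsa_sign default to Apple's Secure Transport understates the requirement: RFC 5246 §7.4.4 defines `certificate_types<1..2^8-1>`, so a CertificateRequest with an empty certificate_types vector is malformed for any conforming peer, not merely a Secure Transport quirk. Suggest `#RFC 5246 7.4.4 requires at least one certificate_type (Secure Transport enforces this), so default to rsa_sign.`. Note also that `reqCAs = reqCAs or []` and `reqCertTypes = reqCertTypes or [...]` rebind the parameters, so an explicitly empty reqCertTypes list is silently replaced by rsa_sign; if callers should never pass an empty list, the ValueError checks in _handshakeServerAsyncHelper are the place to reject it rather than masking it here. _serverCertKeyExchange starts before this hunk.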
