| Index: third_party/tlslite/patches/signed_certificate_timestamps.patch
|
| diff --git a/third_party/tlslite/patches/signed_certificate_timestamps.patch b/third_party/tlslite/patches/signed_certificate_timestamps.patch
|
| new file mode 100644
|
| index 0000000000000000000000000000000000000000..8bfe118c69fd7b765265c6811c5ba95f380f9d99
|
| --- /dev/null
|
| +++ b/third_party/tlslite/patches/signed_certificate_timestamps.patch
|
| @@ -0,0 +1,133 @@
|
| +diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
|
| +index e882e2c..3f6b736 100644
|
| +--- a/third_party/tlslite/tlslite/TLSConnection.py
|
| ++++ b/third_party/tlslite/tlslite/TLSConnection.py
|
| +@@ -936,7 +936,8 @@ class TLSConnection(TLSRecordLayer):
|
| + def handshakeServer(self, sharedKeyDB=None, verifierDB=None,
|
| + certChain=None, privateKey=None, reqCert=False,
|
| + sessionCache=None, settings=None, checker=None,
|
| +- reqCAs=None, tlsIntolerant=0):
|
| ++ reqCAs=None, tlsIntolerant=0,
|
| ++ signedCertTimestamps=None):
|
| + """Perform a handshake in the role of server.
|
| +
|
| + This function performs an SSL or TLS handshake. Depending on
|
| +@@ -1016,14 +1017,15 @@ class TLSConnection(TLSRecordLayer):
|
| + """
|
| + for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
|
| + certChain, privateKey, reqCert, sessionCache, settings,
|
| +- checker, reqCAs, tlsIntolerant):
|
| ++ checker, reqCAs, tlsIntolerant, signedCertTimestamps):
|
| + pass
|
| +
|
| +
|
| + def handshakeServerAsync(self, sharedKeyDB=None, verifierDB=None,
|
| + certChain=None, privateKey=None, reqCert=False,
|
| + sessionCache=None, settings=None, checker=None,
|
| +- reqCAs=None, tlsIntolerant=0):
|
| ++ reqCAs=None, tlsIntolerant=0,
|
| ++ signedCertTimestamps=None):
|
| + """Start a server handshake operation on the TLS connection.
|
| +
|
| + This function returns a generator which behaves similarly to
|
| +@@ -1041,14 +1043,16 @@ class TLSConnection(TLSRecordLayer):
|
| + privateKey=privateKey, reqCert=reqCert,
|
| + sessionCache=sessionCache, settings=settings,
|
| + reqCAs=reqCAs,
|
| +- tlsIntolerant=tlsIntolerant)
|
| ++ tlsIntolerant=tlsIntolerant,
|
| ++ signedCertTimestamps=signedCertTimestamps)
|
| + for result in self._handshakeWrapperAsync(handshaker, checker):
|
| + yield result
|
| +
|
| +
|
| + def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
|
| +- certChain, privateKey, reqCert, sessionCache,
|
| +- settings, reqCAs, tlsIntolerant):
|
| ++ certChain, privateKey, reqCert,
|
| ++ sessionCache, settings, reqCAs,
|
| ++ tlsIntolerant, signedCertTimestamps):
|
| +
|
| + self._handshakeStart(client=False)
|
| +
|
| +@@ -1060,6 +1064,9 @@ class TLSConnection(TLSRecordLayer):
|
| + raise ValueError("Caller passed a privateKey but no certChain")
|
| + if reqCAs and not reqCert:
|
| + raise ValueError("Caller passed reqCAs but not reqCert")
|
| ++ if signedCertTimestamps and not certChain:
|
| ++ raise ValueError("Caller passed signedCertTimestamps but no "
|
| ++ "certChain")
|
| +
|
| + if not settings:
|
| + settings = HandshakeSettings()
|
| +@@ -1415,6 +1422,8 @@ class TLSConnection(TLSRecordLayer):
|
| + self.version, serverRandom,
|
| + sessionID, cipherSuite, certificateType)
|
| + serverHello.channel_id = clientHello.channel_id
|
| ++ if clientHello.signed_cert_timestamps:
|
| ++ serverHello.signed_cert_timestamps = signedCertTimestamps
|
| + doingChannelID = clientHello.channel_id
|
| + msgs.append(serverHello)
|
| + msgs.append(Certificate(certificateType).create(serverCertChain))
|
| +diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
|
| +index e357dd0..4e150bd 100644
|
| +--- a/third_party/tlslite/tlslite/constants.py
|
| ++++ b/third_party/tlslite/tlslite/constants.py
|
| +@@ -32,6 +32,7 @@ class ContentType:
|
| + all = (20,21,22,23)
|
| +
|
| + class ExtensionType:
|
| ++ signed_cert_timestamps = 18 # signed_certificate_timestamp extension
|
| + channel_id = 30031
|
| +
|
| + class AlertLevel:
|
| +diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
|
| +index fa4d817..3eb2e52 100644
|
| +--- a/third_party/tlslite/tlslite/messages.py
|
| ++++ b/third_party/tlslite/tlslite/messages.py
|
| +@@ -131,6 +131,7 @@ class ClientHello(HandshakeMsg):
|
| + self.compression_methods = [] # a list of 8-bit values
|
| + self.srp_username = None # a string
|
| + self.channel_id = False
|
| ++ self.signed_cert_timestamps = False
|
| +
|
| + def create(self, version, random, session_id, cipher_suites,
|
| + certificate_types=None, srp_username=None):
|
| +@@ -177,6 +178,8 @@ class ClientHello(HandshakeMsg):
|
| + self.certificate_types = p.getVarList(1, 1)
|
| + elif extType == ExtensionType.channel_id:
|
| + self.channel_id = True
|
| ++ elif extType == ExtensionType.signed_cert_timestamps:
|
| ++ self.signed_cert_timestamps = True
|
| + else:
|
| + p.getFixBytes(extLength)
|
| + soFar += 4 + extLength
|
| +@@ -224,6 +227,7 @@ class ServerHello(HandshakeMsg):
|
| + self.certificate_type = CertificateType.x509
|
| + self.compression_method = 0
|
| + self.channel_id = False
|
| ++ self.signed_cert_timestamps = None
|
| +
|
| + def create(self, version, random, session_id, cipher_suite,
|
| + certificate_type):
|
| +@@ -273,6 +277,9 @@ class ServerHello(HandshakeMsg):
|
| + if self.channel_id:
|
| + extLength += 4
|
| +
|
| ++ if self.signed_cert_timestamps:
|
| ++ extLength += 4 + len(self.signed_cert_timestamps)
|
| ++
|
| + if extLength != 0:
|
| + w.add(extLength, 2)
|
| +
|
| +@@ -286,6 +293,10 @@ class ServerHello(HandshakeMsg):
|
| + w.add(ExtensionType.channel_id, 2)
|
| + w.add(0, 2)
|
| +
|
| ++ if self.signed_cert_timestamps:
|
| ++ w.add(ExtensionType.signed_cert_timestamps, 2)
|
| ++ w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2)
|
| ++
|
| + return HandshakeMsg.postWrite(self, w, trial)
|
| +
|
| + class Certificate(HandshakeMsg):
|
|
|
Chromium Code Reviews
Issue 83333003:
Add support for fetching Certificate Transparency SCTs over a TLS extension (Closed)
Base URL: https://chromium.googlesource.com/chromium/src.git@master