| 1 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlsli
te/messages.py |
| 2 index e1be195..f2e2cfc 100644 |
| 3 --- a/third_party/tlslite/tlslite/messages.py |
| 4 +++ b/third_party/tlslite/tlslite/messages.py |
| 5 @@ -460,7 +460,7 @@ class CertificateRequest(HandshakeMsg): |
| 6 self.version = version |
| 7 self.supported_signature_algs = [] |
| 8 |
| 9 - def create(self, certificate_types, certificate_authorities, sig_algs=()): |
| 10 + def create(self, certificate_types, certificate_authorities, sig_algs): |
| 11 self.certificate_types = certificate_types |
| 12 self.certificate_authorities = certificate_authorities |
| 13 self.supported_signature_algs = sig_algs |
| 14 @@ -470,7 +470,8 @@ class CertificateRequest(HandshakeMsg): |
| 15 p.startLengthCheck(3) |
| 16 self.certificate_types = p.getVarList(1, 1) |
| 17 if self.version >= (3,3): |
| 18 - self.supported_signature_algs = p.getVarList(2, 2) |
| 19 + self.supported_signature_algs = \ |
| 20 + [(b >> 8, b & 0xff) for b in p.getVarList(2, 2)] |
| 21 ca_list_length = p.get(2) |
| 22 index = 0 |
| 23 self.certificate_authorities = [] |
| 24 @@ -485,7 +486,10 @@ class CertificateRequest(HandshakeMsg): |
| 25 w = Writer() |
| 26 w.addVarSeq(self.certificate_types, 1, 1) |
| 27 if self.version >= (3,3): |
| 28 - w.addVarSeq(self.supported_signature_algs, 2, 2) |
| 29 + w.add(2 * len(self.supported_signature_algs), 2) |
| 30 + for (hash, signature) in self.supported_signature_algs: |
| 31 + w.add(hash, 1) |
| 32 + w.add(signature, 1) |
| 33 caLength = 0 |
| 34 #determine length |
| 35 for ca_dn in self.certificate_authorities: |
| 36 @@ -646,22 +650,30 @@ class ClientKeyExchange(HandshakeMsg): |
| 37 return self.postWrite(w) |
| 38 |
| 39 class CertificateVerify(HandshakeMsg): |
| 40 - def __init__(self): |
| 41 + def __init__(self, version): |
| 42 HandshakeMsg.__init__(self, HandshakeType.certificate_verify) |
| 43 + self.version = version |
| 44 + self.signature_algorithm = None |
| 45 self.signature = bytearray(0) |
| 46 |
| 47 - def create(self, signature): |
| 48 + def create(self, signature_algorithm, signature): |
| 49 + self.signature_algorithm = signature_algorithm |
| 50 self.signature = signature |
| 51 return self |
| 52 |
| 53 def parse(self, p): |
| 54 p.startLengthCheck(3) |
| 55 + if self.version >= (3,3): |
| 56 + self.signature_algorithm = (p.get(1), p.get(1)) |
| 57 self.signature = p.getVarBytes(2) |
| 58 p.stopLengthCheck() |
| 59 return self |
| 60 |
| 61 def write(self): |
| 62 w = Writer() |
| 63 + if self.version >= (3,3): |
| 64 + w.add(self.signature_algorithm[0], 1) |
| 65 + w.add(self.signature_algorithm[1], 1) |
| 66 w.addVarSeq(self.signature, 1, 2) |
| 67 return self.postWrite(w) |
| 68 |
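Review bot: `CertificateVerify.write` indexes `self.signature_algorithm[0]` whenever `self.version >= (3,3)`, but `__init__` leaves that field as `None` and `create` stores whatever it is given. A TLS 1.2 message built without an algorithm therefore fails with a `TypeError` during serialization instead of at the call that made the mistake. A guard in `create` would surface it early, e.g. `if self.version >= (3,3) and signature_algorithm is None: raise ValueError("signature_algorithm is required for TLS 1.2")`. Separately, the loop variable `hash` in `CertificateRequest.write` shadows the builtin; `for (hash_alg, sig_alg) in self.supported_signature_algs:` avoids that. Dropping the `sig_algs=()` default also deserves a docstring line on `CertificateRequest.create` saying the list is only serialized for versions >= (3,3).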
| 69 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/
tlslite/tlsconnection.py |
| 70 index cb743fe..3d97e97 100644 |
| 71 --- a/third_party/tlslite/tlslite/tlsconnection.py |
| 72 +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| 73 @@ -956,6 +956,7 @@ class TLSConnection(TLSRecordLayer): |
| 74 #If client authentication was requested and we have a |
| 75 #private key, send CertificateVerify |
| 76 if certificateRequest and privateKey: |
| 77 + signatureAlgorithm = None |
| 78 if self.version == (3,0): |
| 79 masterSecret = calcMasterSecret(self.version, |
| 80 premasterSecret, |
| 81 @@ -966,12 +967,15 @@ class TLSConnection(TLSRecordLayer): |
| 82 verifyBytes = self._handshake_md5.digest() + \ |
| 83 self._handshake_sha.digest() |
| 84 elif self.version == (3,3): |
| 85 - verifyBytes = self._handshake_sha256.digest() |
| 86 + # TODO: Signature algorithm negotiation not supported. |
| 87 + signatureAlgorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rs
a) |
| 88 + verifyBytes = self._handshake_sha.digest() |
| 89 + verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes) |
| 90 if self.fault == Fault.badVerifyMessage: |
| 91 verifyBytes[0] = ((verifyBytes[0]+1) % 256) |
| 92 signedBytes = privateKey.sign(verifyBytes) |
| 93 - certificateVerify = CertificateVerify() |
| 94 - certificateVerify.create(signedBytes) |
| 95 + certificateVerify = CertificateVerify(self.version) |
| 96 + certificateVerify.create(signatureAlgorithm, signedBytes) |
| 97 for result in self._sendMsg(certificateVerify): |
| 98 yield result |
| 99 yield (premasterSecret, serverCertChain, clientCertChain, tackExt) |
| 100 @@ -1640,8 +1644,11 @@ class TLSConnection(TLSRecordLayer): |
| 101 #Apple's Secure Transport library rejects empty certificate_types, |
| 102 #so default to rsa_sign. |
| 103 reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] |
| 104 + #Only SHA-1 + RSA is supported. |
| 105 + sigAlgs = [(HashAlgorithm.sha1, SignatureAlgorithm.rsa)] |
| 106 msgs.append(CertificateRequest(self.version).create(reqCertTypes, |
| 107 - reqCAs)) |
| 108 + reqCAs, |
| 109 + sigAlgs)) |
| 110 msgs.append(ServerHelloDone()) |
| 111 for result in self._sendMsgs(msgs): |
| 112 yield result |
| 113 @@ -1713,7 +1720,8 @@ class TLSConnection(TLSRecordLayer): |
| 114 verifyBytes = self._handshake_md5.digest() + \ |
| 115 self._handshake_sha.digest() |
| 116 elif self.version == (3,3): |
| 117 - verifyBytes = self._handshake_sha256.digest() |
| 118 + verifyBytes = self._handshake_sha.digest() |
| 119 + verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes) |
| 120 for result in self._getMsg(ContentType.handshake, |
| 121 HandshakeType.certificate_verify): |
| 122 if result in (0,1): yield result |
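Review bot: In the server-side hunk at `elif self.version == (3,3):` the expected digest is fixed to SHA-1 with the PKCS#1 prefix, yet nothing visible compares the `signature_algorithm` that `CertificateVerify.parse` now reads from the peer against the single pair advertised in `sigAlgs`. The hunk ends before the received message is consumed, so the check may exist outside it. If it does not, a peer declaring any other hash/signature pair is still verified as SHA-1/RSA and the declared field is silently ignored. I would reject a mismatch before verifying, along the lines of `if certificateVerify.signature_algorithm != (HashAlgorithm.sha1, SignatureAlgorithm.rsa):` followed by a fatal alert (the variable name is assumed, since it is not in the hunk). Because SHA-1 is the only hash offered for TLS 1.2 client authentication here, the `#Only SHA-1 + RSA is supported.` comment should also say why no stronger hash is offered.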
| 123 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite
/tlslite/tlsrecordlayer.py |
| 124 index eda11e6..a09499d 100644 |
| 125 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 126 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py |
| 127 @@ -804,7 +804,7 @@ class TLSRecordLayer(object): |
| 128 elif subType == HandshakeType.certificate_request: |
| 129 yield CertificateRequest(self.version).parse(p) |
| 130 elif subType == HandshakeType.certificate_verify: |
| 131 - yield CertificateVerify().parse(p) |
| 132 + yield CertificateVerify(self.version).parse(p) |
| 133 elif subType == HandshakeType.server_key_exchange: |
| 134 yield ServerKeyExchange(constructorType, |
| 135 self.version).parse(p) |