Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(219)

Issues Search
    My Issues | Starred     Open | Closed | All

Unified Diff: third_party/tlslite/patches/certificate_request.patch

Issue 858373002: Update third_party/tlslite to 0.4.8. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Finish fixing client auth Created 5 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View side-by-side diff with in-line comments
Download patch
« no previous file with comments | « third_party/tlslite/README.chromium ('k') | third_party/tlslite/patches/channel_id.patch » ('j') | no next file with comments »
Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
Index: third_party/tlslite/patches/certificate_request.patch
diff --git a/third_party/tlslite/patches/certificate_request.patch b/third_party/tlslite/patches/certificate_request.patch
new file mode 100644
index 0000000000000000000000000000000000000000..cdfa72b37b5f144b2aac680f133b82ffebe84ed2
--- /dev/null
+++ b/third_party/tlslite/patches/certificate_request.patch
@@ -0,0 +1,135 @@
+diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
+index e1be195..f2e2cfc 100644
+--- a/third_party/tlslite/tlslite/messages.py
++++ b/third_party/tlslite/tlslite/messages.py
+@@ -460,7 +460,7 @@ class CertificateRequest(HandshakeMsg):
+ self.version = version
+ self.supported_signature_algs = []
+
+- def create(self, certificate_types, certificate_authorities, sig_algs=()):
++ def create(self, certificate_types, certificate_authorities, sig_algs):
+ self.certificate_types = certificate_types
+ self.certificate_authorities = certificate_authorities
+ self.supported_signature_algs = sig_algs
+@@ -470,7 +470,8 @@ class CertificateRequest(HandshakeMsg):
+ p.startLengthCheck(3)
+ self.certificate_types = p.getVarList(1, 1)
+ if self.version >= (3,3):
+- self.supported_signature_algs = p.getVarList(2, 2)
++ self.supported_signature_algs = \
++ [(b >> 8, b & 0xff) for b in p.getVarList(2, 2)]
+ ca_list_length = p.get(2)
+ index = 0
+ self.certificate_authorities = []
+@@ -485,7 +486,10 @@ class CertificateRequest(HandshakeMsg):
+ w = Writer()
+ w.addVarSeq(self.certificate_types, 1, 1)
+ if self.version >= (3,3):
+- w.addVarSeq(self.supported_signature_algs, 2, 2)
++ w.add(2 * len(self.supported_signature_algs), 2)
++ for (hash, signature) in self.supported_signature_algs:
++ w.add(hash, 1)
++ w.add(signature, 1)
+ caLength = 0
+ #determine length
+ for ca_dn in self.certificate_authorities:
+@@ -646,22 +650,30 @@ class ClientKeyExchange(HandshakeMsg):
+ return self.postWrite(w)
+
+ class CertificateVerify(HandshakeMsg):
+- def __init__(self):
++ def __init__(self, version):
+ HandshakeMsg.__init__(self, HandshakeType.certificate_verify)
++ self.version = version
++ self.signature_algorithm = None
+ self.signature = bytearray(0)
+
+- def create(self, signature):
++ def create(self, signature_algorithm, signature):
++ self.signature_algorithm = signature_algorithm
+ self.signature = signature
+ return self
+
+ def parse(self, p):
+ p.startLengthCheck(3)
++ if self.version >= (3,3):
++ self.signature_algorithm = (p.get(1), p.get(1))
+ self.signature = p.getVarBytes(2)
+ p.stopLengthCheck()
+ return self
+
+ def write(self):
+ w = Writer()
++ if self.version >= (3,3):
++ w.add(self.signature_algorithm[0], 1)
++ w.add(self.signature_algorithm[1], 1)
+ w.addVarSeq(self.signature, 1, 2)
+ return self.postWrite(w)
+
+diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
+index cb743fe..3d97e97 100644
+--- a/third_party/tlslite/tlslite/tlsconnection.py
++++ b/third_party/tlslite/tlslite/tlsconnection.py
+@@ -956,6 +956,7 @@ class TLSConnection(TLSRecordLayer):
+ #If client authentication was requested and we have a
+ #private key, send CertificateVerify
+ if certificateRequest and privateKey:
++ signatureAlgorithm = None
+ if self.version == (3,0):
+ masterSecret = calcMasterSecret(self.version,
+ premasterSecret,
+@@ -966,12 +967,15 @@ class TLSConnection(TLSRecordLayer):
+ verifyBytes = self._handshake_md5.digest() + \
+ self._handshake_sha.digest()
+ elif self.version == (3,3):
+- verifyBytes = self._handshake_sha256.digest()
++ # TODO: Signature algorithm negotiation not supported.
++ signatureAlgorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rsa)
++ verifyBytes = self._handshake_sha.digest()
++ verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
+ if self.fault == Fault.badVerifyMessage:
+ verifyBytes[0] = ((verifyBytes[0]+1) % 256)
+ signedBytes = privateKey.sign(verifyBytes)
+- certificateVerify = CertificateVerify()
+- certificateVerify.create(signedBytes)
++ certificateVerify = CertificateVerify(self.version)
++ certificateVerify.create(signatureAlgorithm, signedBytes)
+ for result in self._sendMsg(certificateVerify):
+ yield result
+ yield (premasterSecret, serverCertChain, clientCertChain, tackExt)
+@@ -1640,8 +1644,11 @@ class TLSConnection(TLSRecordLayer):
+ #Apple's Secure Transport library rejects empty certificate_types,
+ #so default to rsa_sign.
+ reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
++ #Only SHA-1 + RSA is supported.
++ sigAlgs = [(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
+ msgs.append(CertificateRequest(self.version).create(reqCertTypes,
+- reqCAs))
++ reqCAs,
++ sigAlgs))
+ msgs.append(ServerHelloDone())
+ for result in self._sendMsgs(msgs):
+ yield result
+@@ -1713,7 +1720,8 @@ class TLSConnection(TLSRecordLayer):
+ verifyBytes = self._handshake_md5.digest() + \
+ self._handshake_sha.digest()
+ elif self.version == (3,3):
+- verifyBytes = self._handshake_sha256.digest()
++ verifyBytes = self._handshake_sha.digest()
++ verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
+ for result in self._getMsg(ContentType.handshake,
+ HandshakeType.certificate_verify):
+ if result in (0,1): yield result
+diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
+index eda11e6..a09499d 100644
+--- a/third_party/tlslite/tlslite/tlsrecordlayer.py
++++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
+@@ -804,7 +804,7 @@ class TLSRecordLayer(object):
+ elif subType == HandshakeType.certificate_request:
+ yield CertificateRequest(self.version).parse(p)
+ elif subType == HandshakeType.certificate_verify:
+- yield CertificateVerify().parse(p)
++ yield CertificateVerify(self.version).parse(p)
+ elif subType == HandshakeType.server_key_exchange:
+ yield ServerKeyExchange(constructorType,
+ self.version).parse(p)
« no previous file with comments | « third_party/tlslite/README.chromium ('k') | third_party/tlslite/patches/channel_id.patch » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698