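diff --git a/third_party/tlslite/tlslite/TLSConnection.py b/third_party/tlslite/tlslite/TLSConnection.py
index d2270a9..4df4f68 100644
--- a/third_party/tlslite/tlslite/TLSConnection.py
+++ b/third_party/tlslite/tlslite/TLSConnection.py
@@ -937,7 +937,8 @@ class TLSConnection(TLSRecordLayer):
 certChain=None, privateKey=None, reqCert=False,
 sessionCache=None, settings=None, checker=None,
 reqCAs=None, tlsIntolerant=0,
-signedCertTimestamps=None):
+signedCertTimestamps=None,
+OCSPResponse=None):
 """Perform a handshake in the role of server.
 
 This function performs an SSL or TLS handshake. Depending on
@@ -1013,6 +1014,15 @@ class TLSConnection(TLSRecordLayer):
 binary 8-bit string) that will be sent as a TLS extension whenever
 the client announces support for the extension.
 
+@type OCSPResponse: str
+@param OCSPResponse: An OCSP response (as a binary 8-bit string) that
+will be sent stapled in the handshake whenever the client announces
+support for the status_request extension.
+Note that the response is sent independent of the ClientHello extension
+contents, and is thus only meant for testing environments. Real OCSP
+stapling is more complicated as it requires choosing a suitable response
+based on the ClientHello extension contents.
+
 @raise socket.error: If a socket error occurs.
 @raise tlslite.errors.TLSAbruptCloseError: If the socket is closed
 without a preceding alert.
@@ -1022,7 +1032,8 @@ class TLSConnection(TLSRecordLayer):
 """
 for result in self.handshakeServerAsync(sharedKeyDB, verifierDB,
 certChain, privateKey, reqCert, sessionCache, settings,
-checker, reqCAs, tlsIntolerant, signedCertTimestamps):
+checker, reqCAs, tlsIntolerant, signedCertTimestamps,
+OCSPResponse):
 pass
 
 
@@ -1030,7 +1041,8 @@ class TLSConnection(TLSRecordLayer):
 certChain=None, privateKey=None, reqCert=False,
 sessionCache=None, settings=None, checker=None,
 reqCAs=None, tlsIntolerant=0,
-signedCertTimestamps=None):
+signedCertTimestamps=None,
+OCSPResponse=None):
 """Start a server handshake operation on the TLS connection.
 
 This function returns a generator which behaves similarly to
@@ -1049,7 +1061,8 @@ class TLSConnection(TLSRecordLayer):
 sessionCache=sessionCache, settings=settings,
 reqCAs=reqCAs,
 tlsIntolerant=tlsIntolerant,
-signedCertTimestamps=signedCertTimestamps)
+signedCertTimestamps=signedCertTimestamps,
+OCSPResponse=OCSPResponse)
 for result in self._handshakeWrapperAsync(handshaker, checker):
 yield result
 
@@ -1057,7 +1070,8 @@ class TLSConnection(TLSRecordLayer):
 def _handshakeServerAsyncHelper(self, sharedKeyDB, verifierDB,
 certChain, privateKey, reqCert,
 sessionCache, settings, reqCAs,
-tlsIntolerant, signedCertTimestamps):
+tlsIntolerant, signedCertTimestamps,
+OCSPResponse):
 
 self._handshakeStart(client=False)
 
@@ -1428,10 +1442,14 @@ class TLSConnection(TLSRecordLayer):
 sessionID, cipherSuite, certificateType)
 serverHello.channel_id = clientHello.channel_id
 if clientHello.support_signed_cert_timestamps:
-serverHello.signed_cert_timestamps = signedCertTimestamps
+serverHello.signed_cert_timestamps = signedCertTimestamps
+serverHello.status_request = (clientHello.status_request and
+OCSPResponse)
 doingChannelID = clientHello.channel_id
 msgs.append(serverHello)
 msgs.append(Certificate(certificateType).create(serverCertChain))
+if clientHello.status_request and OCSPResponse:
+msgs.append(CertificateStatus().create(OCSPResponse))
 if reqCert and reqCAs:
 msgs.append(CertificateRequest().create([], reqCAs))
 elif reqCert: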
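Review bot: In the `@@ -1428` hunk, `serverHello.status_request = (clientHello.status_request and OCSPResponse)` stores the OCSP response string itself (or `False`/`None`) in an attribute that `ServerHello.__init__` in messages.py initialises as the boolean `False`; `ServerHello.write` only tests truthiness so the extension is emitted correctly, but the hello object then carries the whole response body under a flag name, which is surprising for anything that compares it with `True` or prints it. Coerce it, `serverHello.status_request = bool(clientHello.status_request and OCSPResponse)`. The same condition is recomputed two lines later to decide whether to append the `CertificateStatus` message; binding it once, `stapleOCSP = bool(clientHello.status_request and OCSPResponse)`, and using it in both places keeps the advertised extension and the stapled message from drifting apart. The `signed_cert_timestamps` line is removed and re-added with identical text, which looks like a whitespace-only change, but indentation is not visible in this rendering. `_handshakeServerAsyncHelper` starts in the `@@ -1057` hunk and ends outside the hunk.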
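diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py
index b5a345a..cef56a0 100644
--- a/third_party/tlslite/tlslite/constants.py
+++ b/third_party/tlslite/tlslite/constants.py
@@ -22,6 +22,7 @@ class HandshakeType:
 certificate_verify = 15
 client_key_exchange = 16
 finished = 20
+certificate_status = 22
 encrypted_extensions = 203
 
 class ContentType:
@@ -31,7 +32,11 @@ class ContentType:
 application_data = 23
 all = (20,21,22,23)
 
+class CertificateStatusType:
+ocsp = 1
+
 class ExtensionType:
+status_request = 5 # OCSP stapling
 signed_cert_timestamps = 18 # signed_certificate_timestamp in RFC 6962
 channel_id = 30031
 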
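Review bot: The new constants do not say where their values come from, while the neighbouring `signed_cert_timestamps` line cites its RFC; `certificate_status = 22`, `status_request = 5` and `CertificateStatusType.ocsp = 1` are all from RFC 6066 section 8, and a reader checking them against the wire should not have to look that up. Suggest `certificate_status = 22 # RFC 6066 section 8 (OCSP stapling)` and `status_request = 5 # OCSP stapling, RFC 6066 section 8`. `CertificateStatusType` deserves a one-line class comment noting that `ocsp(1)` is the only value RFC 6066 defines, which is the assumption `CertificateStatus.parse` in messages.py relies on when it rejects every other status_type.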
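diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
index 296f422..497ef60 100644
--- a/third_party/tlslite/tlslite/messages.py
+++ b/third_party/tlslite/tlslite/messages.py
@@ -132,6 +132,7 @@ class ClientHello(HandshakeMsg):
 self.srp_username = None # a string
 self.channel_id = False
 self.support_signed_cert_timestamps = False
+self.status_request = False
 
 def create(self, version, random, session_id, cipher_suites,
 certificate_types=None, srp_username=None):
@@ -182,6 +183,19 @@ class ClientHello(HandshakeMsg):
 if extLength:
 raise SyntaxError()
 self.support_signed_cert_timestamps = True
+elif extType == ExtensionType.status_request:
+# Extension contents are currently ignored.
+# According to RFC 6066, this is not strictly forbidden
+# (although it is suboptimal):
+# Servers that receive a client hello containing the
+# "status_request" extension MAY return a suitable
+# certificate status response to the client along with
+# their certificate. If OCSP is requested, they
+# SHOULD use the information contained in the extension
+# when selecting an OCSP responder and SHOULD include
+# request_extensions in the OCSP request.
+p.getFixBytes(extLength)
+self.status_request = True
 else:
 p.getFixBytes(extLength)
 soFar += 4 + extLength
@@ -230,6 +244,7 @@ class ServerHello(HandshakeMsg):
 self.compression_method = 0
 self.channel_id = False
 self.signed_cert_timestamps = None
+self.status_request = False
 
 def create(self, version, random, session_id, cipher_suite,
 certificate_type):
@@ -282,6 +297,9 @@ class ServerHello(HandshakeMsg):
 if self.signed_cert_timestamps:
 extLength += 4 + len(self.signed_cert_timestamps)
 
+if self.status_request:
+extLength += 4
+
 if extLength != 0:
 w.add(extLength, 2)
 
@@ -299,6 +317,10 @@ class ServerHello(HandshakeMsg):
 w.add(ExtensionType.signed_cert_timestamps, 2)
 w.addVarSeq(stringToBytes(self.signed_cert_timestamps), 1, 2)
 
+if self.status_request:
+w.add(ExtensionType.status_request, 2)
+w.add(0, 2)
+
 return HandshakeMsg.postWrite(self, w, trial)
 
 class Certificate(HandshakeMsg):
@@ -367,6 +389,37 @@ class Certificate(HandshakeMsg):
 raise AssertionError()
 return HandshakeMsg.postWrite(self, w, trial)
 
+class CertificateStatus(HandshakeMsg):
+def __init__(self):
+self.contentType = ContentType.handshake
+
+def create(self, ocsp_response):
+self.ocsp_response = ocsp_response
+return self
+
+# Defined for the sake of completeness, even though we currently only
+# support sending the status message (server-side), not requesting
+# or receiving it (client-side).
+def parse(self, p):
+p.startLengthCheck(3)
+status_type = p.get(1)
+# Only one type is specified, so hardwire it.
+if status_type != CertificateStatusType.ocsp:
+raise SyntaxError()
+ocsp_response = p.getVarBytes(3)
+if not ocsp_response:
+# Can't be empty
+raise SyntaxError()
+self.ocsp_response = ocsp_response
+return self
+
+def write(self, trial=False):
+w = HandshakeMsg.preWrite(self, HandshakeType.certificate_status,
+trial)
+w.add(CertificateStatusType.ocsp, 1)
+w.addVarSeq(stringToBytes(self.ocsp_response), 1, 3)
+return HandshakeMsg.postWrite(self, w, trial)
+
 class CertificateRequest(HandshakeMsg):
 def __init__(self):
 self.contentType = ContentType.handshake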
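Review bot: `CertificateStatus.parse` in the last hunk opens a length check with `p.startLengthCheck(3)` but never closes it, so any bytes trailing the OCSPResponse inside the handshake body are silently accepted instead of being rejected as malformed; the other `parse` methods in this file (outside the hunk) appear to pair `startLengthCheck` with `p.stopLengthCheck()`, and this one should do the same, `p.stopLengthCheck()` immediately before `return self`. The comment notes the message is currently only sent, never received, so this is latent today, but a parser that exists should be as strict as its siblings. A related asymmetry is that `create`/`write` accept an empty `ocsp_response` and would emit a zero-length OCSPResponse that this same class's `parse` rejects with `SyntaxError`; the TLSConnection hunk only builds the message when `OCSPResponse` is truthy, so nothing hits it now, but a guard in `create` mirroring the `raise AssertionError()` used in `Certificate.write` would keep the two directions consistent.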