Merge Chromium + Blink git repositories
[chromium-blink-merge.git] / third_party / tlslite / patches / certificate_request.patch
blobcdfa72b37b5f144b2aac680f133b82ffebe84ed2
1 diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py
2 index e1be195..f2e2cfc 100644
3 --- a/third_party/tlslite/tlslite/messages.py
4 +++ b/third_party/tlslite/tlslite/messages.py
5 @@ -460,7 +460,7 @@ class CertificateRequest(HandshakeMsg):
6 self.version = version
7 self.supported_signature_algs = []
9 - def create(self, certificate_types, certificate_authorities, sig_algs=()):
10 + def create(self, certificate_types, certificate_authorities, sig_algs):
11 self.certificate_types = certificate_types
12 self.certificate_authorities = certificate_authorities
13 self.supported_signature_algs = sig_algs
14 @@ -470,7 +470,8 @@ class CertificateRequest(HandshakeMsg):
15 p.startLengthCheck(3)
16 self.certificate_types = p.getVarList(1, 1)
17 if self.version >= (3,3):
18 - self.supported_signature_algs = p.getVarList(2, 2)
19 + self.supported_signature_algs = \
20 + [(b >> 8, b & 0xff) for b in p.getVarList(2, 2)]
21 ca_list_length = p.get(2)
22 index = 0
23 self.certificate_authorities = []
24 @@ -485,7 +486,10 @@ class CertificateRequest(HandshakeMsg):
25 w = Writer()
26 w.addVarSeq(self.certificate_types, 1, 1)
27 if self.version >= (3,3):
28 - w.addVarSeq(self.supported_signature_algs, 2, 2)
29 + w.add(2 * len(self.supported_signature_algs), 2)
30 + for (hash, signature) in self.supported_signature_algs:
31 + w.add(hash, 1)
32 + w.add(signature, 1)
33 caLength = 0
34 #determine length
35 for ca_dn in self.certificate_authorities:
36 @@ -646,22 +650,30 @@ class ClientKeyExchange(HandshakeMsg):
37 return self.postWrite(w)
39 class CertificateVerify(HandshakeMsg):
40 - def __init__(self):
41 + def __init__(self, version):
42 HandshakeMsg.__init__(self, HandshakeType.certificate_verify)
43 + self.version = version
44 + self.signature_algorithm = None
45 self.signature = bytearray(0)
47 - def create(self, signature):
48 + def create(self, signature_algorithm, signature):
49 + self.signature_algorithm = signature_algorithm
50 self.signature = signature
51 return self
53 def parse(self, p):
54 p.startLengthCheck(3)
55 + if self.version >= (3,3):
56 + self.signature_algorithm = (p.get(1), p.get(1))
57 self.signature = p.getVarBytes(2)
58 p.stopLengthCheck()
59 return self
61 def write(self):
62 w = Writer()
63 + if self.version >= (3,3):
64 + w.add(self.signature_algorithm[0], 1)
65 + w.add(self.signature_algorithm[1], 1)
66 w.addVarSeq(self.signature, 1, 2)
67 return self.postWrite(w)
69 diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py
70 index cb743fe..3d97e97 100644
71 --- a/third_party/tlslite/tlslite/tlsconnection.py
72 +++ b/third_party/tlslite/tlslite/tlsconnection.py
73 @@ -956,6 +956,7 @@ class TLSConnection(TLSRecordLayer):
74 #If client authentication was requested and we have a
75 #private key, send CertificateVerify
76 if certificateRequest and privateKey:
77 + signatureAlgorithm = None
78 if self.version == (3,0):
79 masterSecret = calcMasterSecret(self.version,
80 premasterSecret,
81 @@ -966,12 +967,15 @@ class TLSConnection(TLSRecordLayer):
82 verifyBytes = self._handshake_md5.digest() + \
83 self._handshake_sha.digest()
84 elif self.version == (3,3):
85 - verifyBytes = self._handshake_sha256.digest()
86 + # TODO: Signature algorithm negotiation not supported.
87 + signatureAlgorithm = (HashAlgorithm.sha1, SignatureAlgorithm.rsa)
88 + verifyBytes = self._handshake_sha.digest()
89 + verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
90 if self.fault == Fault.badVerifyMessage:
91 verifyBytes[0] = ((verifyBytes[0]+1) % 256)
92 signedBytes = privateKey.sign(verifyBytes)
93 - certificateVerify = CertificateVerify()
94 - certificateVerify.create(signedBytes)
95 + certificateVerify = CertificateVerify(self.version)
96 + certificateVerify.create(signatureAlgorithm, signedBytes)
97 for result in self._sendMsg(certificateVerify):
98 yield result
99 yield (premasterSecret, serverCertChain, clientCertChain, tackExt)
100 @@ -1640,8 +1644,11 @@ class TLSConnection(TLSRecordLayer):
101 #Apple's Secure Transport library rejects empty certificate_types,
102 #so default to rsa_sign.
103 reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign]
104 + #Only SHA-1 + RSA is supported.
105 + sigAlgs = [(HashAlgorithm.sha1, SignatureAlgorithm.rsa)]
106 msgs.append(CertificateRequest(self.version).create(reqCertTypes,
107 - reqCAs))
108 + reqCAs,
109 + sigAlgs))
110 msgs.append(ServerHelloDone())
111 for result in self._sendMsgs(msgs):
112 yield result
113 @@ -1713,7 +1720,8 @@ class TLSConnection(TLSRecordLayer):
114 verifyBytes = self._handshake_md5.digest() + \
115 self._handshake_sha.digest()
116 elif self.version == (3,3):
117 - verifyBytes = self._handshake_sha256.digest()
118 + verifyBytes = self._handshake_sha.digest()
119 + verifyBytes = RSAKey.addPKCS1SHA1Prefix(verifyBytes)
120 for result in self._getMsg(ContentType.handshake,
121 HandshakeType.certificate_verify):
122 if result in (0,1): yield result
123 diff --git a/third_party/tlslite/tlslite/tlsrecordlayer.py b/third_party/tlslite/tlslite/tlsrecordlayer.py
124 index eda11e6..a09499d 100644
125 --- a/third_party/tlslite/tlslite/tlsrecordlayer.py
126 +++ b/third_party/tlslite/tlslite/tlsrecordlayer.py
127 @@ -804,7 +804,7 @@ class TLSRecordLayer(object):
128 elif subType == HandshakeType.certificate_request:
129 yield CertificateRequest(self.version).parse(p)
130 elif subType == HandshakeType.certificate_verify:
131 - yield CertificateVerify().parse(p)
132 + yield CertificateVerify(self.version).parse(p)
133 elif subType == HandshakeType.server_key_exchange:
134 yield ServerKeyExchange(constructorType,
135 self.version).parse(p)