| diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py |
| index fa6a18c..aabcc14 100644 |
| --- a/third_party/tlslite/tlslite/api.py |
| +++ b/third_party/tlslite/tlslite/api.py |
| @@ -2,7 +2,8 @@ |
| # See the LICENSE file for legal information regarding use of this file. |
| |
| __version__ = "0.4.8" |
| -from .constants import AlertLevel, AlertDescription, Fault |
| +from .constants import AlertLevel, AlertDescription, ClientCertificateType, \ |
| + Fault |
| from .errors import * |
| from .checker import Checker |
| from .handshakesettings import HandshakeSettings |
| diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py |
| index d2d50c5..7ee70be 100644 |
| --- a/third_party/tlslite/tlslite/constants.py |
| +++ b/third_party/tlslite/tlslite/constants.py |
| @@ -15,10 +15,14 @@ class CertificateType: |
| openpgp = 1 |
| |
| class ClientCertificateType: |
| + # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 |
| rsa_sign = 1 |
| dss_sign = 2 |
| rsa_fixed_dh = 3 |
| dss_fixed_dh = 4 |
| + ecdsa_sign = 64 |
| + rsa_fixed_ecdh = 65 |
| + ecdsa_fixed_ecdh = 66 |
| |
| class HandshakeType: |
| hello_request = 0 |
| diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py |
| index 8b77ee6..e1be195 100644 |
| --- a/third_party/tlslite/tlslite/messages.py |
| +++ b/third_party/tlslite/tlslite/messages.py |
| @@ -455,17 +455,14 @@ class CertificateStatus(HandshakeMsg): |
| class CertificateRequest(HandshakeMsg): |
| def __init__(self, version): |
| HandshakeMsg.__init__(self, HandshakeType.certificate_request) |
| - #Apple's Secure Transport library rejects empty certificate_types, so |
| - #default to rsa_sign. |
| - self.certificate_types = [ClientCertificateType.rsa_sign] |
| + self.certificate_types = [] |
| self.certificate_authorities = [] |
| self.version = version |
| self.supported_signature_algs = [] |
| |
| - def create(self, certificate_types, certificate_authorities, sig_algs=(), version=(3,0)): |
| + def create(self, certificate_types, certificate_authorities, sig_algs=()): |
| self.certificate_types = certificate_types |
| self.certificate_authorities = certificate_authorities |
| - self.version = version |
| self.supported_signature_algs = sig_algs |
| return self |
| |
| diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py |
| index f6d13d4..f8547d5 100644 |
| --- a/third_party/tlslite/tlslite/tlsconnection.py |
| +++ b/third_party/tlslite/tlslite/tlsconnection.py |
| @@ -1070,7 +1070,7 @@ class TLSConnection(TLSRecordLayer): |
| def handshakeServer(self, verifierDB=None, |
| certChain=None, privateKey=None, reqCert=False, |
| sessionCache=None, settings=None, checker=None, |
| - reqCAs = None, |
| + reqCAs = None, reqCertTypes = None, |
| tacks=None, activationFlags=0, |
| nextProtos=None, anon=False, |
| tlsIntolerant=None, signedCertTimestamps=None, |
| @@ -1138,6 +1138,10 @@ class TLSConnection(TLSRecordLayer): |
| will be sent along with a certificate request. This does not affect |
| verification. |
| |
| + @type reqCertTypes: list of int |
| + @param reqCertTypes: A list of certificate_type values to be sent |
| + along with a certificate request. This does not affect verification. |
| + |
| @type nextProtos: list of strings. |
| @param nextProtos: A list of upper layer protocols to expose to the |
| clients through the Next-Protocol Negotiation Extension, |
| @@ -1177,7 +1181,7 @@ class TLSConnection(TLSRecordLayer): |
| """ |
| for result in self.handshakeServerAsync(verifierDB, |
| certChain, privateKey, reqCert, sessionCache, settings, |
| - checker, reqCAs, |
| + checker, reqCAs, reqCertTypes, |
| tacks=tacks, activationFlags=activationFlags, |
| nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, |
| signedCertTimestamps=signedCertTimestamps, |
| @@ -1188,7 +1192,7 @@ class TLSConnection(TLSRecordLayer): |
| def handshakeServerAsync(self, verifierDB=None, |
| certChain=None, privateKey=None, reqCert=False, |
| sessionCache=None, settings=None, checker=None, |
| - reqCAs=None, |
| + reqCAs=None, reqCertTypes=None, |
| tacks=None, activationFlags=0, |
| nextProtos=None, anon=False, |
| tlsIntolerant=None, |
| @@ -1211,7 +1215,7 @@ class TLSConnection(TLSRecordLayer): |
| verifierDB=verifierDB, certChain=certChain, |
| privateKey=privateKey, reqCert=reqCert, |
| sessionCache=sessionCache, settings=settings, |
| - reqCAs=reqCAs, |
| + reqCAs=reqCAs, reqCertTypes=reqCertTypes, |
| tacks=tacks, activationFlags=activationFlags, |
| nextProtos=nextProtos, anon=anon, |
| tlsIntolerant=tlsIntolerant, |
| @@ -1224,7 +1228,7 @@ class TLSConnection(TLSRecordLayer): |
| |
| def _handshakeServerAsyncHelper(self, verifierDB, |
| certChain, privateKey, reqCert, sessionCache, |
| - settings, reqCAs, |
| + settings, reqCAs, reqCertTypes, |
| tacks, activationFlags, |
| nextProtos, anon, |
| tlsIntolerant, signedCertTimestamps, fallbackSCSV, |
| @@ -1240,6 +1244,8 @@ class TLSConnection(TLSRecordLayer): |
| raise ValueError("Caller passed a privateKey but no certChain") |
| if reqCAs and not reqCert: |
| raise ValueError("Caller passed reqCAs but not reqCert") |
| + if reqCertTypes and not reqCert: |
| + raise ValueError("Caller passed reqCertTypes but not reqCert") |
| if certChain and not isinstance(certChain, X509CertChain): |
| raise ValueError("Unrecognized certificate type") |
| if activationFlags and not tacks: |
| @@ -1328,7 +1334,7 @@ class TLSConnection(TLSRecordLayer): |
| assert(False) |
| for result in self._serverCertKeyExchange(clientHello, serverHello, |
| certChain, keyExchange, |
| - reqCert, reqCAs, cipherSuite, |
| + reqCert, reqCAs, reqCertTypes, cipherSuite, |
| settings, ocspResponse): |
| if result in (0,1): yield result |
| else: break |
| @@ -1607,7 +1613,7 @@ class TLSConnection(TLSRecordLayer): |
| |
| def _serverCertKeyExchange(self, clientHello, serverHello, |
| serverCertChain, keyExchange, |
| - reqCert, reqCAs, cipherSuite, |
| + reqCert, reqCAs, reqCertTypes, cipherSuite, |
| settings, ocspResponse): |
| #Send ServerHello, Certificate[, ServerKeyExchange] |
| #[, CertificateRequest], ServerHelloDone |
| @@ -1623,11 +1629,13 @@ class TLSConnection(TLSRecordLayer): |
| serverKeyExchange = keyExchange.makeServerKeyExchange() |
| if serverKeyExchange is not None: |
| msgs.append(serverKeyExchange) |
| - if reqCert and reqCAs: |
| - msgs.append(CertificateRequest().create(\ |
| - [ClientCertificateType.rsa_sign], reqCAs)) |
| - elif reqCert: |
| - msgs.append(CertificateRequest(self.version)) |
| + if reqCert: |
| + reqCAs = reqCAs or [] |
| + #Apple's Secure Transport library rejects empty certificate_types, |
| + #so default to rsa_sign. |
| + reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] |
| + msgs.append(CertificateRequest(self.version).create(reqCertTypes, |
| + reqCAs)) |
| msgs.append(ServerHelloDone()) |
| for result in self._sendMsgs(msgs): |
| yield result |