authorJack Lloyd <[email protected]>2018-01-07 16:57:55 -0500
committerJack Lloyd <[email protected]>2018-01-27 13:38:30 -0500
commitd708030ecb20cebc548fced882141cc7f03a8ac1 (patch)
tree11b8a2f26639fc5245ee24adc790d23457735b48 /src/lib/tls
parente5cf7992ff53c3fbe4beb106d3fd80b8845957b7 (diff)
For TLS client auth add callback giving list of trusted CA names
Fixes #1261
Diffstat (limited to 'src/lib/tls')
-rw-r--r--src/lib/tls/credentials_manager.cpp11
-rw-r--r--src/lib/tls/credentials_manager.h25
-rw-r--r--src/lib/tls/tls_client.cpp7
-rw-r--r--src/lib/tls/tls_messages.h2
4 files changed, 40 insertions, 5 deletions
diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp
index 9a7e25ddf..158d6f77c 100644
--- a/src/lib/tls/credentials_manager.cpp
+++ b/src/lib/tls/credentials_manager.cpp
@@ -59,6 +59,15 @@ bool Credentials_Manager::srp_verifier(const std::string&,
return false;
}
+std::vector<X509_Certificate> Credentials_Manager::find_cert_chain(
+ const std::vector<std::string>& key_types,
+ const std::vector<X509_DN>&,
+ const std::string& type,
+ const std::string& context)
+ {
+ return cert_chain(key_types, type, context);
+ }
+
std::vector<X509_Certificate> Credentials_Manager::cert_chain(
const std::vector<std::string>&,
const std::string&,
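Review bot: The default find_cert_chain body at the `return cert_chain(key_types, type, context);` line silently drops acceptable_CAs (the parameter is left unnamed), and nothing says this is the intended backward-compatibility shim rather than an oversight. Suggest naming the parameter and adding a comment above the return, `// Default: ignore acceptable_CAs and defer to the (deprecated) cert_chain overload so existing subclasses keep working.` The same convention — an empty list meaning "no CA restriction" — is relied on by the `find_cert_chain(cert_types, std::vector<X509_DN>(), type, context)` call in the next hunk, so it is worth stating here as well.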
@@ -74,7 +83,7 @@ std::vector<X509_Certificate> Credentials_Manager::cert_chain_single_type(
{
std::vector<std::string> cert_types;
cert_types.push_back(cert_key_type);
- return cert_chain(cert_types, type, context);
+ return find_cert_chain(cert_types, std::vector<X509_DN>(), type, context);
}
Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&,
diff --git a/src/lib/tls/credentials_manager.h b/src/lib/tls/credentials_manager.h
index e544fd51d..627894a87 100644
--- a/src/lib/tls/credentials_manager.h
+++ b/src/lib/tls/credentials_manager.h
@@ -16,6 +16,7 @@
namespace Botan {
+class X509_DN;
class BigInt;
/**
@@ -55,6 +56,30 @@ class BOTAN_PUBLIC_API(2,0) Credentials_Manager
* "DSA", "ECDSA", etc), or empty if there
* is no preference by the caller.
*
+ * @param acceptable_CAs the CAs the requestor will accept (possibly empty)
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ */
+ virtual std::vector<X509_Certificate> find_cert_chain(
+ const std::vector<std::string>& cert_key_types,
+ const std::vector<X509_DN>& acceptable_CAs,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * Return a cert chain we can use, ordered from leaf to root,
+ * or else an empty vector.
+ *
+ * This virtual function is deprecated, and will be removed in a
+ * future release. Use (and override) find_cert_chain instead.
+ *
+ * It is assumed that the caller can get the private key of the
+ * leaf with private_key_for
+ *
+ * @param cert_key_types specifies the key types desired ("RSA",
+ * "DSA", "ECDSA", etc), or empty if there
+ * is no preference by the caller.
+ *
* @param type specifies the type of operation occurring
*
* @param context specifies a context relative to type.
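Review bot: The new `@param acceptable_CAs` line says only "possibly empty"; it does not tell an implementer what to do with a non-empty list, nor that an empty list means the peer expressed no preference, which is exactly the value the library itself passes from cert_chain_single_type. Suggest extending it to `@param acceptable_CAs the CAs the requestor will accept (possibly empty); when non-empty, prefer a chain issued by one of them, and treat an empty list as "no preference"`. Since these names arrive from the peer's CertificateRequest, a sentence noting that the list is peer-supplied input used only for chain selection, never as a trust decision, would also help implementers. The doc block for find_cert_chain begins above the hunk.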
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 5f84481ac..4647e11cb 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -522,9 +522,10 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
const auto& types = state.cert_req()->acceptable_cert_types();
std::vector<X509_Certificate> client_certs =
- m_creds.cert_chain(types,
- "tls-client",
- m_info.hostname());
+ m_creds.find_cert_chain(types,
+ state.cert_req()->acceptable_CAs(),
+ "tls-client",
+ m_info.hostname());
state.client_certs(new Certificate(state.handshake_io(),
state.hash(),
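Review bot: Style: the added call fetches `state.cert_req()` a second time inline while the line above already aliases `acceptable_cert_types()` into `types`; mirroring that with `const auto& acceptable_cas = state.cert_req()->acceptable_CAs();` before the call keeps the two lookups visibly parallel and makes it obvious that the reference acceptable_CAs() now returns is only used while the request message is alive. process_handshake_msg begins and ends outside the hunk.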
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index 75e65fa7f..cd06517d7 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
@@ -412,7 +412,7 @@ class BOTAN_UNSTABLE_API Certificate_Req final : public Handshake_Message
const std::vector<std::string>& acceptable_cert_types() const
{ return m_cert_key_types; }
- std::vector<X509_DN> acceptable_CAs() const { return m_names; }
+ const std::vector<X509_DN>& acceptable_CAs() const { return m_names; }
std::vector<std::pair<std::string, std::string> > supported_algos() const
{ return m_supported_algos; }
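Review bot: acceptable_CAs() now hands out a reference into m_names, but supported_algos() on the following line still returns its vector by value, so the two sibling accessors read inconsistently; `const std::vector<std::pair<std::string, std::string> >& supported_algos() const` would align them, and Certificate_Req is marked BOTAN_UNSTABLE_API so the signature change appears permissible. Callers that bind the result with `const auto&` must not keep it past the lifetime of the Certificate_Req object; a one-line comment, `// reference is valid only while this message object lives`, above the accessor would make that explicit.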