author | Jack Lloyd <[email protected]> | 2018-01-07 16:57:55 -0500 |
---|---|---|
committer | Jack Lloyd <[email protected]> | 2018-01-27 13:38:30 -0500 |
commit | d708030ecb20cebc548fced882141cc7f03a8ac1 (patch) | |
tree | 11b8a2f26639fc5245ee24adc790d23457735b48 /src/lib/tls | |
parent | e5cf7992ff53c3fbe4beb106d3fd80b8845957b7 (diff) |
For TLS client auth add callback giving list of trusted CA names
Fixes #1261
Diffstat (limited to 'src/lib/tls')
-rw-r--r-- | src/lib/tls/credentials_manager.cpp | 11 | ||||
-rw-r--r-- | src/lib/tls/credentials_manager.h | 25 | ||||
-rw-r--r-- | src/lib/tls/tls_client.cpp | 7 | ||||
-rw-r--r-- | src/lib/tls/tls_messages.h | 2 |
4 files changed, 40 insertions, 5 deletions
diff --git a/src/lib/tls/credentials_manager.cpp b/src/lib/tls/credentials_manager.cpp
index 9a7e25ddf..158d6f77c 100644
--- a/src/lib/tls/credentials_manager.cpp
+++ b/src/lib/tls/credentials_manager.cpp
@@ -59,6 +59,15 @@ bool Credentials_Manager::srp_verifier(const std::string&,
 return false;
 }
 
+std::vector<X509_Certificate> Credentials_Manager::find_cert_chain(
+ const std::vector<std::string>& key_types,
+ const std::vector<X509_DN>&,
+ const std::string& type,
+ const std::string& context)
+ {
+ return cert_chain(key_types, type, context);
+ }
+
 std::vector<X509_Certificate> Credentials_Manager::cert_chain(
 const std::vector<std::string>&,
 const std::string&,
@@ -74,7 +83,7 @@ std::vector<X509_Certificate> Credentials_Manager::cert_chain_single_type(
 {
 std::vector<std::string> cert_types;
 cert_types.push_back(cert_key_type);
- return cert_chain(cert_types, type, context);
+ return find_cert_chain(cert_types, std::vector<X509_DN>(), type, context);
 }
 
 Private_Key* Credentials_Manager::private_key_for(const X509_Certificate&,
diff --git a/src/lib/tls/credentials_manager.h b/src/lib/tls/credentials_manager.h
index e544fd51d..627894a87 100644
--- a/src/lib/tls/credentials_manager.h
+++ b/src/lib/tls/credentials_manager.h
@@ -16,6 +16,7 @@ namespace Botan {
 
+class X509_DN;
 class BigInt;
 
 /**
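Review bot: The default `find_cert_chain` in the first hunk discards its `acceptable_CAs` argument and forwards to `cert_chain`, so an application that has not overridden the new hook keeps presenting a chain regardless of the server's CA list; that is the intended compatibility shim, but nothing at the definition says so. I would add `// Default: the CA list is ignored and the (deprecated) cert_chain hook decides` above the body. Note also that `cert_chain_single_type` in the second hunk now reaches `find_cert_chain` with an empty `std::vector<X509_DN>()`, so an override that filters by CA name must treat an empty list as "no constraint" rather than "nothing acceptable", otherwise that caller gets no chain at all. That convention belongs in the header comment for the `acceptable_CAs` parameter, e.g. `* An empty list means the caller expresses no CA preference.`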
@@ -55,6 +56,30 @@ class BOTAN_PUBLIC_API(2,0) Credentials_Manager
 * "DSA", "ECDSA", etc), or empty if there
 * is no preference by the caller.
 *
+ * @param acceptable_CAs the CAs the requestor will accept (possibly empty)
+ * @param type specifies the type of operation occurring
+ * @param context specifies a context relative to type.
+ */
+ virtual std::vector<X509_Certificate> find_cert_chain(
+ const std::vector<std::string>& cert_key_types,
+ const std::vector<X509_DN>& acceptable_CAs,
+ const std::string& type,
+ const std::string& context);
+
+ /**
+ * Return a cert chain we can use, ordered from leaf to root,
+ * or else an empty vector.
+ *
+ * This virtual function is deprecated, and will be removed in a
+ * future release. Use (and override) find_cert_chain instead.
+ *
+ * It is assumed that the caller can get the private key of the
+ * leaf with private_key_for
+ *
+ * @param cert_key_types specifies the key types desired ("RSA",
+ * "DSA", "ECDSA", etc), or empty if there
+ * is no preference by the caller.
+ *
 * @param type specifies the type of operation occurring
 *
 * @param context specifies a context relative to type.
diff --git a/src/lib/tls/tls_client.cpp b/src/lib/tls/tls_client.cpp
index 5f84481ac..4647e11cb 100644
--- a/src/lib/tls/tls_client.cpp
+++ b/src/lib/tls/tls_client.cpp
@@ -522,9 +522,10 @@ void Client::process_handshake_msg(const Handshake_State* active_state,
 const auto& types = state.cert_req()->acceptable_cert_types();
 
 std::vector<X509_Certificate> client_certs =
- m_creds.cert_chain(types,
- "tls-client",
- m_info.hostname());
+ m_creds.find_cert_chain(types,
+ state.cert_req()->acceptable_CAs(),
+ "tls-client",
+ m_info.hostname());
 
 state.client_certs(new Certificate(state.handshake_io(),
 state.hash(),
diff --git a/src/lib/tls/tls_messages.h b/src/lib/tls/tls_messages.h
index 75e65fa7f..cd06517d7 100644
--- a/src/lib/tls/tls_messages.h
+++ b/src/lib/tls/tls_messages.h
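Review bot: In the tls_client.cpp hunk the DN list handed to `find_cert_chain` is `state.cert_req()->acceptable_CAs()`, i.e. names decoded straight from the peer's CertificateRequest and passed into application code while the handshake is still in progress, and the `@param acceptable_CAs` line added in the credentials_manager.h hunk does not say where the names come from. An overrider is likely to key certificate selection, or some lookup, on those DNs, so the doc should state the trust level explicitly: `* @param acceptable_CAs the CAs the requestor will accept (possibly empty). These names are supplied by the peer and are not authenticated; use them only to choose among locally configured chains.` The `acceptable_CAs()` accessor now returns a `const&` into the request message (tls_messages.h hunk), which is safe at this call site because the reference is consumed within the call; an override that wants to keep the names beyond the call must copy the vector, which the `const&` parameter already forces. `Client::process_handshake_msg` starts and ends outside the hunk.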
@@ -412,7 +412,7 @@ class BOTAN_UNSTABLE_API Certificate_Req final : public Handshake_Message
 const std::vector<std::string>& acceptable_cert_types() const { return m_cert_key_types; }
 
- std::vector<X509_DN> acceptable_CAs() const { return m_names; }
+ const std::vector<X509_DN>& acceptable_CAs() const { return m_names; }
 
 std::vector<std::pair<std::string, std::string> > supported_algos() const { return m_supported_algos; }
|