From cf8f87c832273ea2d70ed00be7130e36884e370c Mon Sep 17 00:00:00 2001
From: lloyd
Date: Tue, 13 Nov 2012 19:25:35 +0000
Subject: Change Credentials_Manager::trusted_certificate_authorities to return a list of Certificate_Stores instead of a list of actual certs, allowing for instance the ability to reference a DB cert store without actually pulling all the certs into memory. Add Certificate_Store::all_subjects which returns the DNs of all contained certificates.
---
 src/tls/msg_cert_req.cpp | 13 ++++---------
 src/tls/tls_messages.h | 2 +-
 src/tls/tls_seq_numbers.h | 1 +
 src/tls/tls_server.cpp | 12 +++++++++++-
 4 files changed, 17 insertions(+), 11 deletions(-)
(limited to 'src/tls')
diff --git a/src/tls/msg_cert_req.cpp b/src/tls/msg_cert_req.cpp
index 4104025cf..23d59c6d4 100644
--- a/src/tls/msg_cert_req.cpp
+++ b/src/tls/msg_cert_req.cpp
@@ -54,16 +54,11 @@ byte cert_type_name_to_code(const std::string& name)
 Certificate_Req::Certificate_Req(Handshake_IO& io,
 Handshake_Hash& hash,
 const Policy& policy,
- const std::vector& ca_certs,
- Protocol_Version version)
+ const std::vector& ca_certs,
+ Protocol_Version version) :
+ m_names(ca_certs),
+ m_cert_key_types({ "RSA", "DSA", "ECDSA" })
 {
- for(size_t i = 0; i != ca_certs.size(); ++i)
- m_names.push_back(ca_certs[i].subject_dn());
-
- m_cert_key_types.push_back("RSA");
- m_cert_key_types.push_back("DSA");
- m_cert_key_types.push_back("ECDSA");
-
 if(version.supports_negotiable_signature_algorithms())
 {
 std::vector hashes = policy.allowed_signature_hashes();
diff --git a/src/tls/tls_messages.h b/src/tls/tls_messages.h
index 52ff52c12..557677c4a 100644
--- a/src/tls/tls_messages.h
+++ b/src/tls/tls_messages.h
@@ -356,7 +356,7 @@ class Certificate_Req : public Handshake_Message
 Certificate_Req(Handshake_IO& io,
 Handshake_Hash& hash,
 const Policy& policy,
- const std::vector& allowed_cas,
+ const std::vector& allowed_cas,
 Protocol_Version version);
 
 Certificate_Req(const std::vector& buf, 
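Review bot: `m_names(ca_certs)` now takes the DN list exactly as the caller's stores produce it, and nothing in this hunk bounds its size; since the commit's stated motivation is DB-backed stores, the list can grow past the 2^16-1 bytes the CertificateRequest certificate_authorities field can carry on the wire, so either this constructor or serialize() (not visible here) should reject or explicitly truncate an oversized list rather than emit an invalid length. The parameter is still called `ca_certs` although it now holds DNs, while the matching declaration in the tls_messages.h hunk calls it `allowed_cas`; one name in both places, e.g. `ca_names`, would remove the mismatch. The vector's element type is not visible on the page (the template argument was stripped), so the above is inferred from the old `subject_dn()` loop and the commit message. The constructor body continues past the end of the hunk.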
diff --git a/src/tls/tls_seq_numbers.h b/src/tls/tls_seq_numbers.h
index 4a8a0fab8..87edf3130 100644
--- a/src/tls/tls_seq_numbers.h
+++ b/src/tls/tls_seq_numbers.h
@@ -8,6 +8,7 @@
 #ifndef BOTAN_TLS_SEQ_NUMBERS_H__
 #define BOTAN_TLS_SEQ_NUMBERS_H__
 
+#include
 #include
 
 namespace Botan {
diff --git a/src/tls/tls_server.cpp b/src/tls/tls_server.cpp
index b91dfc9aa..380d3d5b1 100644
--- a/src/tls/tls_server.cpp
+++ b/src/tls/tls_server.cpp
@@ -534,9 +534,19 @@ void Server::process_handshake_msg(const Handshake_State* active_state,
 );
 }
 
- std::vector client_auth_CAs =
+ auto trusted_CAs =
 m_creds.trusted_certificate_authorities("tls-server", sni_hostname);
 
+ std::vector client_auth_CAs;
+
+ for(auto store : trusted_CAs)
+ {
+ auto subjects = store->all_subjects();
+ client_auth_CAs.insert(client_auth_CAs.end(),
+ subjects.begin(),
+ subjects.end());
+ }
+
 if(!client_auth_CAs.empty() && state.ciphersuite().sig_algo() != "")
 {
 state.cert_req(
-- 
cgit v1.2.3
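Review bot: `store->all_subjects()` dereferences `store` without a check; trusted_certificate_authorities is the application's override, so a null entry in its result would be dereferenced here, and `if(!store) continue;` (or an explicit error) ahead of that line would make the contract visible instead of relying on every Credentials_Manager implementation. The subjects of all stores are concatenated with no de-duplication and no bound, so a DN present in two stores is sent twice and a large DB-backed store inflates the CertificateRequest; a de-duplication pass or a cap before `state.cert_req(` is worth considering, with the caveat that the message's size handling lives outside this hunk. `for(auto store : trusted_CAs)` copies each element, which is harmless for a raw pointer but an atomic refcount operation if the element type is a shared pointer — the page does not show which — and `for(const auto& store : trusted_CAs)` is correct either way. process_handshake_msg begins and ends outside the hunk.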