Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Client authentication #192

Merged
merged 26 commits into from
Jan 20, 2015
Merged

Client authentication #192

merged 26 commits into from
Jan 20, 2015

Conversation

hannesm
Copy link
Member

@hannesm hannesm commented Oct 3, 2014

this builds on top of SNI! It might not yet be ready for merging (esp. the modification to echo_client should not be merged). any comments are welcome (addresses first half of #171)

@hannesm
Copy link
Member Author

hannesm commented Oct 6, 2014

this contains the server side as well, and works locally with openssl (both sides, s_client and s_server), the whole PR now fixes #171 🎉

This was referenced Oct 6, 2014
Closed
Closed
@hannesm hannesm changed the title Client authentication (only client side so far) Client authentication Oct 6, 2014
@hannesm hannesm force-pushed the client_auth branch 2 times, most recently from b796ef6 to 46f7593 Compare October 31, 2014 12:29
@hannesm hannesm mentioned this pull request Jan 2, 2015
Closed
@hannesm
move signature to handshake_common
89dd7a7
@hannesm
introduce AwaitCertificateRequestOrServerHelloDone client handshake s…
674e731 
…tate and transitions
@hannesm
allow client to be configured with own certificates
ddfc7b8 
Conflicts:
	lib/config.ml
	lib/config.mli
@hannesm
add CertificateVerify
9b9d583
@hannesm
only support None or Single certificate in client configuration
eade537
@hannesm
export parse_certificate_request and parse_certificate_request_1_2
b137dc5 
once again, the format is slightly different in TLS_1_2
 (signature and hash algorithms are included)
also fix parsing of cas, especially:
 ``(calength + 2) <> len buf`` instead of ``calength <> (len buf) + 2``
@hannesm
remove record type and adjust tls_handshake sum type,
8a53112 
now that we export parse_certificate_request(_1_2)
@hannesm
handle CertificateVerify assembly
7baf4b9
@hannesm
remember in session_data whether client_authentication is demanded
2e1acc8
@hannesm
transport hash * sig list option in AwaitServerHelloDone for optional…
9dd3354 
… CertificateVerify
@hannesm
style
a093c0f
@hannesm
adjust answer_server_hello_done signature to include the hash * sig l…
b43982a 
…ist option
@hannesm
implement certificate_request handler:
5aeb0eb 
 - parse message depending on protocol_version
 - require RSA_SIGN to be included in types
 - set client_auth field to true
 - set own_certificate and own_private_key for further use

adjust server_hello_done handler
 - send certificate and certificateVerify message (if requested and demanded and provided)
 - send empty certificate if certificaterequest occured and no certificate was found
 - no certificateverify -> continue handshake as usual
@hannesm
parse certificateverify message
0236903
@hannesm
default for assemble_list now to produce a buffer (with list length e…
ac3c9ff 
…ncoded); if none_if_empty provided, return a 0-length buffer
@hannesm
asemble certificate_request
2da97a8
@hannesm
provide assemble_certificate_request and assemble_certificate_request…
853d5b0 
…_1_2
@hannesm
move validate_chain and peer_rsa_key to handshake_common
3769f9a
@hannesm
move verify_digitally_signed to handshake_common
fd2742c
@hannesm
accept authenticator in server config
b539ca3
@hannesm
server handshake states dealing with client authentication
ecab133
@hannesm
provide client authentication functionality:
b95c398 
 - if authenticator is configured, ask for a client certificate (send CertificateRequest)
 - if certificate is provided by client, validate the chain (using the authenticator)
 - verify the signature (using the client certificate key) of the CertificateVerify message
 - store client certificate in session.peer_certificate (and trust anchor in session.trust_anchor)

the application still needs to decide whether the session.peer_certificate is good for it (it might be empty!!!)
@hannesm
echo client sends a client certificate if asked, echo_server requests…
8d15455 
… a client certificate
@hannesm
update CHANGES.md
36424ae
@hannesm
fixes
364a9cb
@hannesm
style
e5b8999
@hannesm hannesm mentioned this pull request Jan 16, 2015
Merged
pqwy added a commit that referenced this pull request Jan 20, 2015
@pqwy
Merge pull request #192 from mirleft/client_auth
fccd439 
Client authentication
@pqwy pqwy merged commit fccd439 into master Jan 20, 2015
@pqwy pqwy deleted the client_auth branch January 20, 2015 20:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@hannesm @pqwy