Fix CertificateRequest initialization.

Adapted from a Chromium patch. This matches the other messages; __init__ gets passed parameters necessary to determine the behavior of parse (version, cipherSuite), while the fields for outgoing messages are set in create.
tlsfuzzer · Jun 8, 2015 · 598283b · 598283b
1 parent 21b6350
commit 598283b
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 15 deletions.
diff --git a/tlslite/messages.py b/tlslite/messages.py
@@ -877,17 +877,14 @@ def write(self):
 class CertificateRequest(HandshakeMsg):
     def __init__(self, version):
         HandshakeMsg.__init__(self, HandshakeType.certificate_request)
-        #Apple's Secure Transport library rejects empty certificate_types, so
-        #default to rsa_sign.
-        self.certificate_types = [ClientCertificateType.rsa_sign]
+        self.certificate_types = []
         self.certificate_authorities = []
         self.version = version
         self.supported_signature_algs = []
 
-    def create(self, certificate_types, certificate_authorities, sig_algs=(), version=(3,0)):
+    def create(self, certificate_types, certificate_authorities, sig_algs=()):
         self.certificate_types = certificate_types
         self.certificate_authorities = certificate_authorities
-        self.version = version
         self.supported_signature_algs = sig_algs
         return self
 

diff --git a/tlslite/tlsconnection.py b/tlslite/tlsconnection.py
@@ -1485,11 +1485,13 @@ def _serverCertKeyExchange(self, clientHello, serverHello,
 
         msgs.append(serverHello)
         msgs.append(Certificate(CertificateType.x509).create(serverCertChain))
-        if reqCert and reqCAs:
-            msgs.append(CertificateRequest().create(\
-                [ClientCertificateType.rsa_sign], reqCAs))
-        elif reqCert:
-            msgs.append(CertificateRequest(self.version))
+        if reqCert:
+            #Apple's Secure Transport library rejects empty certificate_types,
+            #and only RSA certificates are supported.
+            reqCAs = reqCAs or []
+            reqCertTypes = [ClientCertificateType.rsa_sign]
+            msgs.append(CertificateRequest(self.version).create(reqCertTypes,
+                                                                reqCAs))
         msgs.append(ServerHelloDone())
         for result in self._sendMsgs(msgs):
             yield result

diff --git a/unit_tests/test_tlslite_messages.py b/unit_tests/test_tlslite_messages.py
@@ -1441,8 +1441,7 @@ def test___init__(self):
 
         self.assertIsNotNone(cr)
         self.assertEqual(cr.version, (3, 0))
-        # XXX unset
-        self.assertEqual(cr.certificate_types, [ClientCertificateType.rsa_sign])
+        self.assertEqual(cr.certificate_types, [])
         self.assertEqual(cr.certificate_authorities, [])
         self.assertEqual(cr.supported_signature_algs, [])
 
@@ -1524,9 +1523,7 @@ def test_write_in_TLS_v1_2(self):
         cr.create([ClientCertificateType.rsa_sign],
                   [],
                   # XXX should be an array of tuples
-                  [0x0601, 0x0401, 0x0201],
-                  # XXX version set for the second time!
-                  version=(3, 3))
+                  [0x0601, 0x0401, 0x0201])
 
         self.assertEqual(cr.write(), bytearray(
             b'\x0d' +               # type