1diff --git a/third_party/tlslite/tlslite/api.py b/third_party/tlslite/tlslite/api.py 2index fa6a18c..aabcc14 100644 3--- a/third_party/tlslite/tlslite/api.py 4+++ b/third_party/tlslite/tlslite/api.py 5@@ -2,7 +2,8 @@ 6 # See the LICENSE file for legal information regarding use of this file. 7 8 __version__ = "0.4.8" 9-from .constants import AlertLevel, AlertDescription, Fault 10+from .constants import AlertLevel, AlertDescription, ClientCertificateType, \ 11+ Fault 12 from .errors import * 13 from .checker import Checker 14 from .handshakesettings import HandshakeSettings 15diff --git a/third_party/tlslite/tlslite/constants.py b/third_party/tlslite/tlslite/constants.py 16index d2d50c5..7ee70be 100644 17--- a/third_party/tlslite/tlslite/constants.py 18+++ b/third_party/tlslite/tlslite/constants.py 19@@ -15,10 +15,14 @@ class CertificateType: 20 openpgp = 1 21 22 class ClientCertificateType: 23+ # http://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-2 24 rsa_sign = 1 25 dss_sign = 2 26 rsa_fixed_dh = 3 27 dss_fixed_dh = 4 28+ ecdsa_sign = 64 29+ rsa_fixed_ecdh = 65 30+ ecdsa_fixed_ecdh = 66 31 32 class HandshakeType: 33 hello_request = 0 34diff --git a/third_party/tlslite/tlslite/messages.py b/third_party/tlslite/tlslite/messages.py 35index 8b77ee6..e1be195 100644 36--- a/third_party/tlslite/tlslite/messages.py 37+++ b/third_party/tlslite/tlslite/messages.py 38@@ -455,17 +455,14 @@ class CertificateStatus(HandshakeMsg): 39 class CertificateRequest(HandshakeMsg): 40 def __init__(self, version): 41 HandshakeMsg.__init__(self, HandshakeType.certificate_request) 42- #Apple's Secure Transport library rejects empty certificate_types, so 43- #default to rsa_sign. 44- self.certificate_types = [ClientCertificateType.rsa_sign] 45+ self.certificate_types = [] 46 self.certificate_authorities = [] 47 self.version = version 48 self.supported_signature_algs = [] 49 50- def create(self, certificate_types, certificate_authorities, sig_algs=(), version=(3,0)): 51+ def create(self, certificate_types, certificate_authorities, sig_algs=()): 52 self.certificate_types = certificate_types 53 self.certificate_authorities = certificate_authorities 54- self.version = version 55 self.supported_signature_algs = sig_algs 56 return self 57 58diff --git a/third_party/tlslite/tlslite/tlsconnection.py b/third_party/tlslite/tlslite/tlsconnection.py 59index f6d13d4..f8547d5 100644 60--- a/third_party/tlslite/tlslite/tlsconnection.py 61+++ b/third_party/tlslite/tlslite/tlsconnection.py 62@@ -1070,7 +1070,7 @@ class TLSConnection(TLSRecordLayer): 63 def handshakeServer(self, verifierDB=None, 64 certChain=None, privateKey=None, reqCert=False, 65 sessionCache=None, settings=None, checker=None, 66- reqCAs = None, 67+ reqCAs = None, reqCertTypes = None, 68 tacks=None, activationFlags=0, 69 nextProtos=None, anon=False, 70 tlsIntolerant=None, signedCertTimestamps=None, 71@@ -1138,6 +1138,10 @@ class TLSConnection(TLSRecordLayer): 72 will be sent along with a certificate request. This does not affect 73 verification. 74 75+ @type reqCertTypes: list of int 76+ @param reqCertTypes: A list of certificate_type values to be sent 77+ along with a certificate request. This does not affect verification. 78+ 79 @type nextProtos: list of strings. 80 @param nextProtos: A list of upper layer protocols to expose to the 81 clients through the Next-Protocol Negotiation Extension, 82@@ -1177,7 +1181,7 @@ class TLSConnection(TLSRecordLayer): 83 """ 84 for result in self.handshakeServerAsync(verifierDB, 85 certChain, privateKey, reqCert, sessionCache, settings, 86- checker, reqCAs, 87+ checker, reqCAs, reqCertTypes, 88 tacks=tacks, activationFlags=activationFlags, 89 nextProtos=nextProtos, anon=anon, tlsIntolerant=tlsIntolerant, 90 signedCertTimestamps=signedCertTimestamps, 91@@ -1188,7 +1192,7 @@ class TLSConnection(TLSRecordLayer): 92 def handshakeServerAsync(self, verifierDB=None, 93 certChain=None, privateKey=None, reqCert=False, 94 sessionCache=None, settings=None, checker=None, 95- reqCAs=None, 96+ reqCAs=None, reqCertTypes=None, 97 tacks=None, activationFlags=0, 98 nextProtos=None, anon=False, 99 tlsIntolerant=None, 100@@ -1211,7 +1215,7 @@ class TLSConnection(TLSRecordLayer): 101 verifierDB=verifierDB, certChain=certChain, 102 privateKey=privateKey, reqCert=reqCert, 103 sessionCache=sessionCache, settings=settings, 104- reqCAs=reqCAs, 105+ reqCAs=reqCAs, reqCertTypes=reqCertTypes, 106 tacks=tacks, activationFlags=activationFlags, 107 nextProtos=nextProtos, anon=anon, 108 tlsIntolerant=tlsIntolerant, 109@@ -1224,7 +1228,7 @@ class TLSConnection(TLSRecordLayer): 110 111 def _handshakeServerAsyncHelper(self, verifierDB, 112 certChain, privateKey, reqCert, sessionCache, 113- settings, reqCAs, 114+ settings, reqCAs, reqCertTypes, 115 tacks, activationFlags, 116 nextProtos, anon, 117 tlsIntolerant, signedCertTimestamps, fallbackSCSV, 118@@ -1240,6 +1244,8 @@ class TLSConnection(TLSRecordLayer): 119 raise ValueError("Caller passed a privateKey but no certChain") 120 if reqCAs and not reqCert: 121 raise ValueError("Caller passed reqCAs but not reqCert") 122+ if reqCertTypes and not reqCert: 123+ raise ValueError("Caller passed reqCertTypes but not reqCert") 124 if certChain and not isinstance(certChain, X509CertChain): 125 raise ValueError("Unrecognized certificate type") 126 if activationFlags and not tacks: 127@@ -1328,7 +1334,7 @@ class TLSConnection(TLSRecordLayer): 128 assert(False) 129 for result in self._serverCertKeyExchange(clientHello, serverHello, 130 certChain, keyExchange, 131- reqCert, reqCAs, cipherSuite, 132+ reqCert, reqCAs, reqCertTypes, cipherSuite, 133 settings, ocspResponse): 134 if result in (0,1): yield result 135 else: break 136@@ -1607,7 +1613,7 @@ class TLSConnection(TLSRecordLayer): 137 138 def _serverCertKeyExchange(self, clientHello, serverHello, 139 serverCertChain, keyExchange, 140- reqCert, reqCAs, cipherSuite, 141+ reqCert, reqCAs, reqCertTypes, cipherSuite, 142 settings, ocspResponse): 143 #Send ServerHello, Certificate[, ServerKeyExchange] 144 #[, CertificateRequest], ServerHelloDone 145@@ -1623,11 +1629,13 @@ class TLSConnection(TLSRecordLayer): 146 serverKeyExchange = keyExchange.makeServerKeyExchange() 147 if serverKeyExchange is not None: 148 msgs.append(serverKeyExchange) 149- if reqCert and reqCAs: 150- msgs.append(CertificateRequest().create(\ 151- [ClientCertificateType.rsa_sign], reqCAs)) 152- elif reqCert: 153- msgs.append(CertificateRequest(self.version)) 154+ if reqCert: 155+ reqCAs = reqCAs or [] 156+ #Apple's Secure Transport library rejects empty certificate_types, 157+ #so default to rsa_sign. 158+ reqCertTypes = reqCertTypes or [ClientCertificateType.rsa_sign] 159+ msgs.append(CertificateRequest(self.version).create(reqCertTypes, 160+ reqCAs)) 161 msgs.append(ServerHelloDone()) 162 for result in self._sendMsgs(msgs): 163 yield result 164