Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Save client certificate into Context #405

Closed
wants to merge 2 commits into from
Closed
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 3 additions & 1 deletion core/Network/TLS.hs
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,8 @@ module Network.TLS
-- * Advanced APIs
-- ** Backend
, ctxConnection
, ctxClientCerts
, CertificateChain
, contextFlush
, contextClose
-- ** Information gathering
Expand Down Expand Up @@ -179,7 +181,7 @@ import Network.TLS.Types
import Network.TLS.X509

import Data.ByteString as B
import Data.X509 (PubKey(..), PrivKey(..))
import Data.X509 (PubKey(..), PrivKey(..), CertificateChain)
import Data.X509.Validation hiding (HostName)

{-# DEPRECATED Bytes "Use Data.ByteString.Bytestring instead of Bytes." #-}
Expand Down
2 changes: 2 additions & 0 deletions core/Network/TLS/Context.hs
Original file line number Diff line number Diff line change
Expand Up @@ -157,6 +157,7 @@ contextNew backend params = liftIO $ do
lockWrite <- newMVar ()
lockRead <- newMVar ()
lockState <- newMVar ()
certChain <- newIORef Nothing

return Context
{ ctxConnection = getBackend backend
Expand All @@ -182,6 +183,7 @@ contextNew backend params = liftIO $ do
, ctxPendingActions = as
, ctxCertRequests = crs
, ctxKeyLogger = debugKeyLogger debug
, ctxClientCerts = certChain
}

-- | create a new context on an handle.
Expand Down
2 changes: 2 additions & 0 deletions core/Network/TLS/Context/Internal.hs
Original file line number Diff line number Diff line change
Expand Up @@ -79,6 +79,7 @@ import Network.TLS.Measurement
import Network.TLS.Imports
import Network.TLS.Types
import Network.TLS.Util
import Data.X509 (CertificateChain)
import qualified Data.ByteString as B

import Control.Concurrent.MVar
Expand Down Expand Up @@ -129,6 +130,7 @@ data Context = Context
, ctxPendingActions :: IORef [PendingAction]
, ctxCertRequests :: IORef [Handshake13] -- ^ pending PHA requests
, ctxKeyLogger :: String -> IO ()
, ctxClientCerts :: IORef (Maybe CertificateChain)
}

data Established = NotEstablished
Expand Down
4 changes: 2 additions & 2 deletions core/Network/TLS/Handshake/Common13.hs
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
{-# LANGUAGE OverloadedStrings, GeneralizedNewtypeDeriving, BangPatterns #-}
{-# LANGUAGE OverloadedStrings, GeneralizedNewtypeDeriving, BangPatterns, ScopedTypeVariables #-}

-- |
-- Module : Network.TLS.Handshake.Common13
Expand Down Expand Up @@ -362,7 +362,7 @@ recvHandshake13hash ctx f = do

getHandshake13 :: MonadIO m => Context -> RecvHandshake13M m Handshake13
getHandshake13 ctx = RecvHandshake13M $ do
currentState <- get
currentState :: [Handshake13] <- get
case currentState of
(h:hs) -> found h hs
[] -> recvLoop
Expand Down
3 changes: 2 additions & 1 deletion core/Network/TLS/Handshake/Server.hs
Original file line number Diff line number Diff line change
Expand Up @@ -1066,7 +1066,8 @@ clientCertificate sparams ctx certs = do
-- Call application callback to see whether the
-- certificate chain is acceptable.
--
usage <- liftIO $ catchException (onClientCertificate (serverHooks sparams) certs) rejectOnException
let ioref = ctxClientCerts ctx
usage <- liftIO $ catchException (onClientCertificate (serverHooks sparams) certs ioref) rejectOnException
case usage of
CertificateUsageAccept -> verifyLeafKeyUsage [KeyUsage_digitalSignature] certs
CertificateUsageReject reason -> certificateRejected reason
Expand Down
6 changes: 4 additions & 2 deletions core/Network/TLS/Parameters.hs
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,8 @@ module Network.TLS.Parameters
, CertificateRejectReason(..)
) where

import Data.IORef

import Network.TLS.Extension
import Network.TLS.Struct
import qualified Network.TLS.Struct as Struct
Expand Down Expand Up @@ -440,7 +442,7 @@ data ServerHooks = ServerHooks
-- The function is not expected to verify the key-usage
-- extension of the certificate. This verification is
-- performed by the library internally.
onClientCertificate :: CertificateChain -> IO CertificateUsage
onClientCertificate :: CertificateChain -> IORef (Maybe CertificateChain) -> IO CertificateUsage

-- | This action is called when the client certificate
-- cannot be verified. Return 'True' to accept the certificate
Expand Down Expand Up @@ -480,7 +482,7 @@ data ServerHooks = ServerHooks
defaultServerHooks :: ServerHooks
defaultServerHooks = ServerHooks
{ onCipherChoosing = \_ -> head
, onClientCertificate = \_ -> return $ CertificateUsageReject $ CertificateRejectOther "no client certificates expected"
, onClientCertificate = \_ _ -> return $ CertificateUsageReject $ CertificateRejectOther "no client certificates expected"
, onUnverifiedClientCert = return False
, onServerNameIndication = \_ -> return mempty
, onNewHandshake = \_ -> return True
Expand Down