Verify Client Authentication based on RawPublicKey

randombit · Oct 30, 2023 · bd6b9a6 · bd6b9a6
1 parent a2685ed
commit bd6b9a6
Show file tree

Hide file tree

Showing 2 changed files with 24 additions and 3 deletions.
diff --git a/src/cli/tls_server.cpp b/src/cli/tls_server.cpp
@@ -93,6 +93,14 @@ class Callbacks : public Botan::TLS::Callbacks {
  return "echo/0.1";
  }
 
+ void tls_verify_raw_public_key(const Botan::Public_Key& raw_public_key,
+ Botan::Usage_Type /* usage */,
+ std::string_view /* hostname */,
+ const Botan::TLS::Policy& /* policy */) override {
+ const auto fingerprint = raw_public_key.fingerprint_public("SHA-256");
+ output() << "received Raw Public Key (" << fingerprint << ")\n";
+ }
+
  private:
  TLS_Server& m_server_command;
  std::string m_line_buf;

diff --git a/src/lib/tls/tls13/tls_server_impl_13.cpp b/src/lib/tls/tls13/tls_server_impl_13.cpp
@@ -45,7 +45,8 @@ std::string Server_Impl_13::application_protocol() const {
 std::vector<X509_Certificate> Server_Impl_13::peer_cert_chain() const {
  if(m_resumed_session.has_value()) {
  return m_resumed_session->peer_certs();
- } else if(m_handshake_state.has_client_certificate_msg()) {
+ } else if(m_handshake_state.has_client_certificate_msg() &&
+ m_handshake_state.client_certificate().has_certificate_chain()) {
  return m_handshake_state.client_certificate().cert_chain();
  } else {
  return {};
@@ -295,13 +296,25 @@ void Server_Impl_13::handle_reply_to_client_hello(Server_Hello_13 server_hello)
  flight.add(m_handshake_state.sending(std::move(certificate_request.value())));
  }
 
+ const auto& enc_exts = m_handshake_state.encrypted_extensions().extensions();
+
+ // RFC 7250 4.2
+ // This client_certificate_type extension in the server hello then
+ // indicates the type of certificates the client is requested to provide
+ // in a subsequent certificate payload.
+ //
+ // Note: TLS 1.3 carries this extension in the Encrypted Extensions
+ // message instead of the Server Hello.
+ if(auto client_cert_type = enc_exts.get<Client_Certificate_Type>()) {
+ set_certificate_type(client_cert_type->selected_certificate_type());
+ }
+
  // RFC 8446 4.4.2
  // If the corresponding certificate type extension [...] was not
  // negotiated in EncryptedExtensions, or the X.509 certificate type
  // was negotiated, then each CertificateEntry contains a DER-encoded
  // X.509 certificate.
- const auto cert_type = [this] {
- const auto& enc_exts = m_handshake_state.encrypted_extensions().extensions();
+ const auto cert_type = [&] {
  if(auto server_cert_type = enc_exts.get<Server_Certificate_Type>()) {
  return server_cert_type->selected_certificate_type();
  } else {