diff options
author | Peter Dettman <peter.dettman@bouncycastle.org> | 2013-06-16 13:04:20 +0400 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2013-06-16 13:04:20 +0400 |
commit | 5ceb3f7cafc53b1c39924bc0fb65ba47ab9aabe9 (patch) | |
tree | 042df12a84fea17ba4d99cc0d876a91529a05f58 | |
parent | 936746ff5335374f92b29db972c561b1f7ae5102 (diff) |
Parse certificate_status messages at the client
-rw-r--r-- | core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java | 40 | ||||
-rw-r--r-- | core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java | 13 |
2 files changed, 31 insertions, 22 deletions
diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java index 15c0e232..6e24931c 100644 --- a/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java +++ b/core/src/main/java/org/bouncycastle/crypto/tls/DTLSClientProtocol.java @@ -153,22 +153,7 @@ public class DTLSClientProtocol if (serverMessage.getType() == HandshakeType.certificate_status) { - if (!state.allowCertificateStatus) - { - /* - * RFC 3546 3.6. If a server returns a "CertificateStatus" message, then the - * server MUST have included an extension of type "status_request" with empty - * "extension_data" in the extended server hello.. - */ - throw new TlsFatalAlert(AlertDescription.unexpected_message); - } - - /* - * TODO[RFC 3546] Parse the CertificateStatus message. We should bundle any - * CertificateStatus message with the actual Certificate since the authentication - * will want to use it. - */ - + processCertificateStatus(state, serverMessage.getBody()); serverMessage = handshake.receiveMessage(); } else @@ -418,6 +403,28 @@ public class DTLSClientProtocol state.keyExchange.validateCertificateRequest(state.certificateRequest); } + protected void processCertificateStatus(ClientHandshakeState state, byte[] body) + throws IOException + { + if (!state.allowCertificateStatus) + { + /* + * RFC 3546 3.6. If a server returns a "CertificateStatus" message, then the + * server MUST have included an extension of type "status_request" with empty + * "extension_data" in the extended server hello.. + */ + throw new TlsFatalAlert(AlertDescription.unexpected_message); + } + + ByteArrayInputStream buf = new ByteArrayInputStream(body); + + state.certificateStatus = CertificateStatus.parse(buf); + + TlsProtocol.assertEmpty(buf); + + // TODO[RFC 3546] Figure out how to provide this to the client/authentication. + } + protected void processNewSessionTicket(ClientHandshakeState state, byte[] body) throws IOException { @@ -652,6 +659,7 @@ public class DTLSClientProtocol boolean expectSessionTicket = false; TlsKeyExchange keyExchange = null; TlsAuthentication authentication = null; + CertificateStatus certificateStatus = null; CertificateRequest certificateRequest = null; TlsCredentials clientCredentials = null; } diff --git a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java index 77ef0c57..40adfa15 100644 --- a/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java +++ b/core/src/main/java/org/bouncycastle/crypto/tls/TlsClientProtocol.java @@ -29,6 +29,7 @@ public class TlsClientProtocol protected TlsKeyExchange keyExchange = null; protected TlsAuthentication authentication = null; + protected CertificateStatus certificateStatus = null; protected CertificateRequest certificateRequest = null; private static SecureRandom createSecureRandom() @@ -187,12 +188,12 @@ public class TlsClientProtocol this.failWithError(AlertLevel.fatal, AlertDescription.unexpected_message); } - /* - * TODO[RFC 3546] Parse the CertificateStatus message. We should bundle any - * CertificateStatus message with the actual Certificate since the authentication - * will want to use it. - */ - Streams.drain(buf); + this.certificateStatus = CertificateStatus.parse(buf); + + assertEmpty(buf); + + // TODO[RFC 3546] Figure out how to provide this to the client/authentication. + this.connection_state = CS_CERTIFICATE_STATUS; break; default: |