    name dn;
    /* each trusted CA name is a two-byte length followed by a DER-encoded Name */
    read_pos = read_buffer( ( void * ) &dn_length, read_pos, 2 );
    dn_length = htons( dn_length );
    asn1parse( read_pos, dn_length, &dn_data );
    parse_name( &dn, &dn_data );
    printf( "Server trusts issuer: C=%s/ST=%s/L=%s/O=%s/OU=%s/CN=%s\n",
      dn.idAtCountryName, dn.idAtStateOrProvinceName,
      dn.idAtLocalityName, dn.idAtOrganizationName,
      dn.idAtOrganizationalUnitName, dn.idAtCommonName );
    asn1free( &dn_data );
    read_pos += dn_length;
  }
  /* remember that a client certificate must be sent by tls_connect */
  parameters->got_certificate_request = 1;
  return read_pos;
}
Handling the Certificate Request
The certificate request is split into two parts. The first is a variable-length list of
recognized certificate types; the values defined by TLS 1.0 are described by the
enumeration certificate_types. The second part is a variable-length list of
ASN.1 DER-encoded X.509 distinguished names (whew!) of trusted CAs. Notice
in Listing 8-29 that the CertificateRequest structure defined in this topic's
implementation has a section to store the received certificate types but not the CA
names. You can — and a robust implementation certainly should — store them
for downstream processing, but the memory management gets fairly complex
and adds little to the discussion here because this code ignores the information.
Still, for your edification, the list of trusted CAs is parsed and printed out. In
most common use cases, there is only a single trusted CA here.
The only really important bit of this routine is the setting of the
got_certificate_request flag. This indicates to the tls_connect routine that it must send a
certificate. If, and only if, the server sends a certificate request, the client should
send a certificate. The client certificate message is in exactly the same format
as the server certificate; the code can be reused as is, as shown in Listing 8-30.
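The two-part layout described above (a one-byte-prefixed list of certificate types, then a two-byte-prefixed list of two-byte-prefixed DER names) is easy to walk off the end of if the length fields are trusted blindly. The following added example, which is not part of the book's tls.c, parses a CertificateRequest body with every length checked against the bytes remaining; the struct, MAX_CA_NAMES cap and the sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define MAX_CA_NAMES 4   /* arbitrary cap for this example */
/* Parsed view of a CertificateRequest; every pointer refers into the message. */
typedef struct {
    const uint8_t *cert_types;   size_t num_cert_types;   /* ClientCertificateType bytes */
    const uint8_t *ca_names[MAX_CA_NAMES];                 /* DER Names, left for asn1parse */
    size_t ca_name_lens[MAX_CA_NAMES]; size_t num_ca_names;
} cert_request_t;
/* Returns 0 on success, -1 if any length prefix would run past the end of the
 * message; no length is used before it is checked against the bytes remaining. */
int parse_cert_request( const uint8_t *msg, size_t len, cert_request_t *out )
{
    size_t pos, list_end;
    memset( out, 0, sizeof( *out ) );
    /* certificate_types<1..2^8-1>: one-byte count, then one byte per type */
    if ( len < 1 || msg[0] == 0 || (size_t) msg[0] > len - 1 ) return -1;
    out->num_cert_types = msg[0];  out->cert_types = msg + 1;
    pos = 1 + out->num_cert_types;
    /* certificate_authorities<3..2^16-1>: two-byte length for the whole list */
    if ( len - pos < 2 ) return -1;
    list_end = pos + 2 + ( ( (size_t) msg[pos] << 8 ) | msg[pos + 1] );
    if ( list_end > len ) return -1;
    pos += 2;
    /* each DistinguishedName<1..2^16-1> carries its own two-byte length */
    while ( pos < list_end )
    {
        size_t dn_len;
        if ( list_end - pos < 2 ) return -1;
        dn_len = ( (size_t) msg[pos] << 8 ) | msg[pos + 1];
        pos += 2;
        if ( dn_len == 0 || dn_len > list_end - pos || out->num_ca_names == MAX_CA_NAMES ) return -1;
        out->ca_names[out->num_ca_names] = msg + pos;
        out->ca_name_lens[out->num_ca_names++] = dn_len;
        pos += dn_len;
    }
    return 0;
}
/* Constructed sample: types rsa_sign(1), dss_sign(2); two minimal DER Names. */
static const uint8_t sample_msg[] = { 0x02, 0x01, 0x02, 0x00, 0x0a,
    0x00, 0x02, 0x30, 0x00, 0x00, 0x04, 0x30, 0x02, 0x31, 0x00 };
/* Number of CA names in msg, or -1 if the message is malformed or truncated. */
int count_ca_names( const uint8_t *msg, size_t len )
{
    cert_request_t req;
    return parse_cert_request( msg, len, &req ) == 0 ? (int) req.num_ca_names : -1;
}
```

Passing the same sample with its last byte dropped makes the outer list length overrun the buffer, and the parser rejects the message instead of reading past it.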
Listing 8-30: "tls.c" tls_connect with support for certificate requests
  // Step 2. Receive the server hello response (will also have gotten
  // the server certificate along the way)
  parameters->server_hello_done = 0;
  parameters->got_certificate_request = 0;
  while ( !parameters->server_hello_done )
  {
    if ( receive_tls_msg( connection, NULL, 0, parameters ) < 0 )