Implement server support for delegated credentials.
This implements the server-side of delegated credentials, a proposed
extension for TLS:
https://tools.ietf.org/html/draft-ietf-tls-subcerts-02
Change-Id: I6a29cf1ead87b90aeca225335063aaf190a417ff
Reviewed-on: https://boringssl-review.googlesource.com/c/33666
Reviewed-by: Adam Langley <agl@google.com>
Commit-Queue: Adam Langley <agl@google.com>
diff --git a/ssl/tls13_both.cc b/ssl/tls13_both.cc
index 7674d99..eb1c15e 100644
--- a/ssl/tls13_both.cc
+++ b/ssl/tls13_both.cc
@@ -418,6 +418,7 @@
bool tls13_add_certificate(SSL_HANDSHAKE *hs) {
SSL *const ssl = hs->ssl;
CERT *const cert = hs->config->cert.get();
+ DC *const dc = cert->dc.get();
ScopedCBB cbb;
CBB *body, body_storage, certificate_list;
@@ -484,6 +485,19 @@
}
}
+ if (ssl_signing_with_dc(hs)) {
+ const CRYPTO_BUFFER *raw = dc->raw.get();
+ if (!CBB_add_u16(&extensions, TLSEXT_TYPE_delegated_credential) ||
+ !CBB_add_u16(&extensions, CRYPTO_BUFFER_len(raw)) ||
+ !CBB_add_bytes(&extensions,
+ CRYPTO_BUFFER_data(raw),
+ CRYPTO_BUFFER_len(raw)) ||
+ !CBB_flush(&extensions)) {
+ OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
+ return 0;
+ }
+ }
+
for (size_t i = 1; i < sk_CRYPTO_BUFFER_num(cert->chain.get()); i++) {
CRYPTO_BUFFER *cert_buf = sk_CRYPTO_BUFFER_value(cert->chain.get(), i);
CBB child;
