From d160b196d78d55310b274119f30d9bd5e0c44464 Mon Sep 17 00:00:00 2001 From: Armin Preiml Date: Mon, 30 Sep 2024 16:04:05 +0200 Subject: [PATCH] make it build again --- README.md | 12 ++++++------ cmd/zert/main.ha | 1 + crypto/tls/clienthandshake.ha | 5 +++-- crypto/x509/chain.ha | 3 ++- 4 files changed, 12 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index cbbb08c..09b66a9 100644 --- a/README.md +++ b/README.md @@ -44,15 +44,16 @@ make check Rough Roadmap, order may change or items will be developed in parallel: * [x] ASN1 DER support (done and and merged in upstream) - * [x] Minimal TLS 1.3 client w/o cert verification (done) - * [x] Only one cipher and key exchange method (done) - * [x] Minimal TLS 1.3 Server (done) - * [x] Initial API design (done) * [x] ECC: * [x] Curves p256, p384 and p521 (merged upstream) * [x] ECDH (merged upstream) * [x] Key generation (merged upstream) * [x] ECDSA (merged upstream) + * [x] RSA-PSS Sign/Verify (merged upstream) + * [x] Minimal TLS 1.3 client w/o cert verification (done) + * [x] Only one cipher and key exchange method (done) + * [x] Minimal TLS 1.3 Server (done) + * [x] Initial API design (done) * [ ] x509: Certificate Handling * [ ] Parsing (refactor in progress) * [ ] Verification (refactor in progress) @@ -66,9 +67,8 @@ Rough Roadmap, order may change or items will be developed in parallel: * [ ] Signature verification * [ ] Failure mode tests * [ ] Conformance tests - * [ ] RSA-PSS Sign/Verify * [ ] RSA Key generation + * [ ] DHE (TLS 1.2) * [ ] TLS 1.2 Client * [ ] TLS 1.2 Server - * [ ] Add support for required ciphers, signature methods, key exchange methods * [ ] Further add missing crypto bits targeting [Mozillas intermediate compatibility](https://wiki.mozilla.org/Security/Server_Side_TLS) diff --git a/cmd/zert/main.ha b/cmd/zert/main.ha index a18ad3a..c640661 100644 --- a/cmd/zert/main.ha +++ b/cmd/zert/main.ha @@ -167,6 +167,7 @@ fn verify(args: []str) void = { trusted = &trusted, chain = &chain, date = void,// TODO not good + keyusage = 0, // TODO }; match (x509::verify(&certs[0], &vo)) { diff --git a/crypto/tls/clienthandshake.ha b/crypto/tls/clienthandshake.ha index 61622fd..2b52a6f 100644 --- a/crypto/tls/clienthandshake.ha +++ b/crypto/tls/clienthandshake.ha @@ -434,13 +434,14 @@ fn client_parse_cert(c: *client, ms: *msgstream) (void | error) = { trusted = (c.cfg as *config).trustedca as *x509::store, chain = &chainstore, date = void, // TODO bad + keyusage = 0, // TODO bad }; match (x509::verify(&certs[0], &vo)) { case void => yield; - case => - log::println("HS | cert validation failed!"); + case let e: x509::error => + log::println("HS | cert validation failed!", x509::strerror(e)); if (!(c.cfg as *config).disable_certificate_validation) { return errors::invalid; // TODO proper error }; diff --git a/crypto/x509/chain.ha b/crypto/x509/chain.ha index 2a8f09f..16da2a2 100644 --- a/crypto/x509/chain.ha +++ b/crypto/x509/chain.ha @@ -166,7 +166,8 @@ fn verifysig(c: *cert, p: *cert, at: date::date, pathlen: size) (void | error) = match (p.keyusage) { case void => - return notca; + // TODO + void; case let ku: u16 => // printf("KU: {:x}", ku); if (ku & keyusage::KEY_CERT_SIGN == 0) { -- 2.45.2