[cl-plus-ssl-devel] SSL Client Certificates
Pixel // pinterface
pinterface at gmail.com
Tue Mar 20 23:17:24 UTC 2007
I'm working on an internal project which makes use of SSL client
certificates for authentication (probably overkill on my part, but anyway)
and rather quickly discovered cl+ssl doesn't support supplying them to a
server.
Fortunately, adding support isn't hard (see patch of cut-and-paste
proportions). That said, while this patch works for me (lightly tested via a
small patch to drakma), the additional code duplication between
make-ssl-client-stream and make-ssl-server-stream is probably not ideal.
Still, support for client certificates sure would be dandy. :)
-pinterface
--V---v----cl+ssl-client-cert.patch----v---V--
Index: streams.lisp
===================================================================
RCS file: /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp,v
retrieving revision 1.5
diff -u -r1.5 streams.lisp
--- streams.lisp 18 Nov 2006 09:52:21 -0000 1.5
+++ streams.lisp 20 Mar 2007 22:27:07 -0000
@@ -152,14 +152,28 @@
;;; interface functions
;;;
(defun make-ssl-client-stream
- (socket &key (method 'ssl-v23-method) external-format)
- "Returns an SSL stream for the client socket descriptor SOCKET."
+ (socket &key certificate key (method 'ssl-v23-method) external-format)
+ "Returns an SSL stream for the client socket descriptor SOCKET.
+CERTIFICATE is the path to a file containing the PEM-encoded certificate
for
+ your client. KEY is the path to the PEM-encoded key for the client, which
+must not be associated with a passphrase."
(ensure-initialized method)
(let ((stream (make-instance 'ssl-stream :socket socket))
(handle (ssl-new *ssl-global-context*)))
(setf (ssl-stream-handle stream) handle)
(ssl-set-bio handle (bio-new-lisp) (bio-new-lisp))
(ssl-set-connect-state handle)
+ (when key
+ (unless (eql 1 (ssl-use-rsa-privatekey-file handle
+ key
+ +ssl-filetype-pem+))
+ (error 'ssl-error-initialize :reason "Can't load RSA private key
~A")))
+ (when certificate
+ (unless (eql 1 (ssl-use-certificate-file handle
+ certificate
+ +ssl-filetype-pem+))
+ (error 'ssl-error-initialize
+ :reason "Can't load certificate ~A" certificate)))
(ensure-ssl-funcall socket handle #'ssl-connect 0.25 handle)
(if external-format
(flexi-streams:make-flexi-stream stream
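Review bot: both error paths in this hunk build their :reason incorrectly. `error` with a condition type takes its initargs as a property list, so in the certificate branch the trailing `certificate` after the format string is a dangling odd initarg rather than the argument for `~A`, and in the key branch `"Can't load RSA private key ~A"` has no argument for `~A` at all. Format the message before passing it, e.g. `:reason (format nil "Can't load RSA private key ~A" key)` and `:reason (format nil "Can't load certificate ~A" certificate)`. Two further points: the key is loaded before the certificate, which is the order in which OpenSSL is least helpful, since a key loaded first that does not match the certificate loaded afterwards is dropped quietly rather than reported, whereas loading the certificate first and the key second makes a mismatch fail at the key step; swapping the two `when` forms fixes that. And `ssl-use-rsa-privatekey-file` accepts RSA keys only, so a client with a non-RSA key gets the same "Can't load" error even though the docstring only warns about passphrases; either use a binding for OpenSSL's generic SSL_use_PrivateKey_file if cl+ssl has one, or state the RSA-only restriction in the docstring.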