[cl-plus-ssl-devel] SSL Client Certificates

Pixel // pinterface pinterface at gmail.com
Tue Mar 20 23:17:24 UTC 2007 

I'm working on an internal project which makes use of SSL client
certificates for authentication (probably overkill on my part, but anyway)
and rather quickly discovered cl+ssl doesn't support supplying them to a
server.

Fortunately, adding support isn't hard (see patch of cut-and-paste
proportions). That said, while this patch works for me (lightly tested via a
small patch to drakma), the additional code duplication between
make-ssl-client-stream and make-ssl-server-stream is probably not ideal.
Still, support for client certificates sure would be dandy. :)

-pinterface



--V---v----cl+ssl-client-cert.patch----v---V--

Index: streams.lisp
===================================================================
RCS file: /project/cl-plus-ssl/cvsroot/cl+ssl/streams.lisp,v
retrieving revision 1.5
diff -u -r1.5 streams.lisp
--- streams.lisp 18 Nov 2006 09:52:21 -0000 1.5
+++ streams.lisp 20 Mar 2007 22:27:07 -0000
@@ -152,14 +152,28 @@
 ;;; interface functions
 ;;;
 (defun make-ssl-client-stream
-    (socket &key (method 'ssl-v23-method) external-format)
-  "Returns an SSL stream for the client socket descriptor SOCKET."
+    (socket &key certificate key (method 'ssl-v23-method) external-format)
+  "Returns an SSL stream for the client socket descriptor SOCKET.
+CERTIFICATE is the path to a file containing the PEM-encoded certificate
for
+ your client. KEY is the path to the PEM-encoded key for the client, which
+must not be associated with a passphrase."
   (ensure-initialized method)
   (let ((stream (make-instance 'ssl-stream :socket socket))
         (handle (ssl-new *ssl-global-context*)))
     (setf (ssl-stream-handle stream) handle)
     (ssl-set-bio handle (bio-new-lisp) (bio-new-lisp))
     (ssl-set-connect-state handle)
+    (when key
+      (unless (eql 1 (ssl-use-rsa-privatekey-file handle
+        key
+        +ssl-filetype-pem+))
+        (error 'ssl-error-initialize :reason "Can't load RSA private key
~A")))
+    (when certificate
+      (unless (eql 1 (ssl-use-certificate-file handle
+            certificate
+            +ssl-filetype-pem+))
+        (error 'ssl-error-initialize
+        :reason "Can't load certificate ~A" certificate)))
     (ensure-ssl-funcall socket handle #'ssl-connect 0.25 handle)
     (if external-format
         (flexi-streams:make-flexi-stream stream

More information about the cl-plus-ssl-devel mailing list