Struct bearssl::br_ssl_client_certificate_class_

#[repr(C)]
pub struct br_ssl_client_certificate_class_ {
    pub context_size: usize,
    pub start_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>,
    pub start_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: usize)>,
    pub append_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const c_uchar, _: usize)>,
    pub end_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>,
    pub end_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>,
    pub choose: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const br_ssl_client_context, _: u32, _: *mut br_ssl_client_certificate)>,
    pub do_keyx: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *mut c_uchar, _: *mut usize) -> u32>,
    pub do_sign: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: c_int, _: usize, _: *mut c_uchar, _: usize) -> usize>,
}

Fields

context_size: usize

\brief Context size (in bytes).

start_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>

\brief Begin reception of a list of trust anchor names. This is called while parsing the incoming CertificateRequest.

\param pctx certificate handler context.

start_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: usize)>

\brief Begin reception of a new trust anchor name.

The total encoded name length is provided; it is less than 65535 bytes.

\param pctx certificate handler context. \param len encoded name length (in bytes).

append_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const c_uchar, _: usize)>

\brief Receive some more bytes for the current trust anchor name.

The provided reference (data) points to a transient buffer they may be reused as soon as this function returns. The chunk length (len) is never zero.

\param pctx certificate handler context. \param data anchor name chunk. \param len anchor name chunk length (in bytes).

end_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>

\brief End current trust anchor name.

This function is called when all the encoded anchor name data has been provided.

\param pctx certificate handler context.

end_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>

\brief End list of trust anchor names.

This function is called when all the anchor names in the CertificateRequest message have been obtained.

\param pctx certificate handler context.

choose: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const br_ssl_client_context, _: u32, _: *mut br_ssl_client_certificate)>

\brief Select client certificate and algorithms.

This callback function shall fill the provided choices structure with the selected algorithms and certificate chain. The hash_id, chain and chain_len fields must be set. If the client cannot or does not wish to send a certificate, then it shall set chain to NULL and chain_len to 0.

The auth_types parameter describes the authentication types, signature algorithms and hash functions that are supported by both the client context and the server, and compatible with the current protocol version. This is a bit field with the following contents:

• If RSA signatures with hash function x are supported, then bit x is set.

• If ECDSA signatures with hash function x are supported, then bit 8+x is set.

• If static ECDH is supported, with a RSA-signed certificate, then bit 16 is set.

• If static ECDH is supported, with an ECDSA-signed certificate, then bit 17 is set.

Notes:

• When using TLS 1.0 or 1.1, the hash function for RSA signatures is always the special MD5+SHA-1 (id 0), and the hash function for ECDSA signatures is always SHA-1 (id 2).

• When using TLS 1.2, the list of hash functions is trimmed down to include only hash functions that the client context can support. The actual server list can be obtained with br_ssl_client_get_server_hashes(); that list may be used to select the certificate chain to send to the server.

\param pctx certificate handler context. \param cc SSL client context. \param auth_types supported authentication types and algorithms. \param choices destination structure for the policy choices.

do_keyx: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *mut c_uchar, _: *mut usize) -> u32>

\brief Perform key exchange (client part).

This callback is invoked in case of a full static ECDH key exchange:

• the cipher suite uses ECDH_RSA or ECDH_ECDSA;

• the server requests a client certificate;

• the client has, and sends, a client certificate that uses an EC key in the same curve as the server's key, and chooses static ECDH (the hash_id field in the choice structure was set to -1).

In that situation, this callback is invoked to compute the client-side ECDH: the provided data (of length *len bytes) is the server's public key point (as decoded from its certificate), and the client shall multiply that point with its own private key, and write back the X coordinate of the resulting point in the same buffer, starting at offset 0. The *len value shall be modified to designate the actual length of the X coordinate.

The callback must uphold the following:

• If the input array does not have the proper length for an encoded curve point, then an error (0) shall be reported.

• If the input array has the proper length, then processing MUST be constant-time, even if the data is not a valid encoded point.

• This callback MUST check that the input point is valid.

Returned value is 1 on success, 0 on error.

\param pctx certificate handler context. \param data server public key point. \param len public key point length / X coordinate length. \return 1 on success, 0 on error.

do_sign: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: c_int, _: usize, _: *mut c_uchar, _: usize) -> usize>

\brief Perform a signature (client authentication).

This callback is invoked when a client certificate was sent, and static ECDH is not used. It shall compute a signature, using the client's private key, over the provided hash value (which is the hash of all previous handshake messages).

On input, the hash value to sign is in data, of size hv_len; the involved hash function is identified by hash_id. The signature shall be computed and written back into data; the total size of that buffer is len bytes.

This callback shall verify that the signature length does not exceed len bytes, and abstain from writing the signature if it does not fit.

For RSA signatures, the hash_id may be 0, in which case this is the special header-less signature specified in TLS 1.0 and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1 v1.5 signatures shall be computed.

For ECDSA signatures, the signature value shall use the ASN.1 based encoding.

Returned value is the signature length (in bytes), or 0 on error.

\param pctx certificate handler context. \param hash_id hash function identifier. \param hv_len hash value length (in bytes). \param data input/output buffer (hash value, then signature). \param len total buffer length (in bytes). \return signature length (in bytes) on success, or 0 on error.

Trait Implementations

impl Debug for br_ssl_client_certificate_class_

fn fmt(&self, __arg_0: &mut Formatter) -> Result

Formats the value using the given formatter.

impl Copy for br_ssl_client_certificate_class_

impl Clone for br_ssl_client_certificate_class_

fn clone(&self) -> br_ssl_client_certificate_class_

Returns a copy of the value.

fn clone_from(&mut self, source: &Self)

Performs copy-assignment from source.