Struct bearssl::br_ssl_client_certificate_class_
[−]
[src]
#[repr(C)]pub struct br_ssl_client_certificate_class_ { pub context_size: usize, pub start_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>, pub start_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: usize)>, pub append_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const c_uchar, _: usize)>, pub end_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>, pub end_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>, pub choose: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const br_ssl_client_context, _: u32, _: *mut br_ssl_client_certificate)>, pub do_keyx: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *mut c_uchar, _: *mut usize) -> u32>, pub do_sign: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: c_int, _: usize, _: *mut c_uchar, _: usize) -> usize>, }
Fields
context_size: usize
\brief Context size (in bytes).
start_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>
\brief Begin reception of a list of trust anchor names. This is called while parsing the incoming CertificateRequest.
\param pctx certificate handler context.
start_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: usize)>
\brief Begin reception of a new trust anchor name.
The total encoded name length is provided; it is less than 65535 bytes.
\param pctx certificate handler context. \param len encoded name length (in bytes).
append_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const c_uchar, _: usize)>
\brief Receive some more bytes for the current trust anchor name.
The provided reference (data
) points to a transient buffer
they may be reused as soon as this function returns. The chunk
length (len
) is never zero.
\param pctx certificate handler context. \param data anchor name chunk. \param len anchor name chunk length (in bytes).
end_name: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>
\brief End current trust anchor name.
This function is called when all the encoded anchor name data has been provided.
\param pctx certificate handler context.
end_name_list: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class)>
\brief End list of trust anchor names.
This function is called when all the anchor names in the CertificateRequest message have been obtained.
\param pctx certificate handler context.
choose: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *const br_ssl_client_context, _: u32, _: *mut br_ssl_client_certificate)>
\brief Select client certificate and algorithms.
This callback function shall fill the provided choices
structure with the selected algorithms and certificate chain.
The hash_id
, chain
and chain_len
fields must be set. If
the client cannot or does not wish to send a certificate,
then it shall set chain
to NULL
and chain_len
to 0.
The auth_types
parameter describes the authentication types,
signature algorithms and hash functions that are supported by
both the client context and the server, and compatible with
the current protocol version. This is a bit field with the
following contents:
If RSA signatures with hash function x are supported, then bit x is set.
If ECDSA signatures with hash function x are supported, then bit 8+x is set.
If static ECDH is supported, with a RSA-signed certificate, then bit 16 is set.
If static ECDH is supported, with an ECDSA-signed certificate, then bit 17 is set.
Notes:
When using TLS 1.0 or 1.1, the hash function for RSA signatures is always the special MD5+SHA-1 (id 0), and the hash function for ECDSA signatures is always SHA-1 (id 2).
When using TLS 1.2, the list of hash functions is trimmed down to include only hash functions that the client context can support. The actual server list can be obtained with
br_ssl_client_get_server_hashes()
; that list may be used to select the certificate chain to send to the server.
\param pctx certificate handler context. \param cc SSL client context. \param auth_types supported authentication types and algorithms. \param choices destination structure for the policy choices.
do_keyx: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: *mut c_uchar, _: *mut usize) -> u32>
\brief Perform key exchange (client part).
This callback is invoked in case of a full static ECDH key exchange:
the cipher suite uses
ECDH_RSA
orECDH_ECDSA
;the server requests a client certificate;
the client has, and sends, a client certificate that uses an EC key in the same curve as the server's key, and chooses static ECDH (the
hash_id
field in the choice structure was set to -1).
In that situation, this callback is invoked to compute the
client-side ECDH: the provided data
(of length *len
bytes)
is the server's public key point (as decoded from its
certificate), and the client shall multiply that point with
its own private key, and write back the X coordinate of the
resulting point in the same buffer, starting at offset 0.
The *len
value shall be modified to designate the actual
length of the X coordinate.
The callback must uphold the following:
If the input array does not have the proper length for an encoded curve point, then an error (0) shall be reported.
If the input array has the proper length, then processing MUST be constant-time, even if the data is not a valid encoded point.
This callback MUST check that the input point is valid.
Returned value is 1 on success, 0 on error.
\param pctx certificate handler context. \param data server public key point. \param len public key point length / X coordinate length. \return 1 on success, 0 on error.
do_sign: Option<unsafe extern "C" fn(_: *mut *const br_ssl_client_certificate_class, _: c_int, _: usize, _: *mut c_uchar, _: usize) -> usize>
\brief Perform a signature (client authentication).
This callback is invoked when a client certificate was sent, and static ECDH is not used. It shall compute a signature, using the client's private key, over the provided hash value (which is the hash of all previous handshake messages).
On input, the hash value to sign is in data
, of size
hv_len
; the involved hash function is identified by
hash_id
. The signature shall be computed and written
back into data
; the total size of that buffer is len
bytes.
This callback shall verify that the signature length does not
exceed len
bytes, and abstain from writing the signature if
it does not fit.
For RSA signatures, the hash_id
may be 0, in which case
this is the special header-less signature specified in TLS 1.0
and 1.1, with a 36-byte hash value. Otherwise, normal PKCS#1
v1.5 signatures shall be computed.
For ECDSA signatures, the signature value shall use the ASN.1 based encoding.
Returned value is the signature length (in bytes), or 0 on error.
\param pctx certificate handler context. \param hash_id hash function identifier. \param hv_len hash value length (in bytes). \param data input/output buffer (hash value, then signature). \param len total buffer length (in bytes). \return signature length (in bytes) on success, or 0 on error.
Trait Implementations
impl Debug for br_ssl_client_certificate_class_
[src]
impl Copy for br_ssl_client_certificate_class_
[src]
impl Clone for br_ssl_client_certificate_class_
[src]
fn clone(&self) -> br_ssl_client_certificate_class_
[src]
Returns a copy of the value. Read more
fn clone_from(&mut self, source: &Self)
1.0.0[src]
Performs copy-assignment from source
. Read more