extmod/modussl_mbedtls: Implement cert_reqs and cadata arguments.

Add cert_reqs and cadata keyword-args to ssl.wrap_socket() and
ssl.CERT_NONE, ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED constants to allow
certificate validation.

CPython doesn't accept cadata in ssl.wrap_socket(), but it does in
SSLContext.load_verify_locations(), so we use this name to at least match
the same name in load_verify_locations().

Add docs for these new arguments, as well as docs for the existing
server_hostname argument which is important for certificate validation.

Tests are added as well.

Signed-off-by: Carlos Gil <carlosgilglez@gmail.com>
Author: Carlosgg, 2022-01-28 04:42:46 +00:00
Committed by: Damien George
Parent: 93a17b9581
Commit: b41cfea02a
6 changed files with 258 additions and 2 deletions
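The three keyword arguments this commit documents only give a client real certificate validation when used together: cert_reqs=ssl.CERT_REQUIRED (the default CERT_NONE and CERT_OPTIONAL validate nothing on mbedtls ports), cadata holding a single DER-encoded CA certificate, and server_hostname for the hostname check and SNI. The following is an added example, not code from this commit or from the MicroPython project, showing a client that enforces all three, plus a small DER sanity check for the "only a single DER-encoded certificate" caveat. The host name "example.test" and the file "ca.der" are placeholders, and the sample byte strings are constructed, not real certificates.

```python
# Added example (not part of the commit or the MicroPython docs): a client that
# turns on certificate validation with the new keyword arguments, plus a small
# DER sanity check for the cadata caveat ("only a single DER-encoded certificate").
import socket
import ssl


def der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, index of first content byte)."""
    first = buf[pos]
    if first < 0x80:                      # short form: one byte holds the length
        return first, pos + 1
    n = first & 0x7F                      # long form: n following bytes hold the length
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    length = int.from_bytes(buf[pos + 1:pos + 1 + n], "big")
    return length, pos + 1 + n


def check_single_der_cert(cadata):
    """Return True if cadata is exactly one DER SEQUENCE (a lone certificate).

    Rejects PEM text and concatenated chains, which the docs say the mbedtls
    port does not accept as cadata.
    """
    if not isinstance(cadata, (bytes, bytearray)) or len(cadata) < 2:
        return False
    if cadata[:1] == b"-":                # "-----BEGIN CERTIFICATE-----": PEM, not DER
        return False
    if cadata[0] != 0x30:                 # every X.509 certificate starts with a SEQUENCE tag
        return False
    try:
        length, start = der_length(cadata, 1)
    except ValueError:
        return False
    return start + length == len(cadata) # no trailing bytes: exactly one certificate


def verified_kwargs(cadata, hostname):
    """Keyword arguments for ssl.wrap_socket() that actually enforce validation.

    CERT_NONE/CERT_OPTIONAL skip validation on mbedtls ports, so only
    CERT_REQUIRED is useful here; server_hostname enables the hostname check and SNI.
    """
    if not check_single_der_cert(cadata):
        raise ValueError("cadata must be a single DER-encoded CA certificate")
    if not hostname:
        raise ValueError("server_hostname is required for a verified client connection")
    return {"cert_reqs": ssl.CERT_REQUIRED, "cadata": cadata, "server_hostname": hostname}


def connect_verified(host, port, ca_der):
    """Open a TLS connection that fails unless the server chains to ca_der (MicroPython API)."""
    addr = socket.getaddrinfo(host, port)[0][-1]
    s = socket.socket()
    s.connect(addr)
    # On MicroPython this wraps the raw stream; the handshake raises on a
    # certificate or hostname mismatch, so an unverified connection never returns.
    return ssl.wrap_socket(s, **verified_kwargs(ca_der, host))


# Constructed sample: a minimal DER SEQUENCE with a long-form length, not a real cert.
SAMPLE_DER = b"\x30\x82\x00\x03\x02\x01\x05"
# Constructed: the same bytes twice look like a two-certificate chain and must be rejected.
SAMPLE_CHAIN = SAMPLE_DER * 2
# Constructed: PEM text is rejected too; only DER bytes are accepted as cadata.
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\n..."

if __name__ == "__main__":
    # Placeholders: replace with a real host and the DER bytes of its issuing CA.
    ca = open("ca.der", "rb").read()
    tls = connect_verified("example.test", 443, ca)
    tls.write(b"GET / HTTP/1.0\r\n\r\n")
    print(tls.read(64))
```

The DER check is deliberately strict: a PEM file or a concatenated bundle passed as cadata would not be understood by the port, so rejecting it locally gives a clear error instead of a failed or, worse, silently unverified handshake.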


@@ -13,7 +13,7 @@ facilities for network sockets, both client-side and server-side.
Functions
---------
.. function:: ssl.wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, ca_certs=None, do_handshake=True)
.. function:: ssl.wrap_socket(sock, server_side=False, keyfile=None, certfile=None, cert_reqs=CERT_NONE, cadata=None, server_hostname=None, do_handshake=True)
Takes a `stream` *sock* (usually socket.socket instance of ``SOCK_STREAM`` type),
and returns an instance of ssl.SSLSocket, which wraps the underlying stream in
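Review bot: the new signature line silently drops `ca_certs=None` in favour of `cadata=None`, and neither the commit message nor this docs hunk mentions that the old name is gone, so readers of the previous signature get no hint that callers passing `ca_certs` must change. Suggest adding one sentence here (or in the commit message) stating that `ca_certs` was replaced by `cadata`, with the reason the commit message already gives (matching `SSLContext.load_verify_locations()` in CPython).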
@@ -31,6 +31,17 @@ Functions
until it completes. Note that in AXTLS the handshake can be deferred until the first
read or write but it then blocks until completion.
- *cert_reqs* determines whether the peer (server or client) must present a valid certificate.
Note that for mbedtls based ports, ``ssl.CERT_NONE`` and ``ssl.CERT_OPTIONAL`` will not
validate any certificate, only ``ssl.CERT_REQUIRED`` will.
- *cadata* is a bytes object containing the CA certificate chain (in DER format) that will
validate the peer's certificate. Currently only a single DER-encoded certificate is supported.
- *server_hostname* is for use as a client, and sets the hostname to check against the received
server certificate. It also sets the name for Server Name Indication (SNI), allowing the server
to present the proper certificate.
Depending on the underlying module implementation in a particular
:term:`MicroPython port`, some or all keyword arguments above may be not supported.
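Review bot: with `cert_reqs=CERT_NONE` as the default in the signature and the note that `CERT_NONE`/`CERT_OPTIONAL` validate nothing on mbedtls, the docs never state plainly that a client gets no certificate verification at all unless it passes `cert_reqs=ssl.CERT_REQUIRED` together with `cadata` and `server_hostname`; suggest one sentence to that effect under *cert_reqs*, since the *server_hostname* bullet currently reads as if the hostname check happens on its own. The *cadata* bullet also contradicts itself, first saying "CA certificate chain" and then "only a single DER-encoded certificate is supported"; say "a single DER-encoded CA certificate" and drop "chain". Minor, in the unchanged context line: "may be not supported" should read "may not be supported".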