client cert support by pixel

2007-07-07 15:26:13 +00:00 · 2007-07-07 15:26:13 +00:00 · 3a54386160
parent 78eea24562
commit 3a54386160
2 changed files with 22 additions and 5 deletions
--- a/index.html
+++ b/index.html
@ -19,8 +19,8 @@
    <p>
      2007-07-07: Improved clisp support, thanks
      to <a
-      href="http://web.kepibu.org/code/lisp/cl+ssl/#faster-clisp">Pixel
-      // pinterface</a>.
+      href="http://web.kepibu.org/code/lisp/cl+ssl/">Pixel
+      // pinterface</a>, as well as client certificate support.
    </p>
    <p>
      2007-01-16: CL+SSL is now available under an MIT-style license.
@ -118,10 +118,13 @@ $ cvs co trivial-https</pre>

    <h3>API functions</h3>
    <p>
-      <div class="def">Function CL+SSL:MAKE-SSL-CLIENT-STREAM (stream &key external-format)</div>
+      <div class="def">Function CL+SSL:MAKE-SSL-CLIENT-STREAM (stream &key external-format certificate key)</div>
      Return an SSL stream for the client socket <tt>stream</tt>.
      All reads and writes to this SSL stream will be pushed through the
      SSL connection can be closed using the standard <tt>close</tt> function.
+      <tt>certificate</tt> is the path to a file containing the PEM-encoded
+      certificate for your client. <tt>key</tt> is the path to the PEM-encoded
+      key for the client, which must not be associated with a passphrase.
    </p>
    <p>
      If <tt>external-format</tt> is <tt>nil</tt> (the default), a plain
--- a/streams.lisp
+++ b/streams.lisp
@ -151,14 +151,28 @@
 ;;; interface functions
 ;;;
 (defun make-ssl-client-stream
-    (socket &key (method 'ssl-v23-method) external-format)
-  "Returns an SSL stream for the client socket descriptor SOCKET."
+    (socket &key certificate key (method 'ssl-v23-method) external-format)
+  "Returns an SSL stream for the client socket descriptor SOCKET.
+CERTIFICATE is the path to a file containing the PEM-encoded certificate for
+ your client. KEY is the path to the PEM-encoded key for the client, which
+must not be associated with a passphrase."
  (ensure-initialized method)
  (let ((stream (make-instance 'ssl-stream :socket socket))
        (handle (ssl-new *ssl-global-context*)))
    (setf (ssl-stream-handle stream) handle)
    (ssl-set-bio handle (bio-new-lisp) (bio-new-lisp))
    (ssl-set-connect-state handle)
+    (when key
+      (unless (eql 1 (ssl-use-rsa-privatekey-file handle
+						  key
+						  +ssl-filetype-pem+))
+        (error 'ssl-error-initialize :reason "Can't load RSA private key ~A")))
+    (when certificate
+      (unless (eql 1 (ssl-use-certificate-file handle
+					       certificate
+					       +ssl-filetype-pem+))
+        (error 'ssl-error-initialize
+	       :reason "Can't load certificate ~A" certificate)))
    (ensure-ssl-funcall socket handle #'ssl-connect 0.25 handle)
    (if external-format
        (flexi-streams:make-flexi-stream stream