summary refs log tree commit diff
diff options
context:
space:
mode:
authorPeter Dettman <peter.dettman@bouncycastle.org>2022-05-05 12:18:55 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2022-05-05 12:18:55 +0700
commit54bd89aa9a92754cdd95bdd7387751b64f76ed30 (patch)
treedef76c15c3c30e1a7eb647600257647fbe741abd
parentFollowup fix for PSS changes (diff)
downloadBouncyCastle.NET-ed25519-54bd89aa9a92754cdd95bdd7387751b64f76ed30.tar.xz
Refactor client cert type checks
Diffstat
-rw-r--r--crypto/src/tls/TlsUtilities.cs36


1 files changed, 17 insertions, 19 deletions
diff --git a/crypto/src/tls/TlsUtilities.cs b/crypto/src/tls/TlsUtilities.cs
index df098e20b..8e5b02216 100644
--- a/crypto/src/tls/TlsUtilities.cs
+++ b/crypto/src/tls/TlsUtilities.cs
@@ -2224,22 +2224,17 @@ namespace Org.BouncyCastle.Tls
             {
                 signatureAlgorithm = verifyingCert.GetLegacySignatureAlgorithm();
 
-                short clientCertType = GetLegacyClientCertType(signatureAlgorithm);
-                if (clientCertType < 0 || !Arrays.Contains(certificateRequest.CertificateTypes, clientCertType))
-                    throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
+                CheckClientCertificateType(certificateRequest, GetLegacyClientCertType(signatureAlgorithm),
+                    AlertDescription.unsupported_certificate);
             }
             else
             {
-                signatureAlgorithm = sigAndHashAlg.Signature;
+                VerifySupportedSignatureAlgorithm(securityParameters.ServerSigAlgs, sigAndHashAlg);
 
-                // TODO Is it possible (maybe only pre-1.2 to check this immediately when the Certificate arrives?
-                if (!IsValidSignatureAlgorithmForCertificateVerify(signatureAlgorithm,
-                    certificateRequest.CertificateTypes))
-                {
-                    throw new TlsFatalAlert(AlertDescription.illegal_parameter);
-                }
+                signatureAlgorithm = sigAndHashAlg.Signature;
 
-                VerifySupportedSignatureAlgorithm(securityParameters.ServerSigAlgs, sigAndHashAlg);
+                CheckClientCertificateType(certificateRequest,
+                    SignatureAlgorithm.GetClientCertificateType(signatureAlgorithm), AlertDescription.illegal_parameter);
             }
 
             // Verify the CertificateVerify message contains a correct signature.
@@ -3896,14 +3891,6 @@ namespace Org.BouncyCastle.Tls
                 && NamedGroup.CanBeNegotiated(keyShareGroup, negotiatedVersion);
         }
 
-        internal static bool IsValidSignatureAlgorithmForCertificateVerify(short signatureAlgorithm,
-            short[] clientCertificateTypes)
-        {
-            short clientCertificateType = SignatureAlgorithm.GetClientCertificateType(signatureAlgorithm);
-
-            return clientCertificateType >= 0 &&  Arrays.Contains(clientCertificateTypes, clientCertificateType);
-        }
-
         internal static bool IsValidSignatureAlgorithmForServerKeyExchange(short signatureAlgorithm,
             int keyExchangeAlgorithm)
         {
@@ -4801,6 +4788,17 @@ namespace Org.BouncyCastle.Tls
             return (TlsCredentialedSigner)credentials;
         }
 
+        /// <exception cref="IOException"/>
+        private static void CheckClientCertificateType(CertificateRequest certificateRequest,
+            short clientCertificateType, short alertDescription)
+        {
+            if (clientCertificateType < 0
+                || !Arrays.Contains(certificateRequest.CertificateTypes, clientCertificateType))
+            {
+                throw new TlsFatalAlert(alertDescription);
+            }
+        }
+
         private static void CheckDowngradeMarker(byte[] randomBlock, byte[] downgradeMarker)
         {
             int len = downgradeMarker.Length;

 

generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-09-19 22:25:38 +0000