author | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-09-24 18:09:39 +0700 |
---|---|---|
committer | Peter Dettman <peter.dettman@bouncycastle.org> | 2022-09-24 18:09:39 +0700 |
commit | ed081e3fe9634391ac496bd79193a7d00dfa6f07 (patch) | |
tree | ecc1382c5f3f9a17c6b21ebf8026076f6a32f15f /crypto/src/tls/AbstractTlsServer.cs | |
parent | Cmp updates (diff) | |
download | BouncyCastle.NET-ed25519-ed081e3fe9634391ac496bd79193a7d00dfa6f07.tar.xz |
(D)TLS: RFC 7250 Raw Public Keys
Diffstat (limited to 'crypto/src/tls/AbstractTlsServer.cs')
-rw-r--r-- | crypto/src/tls/AbstractTlsServer.cs | 70 |
1 files changed, 70 insertions, 0 deletions
diff --git a/crypto/src/tls/AbstractTlsServer.cs b/crypto/src/tls/AbstractTlsServer.cs
index a41bc4710..3c62793b6 100644
--- a/crypto/src/tls/AbstractTlsServer.cs
+++ b/crypto/src/tls/AbstractTlsServer.cs
@@ -207,6 +207,16 @@ namespace Org.BouncyCastle.Tls
 return true;
 }
 
+ protected virtual bool PreferLocalClientCertificateTypes()
+ {
+ return false;
+ }
+
+ protected virtual short[] GetAllowedClientCertificateTypes()
+ {
+ return null;
+ }
+
 public virtual void Init(TlsServerContext context)
 {
 this.m_context = context;
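Review bot: The two hooks inserted after `return true; }` carry no XML documentation, and what a `null` return from `GetAllowedClientCertificateTypes` means is only discoverable from the other hunk of this commit. I would add `/// <summary>CertificateType values this server will accept for client certificates (RFC 7250); null means the client_certificate_type extension is ignored (outcome 1, X.509 only).</summary>` above the array-returning hook, and `/// <summary>When true, the server's ordering of allowed types takes precedence over the client's when a client certificate type is selected.</summary>` above the bool. It is also worth saying in that summary that listing a raw-public-key type commits the implementation to authenticating a client's bare SubjectPublicKeyInfo by some out-of-band means, since no chain will be available to validate. `Init` continues past the end of the hunk.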
@@ -491,6 +501,66 @@ namespace Org.BouncyCastle.Tls
 TlsExtensionsUtilities.AddMaxFragmentLengthExtension(m_serverExtensions, m_maxFragmentLengthOffered);
 }
 
+ // RFC 7250 4.2 for server_certificate_type
+ short[] serverCertTypes = TlsExtensionsUtilities.GetServerCertificateTypeExtensionClient(
+ m_clientExtensions);
+ if (serverCertTypes != null)
+ {
+ TlsCredentials credentials = GetCredentials();
+
+ if (credentials == null || !Arrays.Contains(serverCertTypes, credentials.Certificate.CertificateType))
+ {
+ // outcome 2: we support the extension but have no common types
+ throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
+ }
+
+ // outcome 3: we support the extension and have a common type
+ TlsExtensionsUtilities.AddServerCertificateTypeExtensionServer(m_serverExtensions,
+ credentials.Certificate.CertificateType);
+ }
+
+ // RFC 7250 4.2 for client_certificate_type
+ short[] remoteClientCertTypes = TlsExtensionsUtilities.GetClientCertificateTypeExtensionClient(
+ m_clientExtensions);
+ if (remoteClientCertTypes != null)
+ {
+ short[] localClientCertTypes = GetAllowedClientCertificateTypes();
+ if (localClientCertTypes != null)
+ {
+ short[] preferredTypes;
+ short[] nonPreferredTypes;
+ if (PreferLocalClientCertificateTypes())
+ {
+ preferredTypes = localClientCertTypes;
+ nonPreferredTypes = remoteClientCertTypes;
+ }
+ else
+ {
+ preferredTypes = remoteClientCertTypes;
+ nonPreferredTypes = localClientCertTypes;
+ }
+
+ short selectedType = -1;
+ for (int i = 0; i < preferredTypes.Length; i++)
+ {
+ if (Arrays.Contains(nonPreferredTypes, preferredTypes[i]))
+ {
+ selectedType = preferredTypes[i];
+ break;
+ }
+ }
+
+ if (selectedType == -1)
+ {
+ // outcome 2: we support the extension but have no common types
+ throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
+ }
+
+ // outcome 3: we support the extension and have a common type
+ TlsExtensionsUtilities.AddClientCertificateTypeExtensionServer(m_serverExtensions, selectedType);
+ } // else outcome 1: we don't support the extension
+ }
+
 return m_serverExtensions;
 }
 
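Review bot: The client_certificate_type branch puts the extension into the ServerHello whenever a common type is found, without regard to whether this server will later send a CertificateRequest; RFC 7250 §4.2 requires the server's client_certificate_type extension to be omitted when no certificate_request follows, and as I read that section it also favours omission over the fatal alert when the client's offered types simply don't match the server's, so the `unsupported_certificate` on the client-side mismatch may be stricter than needed. Since the request decision is made elsewhere and is not visible here, the least that belongs at `short[] localClientCertTypes = GetAllowedClientCertificateTypes();` is a comment such as `// RFC 7250 4.2: overrides must return null when no CertificateRequest will be sent, otherwise this extension is sent without one.` Separately, `credentials.Certificate.CertificateType` is evaluated with only `credentials` null-checked; if `TlsCredentials.Certificate` can be null for any credential kind, a client offering server_certificate_type would trigger a NullReferenceException rather than a TLS alert — confirm against the interface. The enclosing method begins before this hunk.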