Refactoring around TlsEncryptor

8 files changed, 39 insertions, 28 deletions

diff --git a/crypto/src/tls/TlsRsaUtilities.cs b/crypto/src/tls/TlsRsaUtilities.cs

index d520d3ea2..065279528 100644
--- a/crypto/src/tls/TlsRsaUtilities.cs
+++ b/crypto/src/tls/TlsRsaUtilities.cs
@@ -5,7 +5,7 @@ using Org.BouncyCastle.Tls.Crypto;
 
 namespace Org.BouncyCastle.Tls
 {
-    /// <summary>RSA Utility methods.</summary>
+    /// <summary>RSA utility methods.</summary>
     public abstract class TlsRsaUtilities
     {
         /// <summary>Generate a pre_master_secret and send it encrypted to the server.</summary>
@@ -15,7 +15,9 @@ namespace Org.BouncyCastle.Tls
         {
             TlsSecret preMasterSecret = context.Crypto.GenerateRsaPreMasterSecret(context.RsaPreMasterSecretVersion);
 
-            byte[] encryptedPreMasterSecret = preMasterSecret.Encrypt(certificate);
+            TlsEncryptor encryptor = certificate.CreateEncryptor(TlsCertificateRole.RsaEncryption);
+
+            byte[] encryptedPreMasterSecret = preMasterSecret.Encrypt(encryptor);
             TlsUtilities.WriteEncryptedPms(context, encryptedPreMasterSecret, output);
 
             return preMasterSecret;
diff --git a/crypto/src/tls/crypto/TlsCertificate.cs b/crypto/src/tls/crypto/TlsCertificate.cs

index 7bd8e0359..b9efe37b3 100644
--- a/crypto/src/tls/crypto/TlsCertificate.cs
+++ b/crypto/src/tls/crypto/TlsCertificate.cs
@@ -9,6 +9,12 @@ namespace Org.BouncyCastle.Tls.Crypto
     /// <summary>Interface providing the functional representation of a single X.509 certificate.</summary>
     public interface TlsCertificate
     {
+        /// <summary>Return an encryptor based on the public key in this certificate.</summary>
+        /// <param name="tlsCertificateRole"><see cref="TlsCertificateRole"/></param>
+        /// <returns>a <see cref="TlsEncryptor"/> based on this certificate's public key.</returns>
+        /// <exception cref="IOException"/>
+        TlsEncryptor CreateEncryptor(int tlsCertificateRole);
+
         /// <param name="signatureAlgorithm"><see cref="SignatureAlgorithm"/></param>
         /// <exception cref="IOException"/>
         TlsVerifier CreateVerifier(short signatureAlgorithm);
diff --git a/crypto/src/tls/crypto/impl/TlsEncryptor.cs b/crypto/src/tls/crypto/TlsEncryptor.cs

index 6e4ef0c44..53f1973fd 100644
--- a/crypto/src/tls/crypto/impl/TlsEncryptor.cs
+++ b/crypto/src/tls/crypto/TlsEncryptor.cs
@@ -1,9 +1,9 @@
 using System;
 using System.IO;
 
-namespace Org.BouncyCastle.Tls.Crypto.Impl
+namespace Org.BouncyCastle.Tls.Crypto
 {
-    /// <summary>Base interface for an encryptor based on a public key.</summary>
+    /// <summary>Base interface for an encryptor.</summary>
     public interface TlsEncryptor
     {
         /// <summary>Encrypt data from the passed in input array.</summary>
diff --git a/crypto/src/tls/crypto/TlsSecret.cs b/crypto/src/tls/crypto/TlsSecret.cs

index 9b092fc40..0499d37c3 100644
--- a/crypto/src/tls/crypto/TlsSecret.cs
+++ b/crypto/src/tls/crypto/TlsSecret.cs
@@ -23,11 +23,10 @@ namespace Org.BouncyCastle.Tls.Crypto
         void Destroy();
 
         /// <summary>Return an encrypted copy of the data this secret is based on.</summary>
-        /// <param name="certificate">the certificate containing the public key to use for protecting the internal
-        /// data.</param>
+        /// <param name="encryptor">the encryptor to use for protecting the internal data.</param>
         /// <returns>an encrypted copy of this secret's internal data.</returns>
         /// <exception cref="IOException"/>
-        byte[] Encrypt(TlsCertificate certificate);
+        byte[] Encrypt(TlsEncryptor encryptor);
 
         /// <summary>Return the internal data from this secret.</summary>
         /// <remarks>
diff --git a/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs b/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs

index f0b2b03f6..0a634fffe 100644
--- a/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
+++ b/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
@@ -80,11 +80,5 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl
         public abstract TlsSrp6VerifierGenerator CreateSrp6VerifierGenerator(TlsSrpConfig srpConfig);
 
         public abstract TlsSecret HkdfInit(int cryptoHashAlgorithm);
-
-        /// <summary>Return an encryptor based on the public key in certificate.</summary>
-        /// <param name="certificate">the certificate carrying the public key.</param>
-        /// <returns>a <see cref="TlsEncryptor"/> based on the certificate's public key.</returns>
-        /// <exception cref="IOException"/>
-        public abstract TlsEncryptor CreateEncryptor(TlsCertificate certificate);
     }
 }
diff --git a/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs b/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs

index 634b86732..e8298193f 100644
--- a/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs
+++ b/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs
@@ -42,13 +42,13 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl
         }
 
         /// <exception cref="IOException"/>
-        public virtual byte[] Encrypt(TlsCertificate certificate)
+        public virtual byte[] Encrypt(TlsEncryptor encryptor)
         {
             lock (this)
             {
                 CheckAlive();
 
-                return Crypto.CreateEncryptor(certificate).Encrypt(m_data, 0, m_data.Length);
+                return encryptor.Encrypt(m_data, 0, m_data.Length);
             }
         }
 
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs b/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs

index e1243087d..2f331a166 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
@@ -59,6 +59,29 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
         }
 
         /// <exception cref="IOException"/>
+        public virtual TlsEncryptor CreateEncryptor(int tlsCertificateRole)
+        {
+            ValidateKeyUsage(KeyUsage.KeyEncipherment);
+
+            switch (tlsCertificateRole)
+            {
+            case TlsCertificateRole.RsaEncryption:
+            {
+                this.m_pubKeyRsa = GetPubKeyRsa();
+                return new BcTlsRsaEncryptor(m_crypto, m_pubKeyRsa);
+            }
+            // TODO[gmssl]
+            //case TlsCertificateRole.Sm2Encryption:
+            //{
+            //    this.m_pubKeyEC = GetPubKeyEC();
+            //    return new BcTlsSM2Encryptor(m_crypto, m_pubKeyEC);
+            //}
+            }
+
+            throw new TlsFatalAlert(AlertDescription.certificate_unknown);
+        }
+
+        /// <exception cref="IOException"/>
         public virtual TlsVerifier CreateVerifier(short signatureAlgorithm)
         {
             switch (signatureAlgorithm)
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs b/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs

index aa9985ed9..69e353bae 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
@@ -1,11 +1,8 @@
 using System;
-using System.IO;
 
-using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Agreement.Srp;
 using Org.BouncyCastle.Crypto.Digests;
-using Org.BouncyCastle.Crypto.Encodings;
 using Org.BouncyCastle.Crypto.Engines;
 using Org.BouncyCastle.Crypto.Macs;
 using Org.BouncyCastle.Crypto.Modes;
@@ -140,16 +137,6 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             }
         }
 
-        public override TlsEncryptor CreateEncryptor(TlsCertificate certificate)
-        {
-            BcTlsCertificate bcCert = BcTlsCertificate.Convert(this, certificate);
-            bcCert.ValidateKeyUsage(KeyUsage.KeyEncipherment);
-
-            RsaKeyParameters pubKeyRsa = bcCert.GetPubKeyRsa();
-
-            return new BcTlsRsaEncryptor(this, pubKeyRsa);
-        }
-
         public override TlsNonceGenerator CreateNonceGenerator(byte[] additionalSeedMaterial)
         {
             IDigest digest = CreateDigest(CryptoHashAlgorithm.sha256);