From 54bd89aa9a92754cdd95bdd7387751b64f76ed30 Mon Sep 17 00:00:00 2001
From: Peter Dettman
Date: Thu, 5 May 2022 12:18:55 +0700
Subject: Refactor client cert type checks
---
 crypto/src/tls/TlsUtilities.cs | 36 +++++++++++++++++-------------------
 1 file changed, 17 insertions(+), 19 deletions(-)
diff --git a/crypto/src/tls/TlsUtilities.cs b/crypto/src/tls/TlsUtilities.cs
index df098e20b..8e5b02216 100644
--- a/crypto/src/tls/TlsUtilities.cs
+++ b/crypto/src/tls/TlsUtilities.cs
@@ -2224,22 +2224,17 @@ namespace Org.BouncyCastle.Tls
 {
 signatureAlgorithm = verifyingCert.GetLegacySignatureAlgorithm();
- short clientCertType = GetLegacyClientCertType(signatureAlgorithm);
- if (clientCertType < 0 || !Arrays.Contains(certificateRequest.CertificateTypes, clientCertType))
- throw new TlsFatalAlert(AlertDescription.unsupported_certificate);
+ CheckClientCertificateType(certificateRequest, GetLegacyClientCertType(signatureAlgorithm),
+ AlertDescription.unsupported_certificate);
 }
 else
 {
- signatureAlgorithm = sigAndHashAlg.Signature;
+ VerifySupportedSignatureAlgorithm(securityParameters.ServerSigAlgs, sigAndHashAlg);
- // TODO Is it possible (maybe only pre-1.2 to check this immediately when the Certificate arrives?
- if (!IsValidSignatureAlgorithmForCertificateVerify(signatureAlgorithm,
- certificateRequest.CertificateTypes))
- {
- throw new TlsFatalAlert(AlertDescription.illegal_parameter);
- }
+ signatureAlgorithm = sigAndHashAlg.Signature;
- VerifySupportedSignatureAlgorithm(securityParameters.ServerSigAlgs, sigAndHashAlg);
+ CheckClientCertificateType(certificateRequest,
+ SignatureAlgorithm.GetClientCertificateType(signatureAlgorithm), AlertDescription.illegal_parameter);
 }
 // Verify the CertificateVerify message contains a correct signature.
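Review bot: In the `else` branch this commit, titled a refactor, also moves `VerifySupportedSignatureAlgorithm(securityParameters.ServerSigAlgs, sigAndHashAlg)` ahead of the certificate-type check, so a CertificateVerify whose algorithm fails both checks no longer reports `illegal_parameter` but whatever that verifier throws (not visible here). If the new precedence is intended, record it in the commit message or with a comment above the call such as `// Reject algorithms we did not offer before mapping to a client certificate type.` The removed TODO about performing this check when the Certificate arrives is dropped without being resolved; consider carrying it over to the new `CheckClientCertificateType` call. The enclosing method starts and ends outside the hunk.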
@@ -3896,14 +3891,6 @@ namespace Org.BouncyCastle.Tls
 && NamedGroup.CanBeNegotiated(keyShareGroup, negotiatedVersion);
 }
- internal static bool IsValidSignatureAlgorithmForCertificateVerify(short signatureAlgorithm,
- short[] clientCertificateTypes)
- {
- short clientCertificateType = SignatureAlgorithm.GetClientCertificateType(signatureAlgorithm);
-
- return clientCertificateType >= 0 && Arrays.Contains(clientCertificateTypes, clientCertificateType);
- }
-
 internal static bool IsValidSignatureAlgorithmForServerKeyExchange(short signatureAlgorithm,
 int keyExchangeAlgorithm)
 {
@@ -4801,6 +4788,17 @@ namespace Org.BouncyCastle.Tls
 return (TlsCredentialedSigner)credentials;
 }
+ ///
+ private static void CheckClientCertificateType(CertificateRequest certificateRequest,
+ short clientCertificateType, short alertDescription)
+ {
+ if (clientCertificateType < 0
+ || !Arrays.Contains(certificateRequest.CertificateTypes, clientCertificateType))
+ {
+ throw new TlsFatalAlert(alertDescription);
+ }
+ }
+
 private static void CheckDowngradeMarker(byte[] randomBlock, byte[] downgradeMarker)
 {
 int len = downgradeMarker.Length;
--
cgit 1.4.1
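Review bot: The new `CheckClientCertificateType` helper in the third hunk (`@@ -4801,6 +4788,17 @@`) has only an empty `///` line on this page, so its contract is undocumented; the tag may simply have been lost in rendering. A summary along the lines of `/// <summary>Throws a TlsFatalAlert with the given description unless clientCertificateType is non-negative and listed in certificateRequest.CertificateTypes.</summary>` would make clear that a negative value means "no matching client certificate type" and is always rejected. The helper reads `certificateRequest.CertificateTypes` with no null guard, as the inlined code it replaces did. Whether that array can be null on these call paths is not visible here, but if it can, the peer would see a generic failure rather than the intended TLS alert.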