From 7abd4af6873142092f5f38f93888a73c0a1bd17a Mon Sep 17 00:00:00 2001
From: Peter Dettman <peter.dettman@bouncycastle.org>
Date: Wed, 14 Jul 2021 23:45:24 +0700
Subject: Avoid redundant CheckUsageInRole calls

---
 crypto/BouncyCastle.Android.csproj                |  1 -
 crypto/BouncyCastle.csproj                        |  1 -
 crypto/BouncyCastle.iOS.csproj                    |  1 -
 crypto/crypto.csproj                              |  5 -----
 crypto/src/tls/TlsDHKeyExchange.cs                |  6 ++----
 crypto/src/tls/TlsECDHKeyExchange.cs              |  4 ++--
 crypto/src/tls/TlsPskKeyExchange.cs               |  8 +++----
 crypto/src/tls/TlsRsaKeyExchange.cs               |  6 +++---
 crypto/src/tls/TlsRsaUtilities.cs                 | 26 -----------------------
 crypto/src/tls/TlsUtilities.cs                    | 12 +++++++++++
 crypto/src/tls/crypto/TlsCertificate.cs           |  3 +--
 crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs | 21 +-----------------
 12 files changed, 25 insertions(+), 69 deletions(-)
 delete mode 100644 crypto/src/tls/TlsRsaUtilities.cs

diff --git a/crypto/BouncyCastle.Android.csproj b/crypto/BouncyCastle.Android.csproj
index f8d4fa890..043cd2b27 100644
--- a/crypto/BouncyCastle.Android.csproj
+++ b/crypto/BouncyCastle.Android.csproj
@@ -1803,7 +1803,6 @@
     <Compile Include="src\tls\TlsPskIdentityManager.cs" />
     <Compile Include="src\tls\TlsPskKeyExchange.cs" />
     <Compile Include="src\tls\TlsRsaKeyExchange.cs" />
-    <Compile Include="src\tls\TlsRsaUtilities.cs" />
     <Compile Include="src\tls\TlsServer.cs" />
     <Compile Include="src\tls\TlsServerCertificate.cs" />
     <Compile Include="src\tls\TlsServerCertificateImpl.cs" />
diff --git a/crypto/BouncyCastle.csproj b/crypto/BouncyCastle.csproj
index 90c686996..8f93f8013 100644
--- a/crypto/BouncyCastle.csproj
+++ b/crypto/BouncyCastle.csproj
@@ -1797,7 +1797,6 @@
     <Compile Include="src\tls\TlsPskIdentityManager.cs" />
     <Compile Include="src\tls\TlsPskKeyExchange.cs" />
     <Compile Include="src\tls\TlsRsaKeyExchange.cs" />
-    <Compile Include="src\tls\TlsRsaUtilities.cs" />
     <Compile Include="src\tls\TlsServer.cs" />
     <Compile Include="src\tls\TlsServerCertificate.cs" />
     <Compile Include="src\tls\TlsServerCertificateImpl.cs" />
diff --git a/crypto/BouncyCastle.iOS.csproj b/crypto/BouncyCastle.iOS.csproj
index 70e241004..6417b95b0 100644
--- a/crypto/BouncyCastle.iOS.csproj
+++ b/crypto/BouncyCastle.iOS.csproj
@@ -1798,7 +1798,6 @@
     <Compile Include="src\tls\TlsPskIdentityManager.cs" />
     <Compile Include="src\tls\TlsPskKeyExchange.cs" />
     <Compile Include="src\tls\TlsRsaKeyExchange.cs" />
-    <Compile Include="src\tls\TlsRsaUtilities.cs" />
     <Compile Include="src\tls\TlsServer.cs" />
     <Compile Include="src\tls\TlsServerCertificate.cs" />
     <Compile Include="src\tls\TlsServerCertificateImpl.cs" />
diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj
index 62d523e33..0e9884ab2 100644
--- a/crypto/crypto.csproj
+++ b/crypto/crypto.csproj
@@ -8873,11 +8873,6 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
-                <File
-                    RelPath = "src\tls\TlsRsaUtilities.cs"
-                    SubType = "Code"
-                    BuildAction = "Compile"
-                />
                 <File
                     RelPath = "src\tls\TlsServer.cs"
                     SubType = "Code"
diff --git a/crypto/src/tls/TlsDHKeyExchange.cs b/crypto/src/tls/TlsDHKeyExchange.cs
index a00ed67b7..abce91faf 100644
--- a/crypto/src/tls/TlsDHKeyExchange.cs
+++ b/crypto/src/tls/TlsDHKeyExchange.cs
@@ -41,8 +41,7 @@ namespace Org.BouncyCastle.Tls
 
         public override void ProcessServerCertificate(Certificate serverCertificate)
         {
-            this.m_dhPeerCertificate = serverCertificate.GetCertificateAt(0).CheckUsageInRole(ConnectionEnd.server,
-                TlsCertificateRole.DH);
+            this.m_dhPeerCertificate = serverCertificate.GetCertificateAt(0).CheckUsageInRole(TlsCertificateRole.DH);
         }
 
         public override short[] GetClientCertificateTypes()
@@ -71,8 +70,7 @@ namespace Org.BouncyCastle.Tls
 
         public override void ProcessClientCertificate(Certificate clientCertificate)
         {
-            this.m_dhPeerCertificate = clientCertificate.GetCertificateAt(0).CheckUsageInRole(ConnectionEnd.client,
-                TlsCertificateRole.DH);
+            this.m_dhPeerCertificate = clientCertificate.GetCertificateAt(0).CheckUsageInRole(TlsCertificateRole.DH);
         }
 
         public override void ProcessClientKeyExchange(Stream input)
diff --git a/crypto/src/tls/TlsECDHKeyExchange.cs b/crypto/src/tls/TlsECDHKeyExchange.cs
index 45e83f8ad..e7e2981d5 100644
--- a/crypto/src/tls/TlsECDHKeyExchange.cs
+++ b/crypto/src/tls/TlsECDHKeyExchange.cs
@@ -41,7 +41,7 @@ namespace Org.BouncyCastle.Tls
 
         public override void ProcessServerCertificate(Certificate serverCertificate)
         {
-            this.m_ecdhPeerCertificate = serverCertificate.GetCertificateAt(0).CheckUsageInRole(ConnectionEnd.server,
+            this.m_ecdhPeerCertificate = serverCertificate.GetCertificateAt(0).CheckUsageInRole(
                 TlsCertificateRole.ECDH);
         }
 
@@ -73,7 +73,7 @@ namespace Org.BouncyCastle.Tls
 
         public override void ProcessClientCertificate(Certificate clientCertificate)
         {
-            this.m_ecdhPeerCertificate = clientCertificate.GetCertificateAt(0).CheckUsageInRole(ConnectionEnd.client,
+            this.m_ecdhPeerCertificate = clientCertificate.GetCertificateAt(0).CheckUsageInRole(
                 TlsCertificateRole.ECDH);
         }
 
diff --git a/crypto/src/tls/TlsPskKeyExchange.cs b/crypto/src/tls/TlsPskKeyExchange.cs
index 1055fdc53..8a279c62a 100644
--- a/crypto/src/tls/TlsPskKeyExchange.cs
+++ b/crypto/src/tls/TlsPskKeyExchange.cs
@@ -36,7 +36,7 @@ namespace Org.BouncyCastle.Tls
         protected TlsAgreement m_agreement;
 
         protected TlsCredentialedDecryptor m_serverCredentials = null;
-        protected TlsCertificate m_serverCertificate;
+        protected TlsEncryptor m_serverEncryptor;
         protected TlsSecret m_preMasterSecret;
 
         public TlsPskKeyExchange(int keyExchange, TlsPskIdentity pskIdentity, TlsDHGroupVerifier dhGroupVerifier)
@@ -80,7 +80,7 @@ namespace Org.BouncyCastle.Tls
             if (m_keyExchange != KeyExchangeAlgorithm.RSA_PSK)
                 throw new TlsFatalAlert(AlertDescription.unexpected_message);
 
-            this.m_serverCertificate = serverCertificate.GetCertificateAt(0).CheckUsageInRole(ConnectionEnd.server,
+            this.m_serverEncryptor = serverCertificate.GetCertificateAt(0).CreateEncryptor(
                 TlsCertificateRole.RsaEncryption);
         }
 
@@ -207,8 +207,8 @@ namespace Org.BouncyCastle.Tls
             }
             else if (this.m_keyExchange == KeyExchangeAlgorithm.RSA_PSK)
             {
-                this.m_preMasterSecret = TlsRsaUtilities.GenerateEncryptedPreMasterSecret(m_context,
-                    m_serverCertificate, output);
+                this.m_preMasterSecret = TlsUtilities.GenerateEncryptedPreMasterSecret(m_context, m_serverEncryptor,
+                    output);
             }
         }
 
diff --git a/crypto/src/tls/TlsRsaKeyExchange.cs b/crypto/src/tls/TlsRsaKeyExchange.cs
index 5184ca8fa..a2f5559d1 100644
--- a/crypto/src/tls/TlsRsaKeyExchange.cs
+++ b/crypto/src/tls/TlsRsaKeyExchange.cs
@@ -21,7 +21,7 @@ namespace Org.BouncyCastle.Tls
         }
 
         protected TlsCredentialedDecryptor m_serverCredentials = null;
-        protected TlsCertificate m_serverCertificate;
+        protected TlsEncryptor m_serverEncryptor;
         protected TlsSecret m_preMasterSecret;
 
         public TlsRsaKeyExchange(int keyExchange)
@@ -41,7 +41,7 @@ namespace Org.BouncyCastle.Tls
 
         public override void ProcessServerCertificate(Certificate serverCertificate)
         {
-            this.m_serverCertificate = serverCertificate.GetCertificateAt(0).CheckUsageInRole(ConnectionEnd.server,
+            this.m_serverEncryptor = serverCertificate.GetCertificateAt(0).CreateEncryptor(
                 TlsCertificateRole.RsaEncryption);
         }
 
@@ -58,7 +58,7 @@ namespace Org.BouncyCastle.Tls
 
         public override void GenerateClientKeyExchange(Stream output)
         {
-            this.m_preMasterSecret = TlsRsaUtilities.GenerateEncryptedPreMasterSecret(m_context, m_serverCertificate,
+            this.m_preMasterSecret = TlsUtilities.GenerateEncryptedPreMasterSecret(m_context, m_serverEncryptor,
                 output);
         }
 
diff --git a/crypto/src/tls/TlsRsaUtilities.cs b/crypto/src/tls/TlsRsaUtilities.cs
deleted file mode 100644
index 065279528..000000000
--- a/crypto/src/tls/TlsRsaUtilities.cs
+++ /dev/null
@@ -1,26 +0,0 @@
-using System;
-using System.IO;
-
-using Org.BouncyCastle.Tls.Crypto;
-
-namespace Org.BouncyCastle.Tls
-{
-    /// <summary>RSA utility methods.</summary>
-    public abstract class TlsRsaUtilities
-    {
-        /// <summary>Generate a pre_master_secret and send it encrypted to the server.</summary>
-        /// <exception cref="IOException"/>
-        public static TlsSecret GenerateEncryptedPreMasterSecret(TlsContext context, TlsCertificate certificate,
-            Stream output)
-        {
-            TlsSecret preMasterSecret = context.Crypto.GenerateRsaPreMasterSecret(context.RsaPreMasterSecretVersion);
-
-            TlsEncryptor encryptor = certificate.CreateEncryptor(TlsCertificateRole.RsaEncryption);
-
-            byte[] encryptedPreMasterSecret = preMasterSecret.Encrypt(encryptor);
-            TlsUtilities.WriteEncryptedPms(context, encryptedPreMasterSecret, output);
-
-            return preMasterSecret;
-        }
-    }
-}
diff --git a/crypto/src/tls/TlsUtilities.cs b/crypto/src/tls/TlsUtilities.cs
index 98d834b6d..4cec13bae 100644
--- a/crypto/src/tls/TlsUtilities.cs
+++ b/crypto/src/tls/TlsUtilities.cs
@@ -5327,6 +5327,18 @@ namespace Org.BouncyCastle.Tls
             }
         }
 
+        /// <summary>Generate a pre_master_secret and send it encrypted to the server.</summary>
+        /// <exception cref="IOException"/>
+        public static TlsSecret GenerateEncryptedPreMasterSecret(TlsContext context, TlsEncryptor encryptor,
+            Stream output)
+        {
+            ProtocolVersion version = context.RsaPreMasterSecretVersion;
+            TlsSecret preMasterSecret = context.Crypto.GenerateRsaPreMasterSecret(version);
+            byte[] encryptedPreMasterSecret = preMasterSecret.Encrypt(encryptor);
+            WriteEncryptedPms(context, encryptedPreMasterSecret, output);
+            return preMasterSecret;
+        }
+
 #if !PORTABLE || DOTNET
         public static bool IsTimeout(SocketException e)
         {
diff --git a/crypto/src/tls/crypto/TlsCertificate.cs b/crypto/src/tls/crypto/TlsCertificate.cs
index b9efe37b3..fe507a662 100644
--- a/crypto/src/tls/crypto/TlsCertificate.cs
+++ b/crypto/src/tls/crypto/TlsCertificate.cs
@@ -50,9 +50,8 @@ namespace Org.BouncyCastle.Tls.Crypto
         /// <exception cref="IOException"/>
         bool SupportsSignatureAlgorithmCA(short signatureAlgorithm);
 
-        /// <param name="connectionEnd"><see cref="ConnectionEnd"/></param>
         /// <param name="tlsCertificateRole"><see cref="TlsCertificateRole"/></param>
         /// <exception cref="IOException"/>
-        TlsCertificate CheckUsageInRole(int connectionEnd, int tlsCertificateRole);
+        TlsCertificate CheckUsageInRole(int tlsCertificateRole);
     }
 }
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs b/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
index 2f331a166..9d4157050 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
@@ -342,7 +342,7 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
         }
 
         /// <exception cref="IOException"/>
-        public virtual TlsCertificate CheckUsageInRole(int connectionEnd, int tlsCertificateRole)
+        public virtual TlsCertificate CheckUsageInRole(int tlsCertificateRole)
         {
             switch (tlsCertificateRole)
             {
@@ -360,25 +360,6 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             }
             }
 
-            if (connectionEnd == ConnectionEnd.server)
-            {
-                switch (tlsCertificateRole)
-                {
-                case TlsCertificateRole.RsaEncryption:
-                {
-                    ValidateKeyUsage(KeyUsage.KeyEncipherment);
-                    this.m_pubKeyRsa = GetPubKeyRsa();
-                    return this;
-                }
-                case TlsCertificateRole.Sm2Encryption:
-                {
-                    ValidateKeyUsage(KeyUsage.KeyEncipherment);
-                    this.m_pubKeyEC = GetPubKeyEC();
-                    return this;
-                }
-                }
-            }
-
             throw new TlsFatalAlert(AlertDescription.certificate_unknown);
         }
 
-- 
cgit 1.4.1