From 985b2b8c511fe7b6430161f04278a4c0c3c89754 Mon Sep 17 00:00:00 2001
From: Peter Dettman <peter.dettman@bouncycastle.org>
Date: Tue, 13 Jul 2021 23:11:07 +0700
Subject: Refactoring around TlsEncryptor

---
 crypto/BouncyCastle.Android.csproj                |  2 +-
 crypto/BouncyCastle.csproj                        |  2 +-
 crypto/BouncyCastle.iOS.csproj                    |  2 +-
 crypto/crypto.csproj                              | 10 +++++-----
 crypto/src/tls/TlsRsaUtilities.cs                 |  6 ++++--
 crypto/src/tls/crypto/TlsCertificate.cs           |  6 ++++++
 crypto/src/tls/crypto/TlsEncryptor.cs             | 17 +++++++++++++++++
 crypto/src/tls/crypto/TlsSecret.cs                |  5 ++---
 crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs   |  6 ------
 crypto/src/tls/crypto/impl/AbstractTlsSecret.cs   |  4 ++--
 crypto/src/tls/crypto/impl/TlsEncryptor.cs        | 17 -----------------
 crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs | 23 +++++++++++++++++++++++
 crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs      | 13 -------------
 13 files changed, 62 insertions(+), 51 deletions(-)
 create mode 100644 crypto/src/tls/crypto/TlsEncryptor.cs
 delete mode 100644 crypto/src/tls/crypto/impl/TlsEncryptor.cs

diff --git a/crypto/BouncyCastle.Android.csproj b/crypto/BouncyCastle.Android.csproj
index 575c753ea..f8d4fa890 100644
--- a/crypto/BouncyCastle.Android.csproj
+++ b/crypto/BouncyCastle.Android.csproj
@@ -1652,7 +1652,6 @@
     <Compile Include="src\tls\crypto\impl\TlsAeadCipherImpl.cs" />
     <Compile Include="src\tls\crypto\impl\TlsBlockCipher.cs" />
     <Compile Include="src\tls\crypto\impl\TlsBlockCipherImpl.cs" />
-    <Compile Include="src\tls\crypto\impl\TlsEncryptor.cs" />
     <Compile Include="src\tls\crypto\impl\TlsImplUtilities.cs" />
     <Compile Include="src\tls\crypto\impl\TlsNullCipher.cs" />
     <Compile Include="src\tls\crypto\impl\TlsSuiteHmac.cs" />
@@ -1673,6 +1672,7 @@
     <Compile Include="src\tls\crypto\TlsECConfig.cs" />
     <Compile Include="src\tls\crypto\TlsECDomain.cs" />
     <Compile Include="src\tls\crypto\TlsEncodeResult.cs" />
+    <Compile Include="src\tls\crypto\TlsEncryptor.cs" />
     <Compile Include="src\tls\crypto\TlsHash.cs" />
     <Compile Include="src\tls\crypto\TlsHashSink.cs" />
     <Compile Include="src\tls\crypto\TlsHmac.cs" />
diff --git a/crypto/BouncyCastle.csproj b/crypto/BouncyCastle.csproj
index f972a7694..90c686996 100644
--- a/crypto/BouncyCastle.csproj
+++ b/crypto/BouncyCastle.csproj
@@ -1646,7 +1646,6 @@
     <Compile Include="src\tls\crypto\impl\TlsAeadCipherImpl.cs" />
     <Compile Include="src\tls\crypto\impl\TlsBlockCipher.cs" />
     <Compile Include="src\tls\crypto\impl\TlsBlockCipherImpl.cs" />
-    <Compile Include="src\tls\crypto\impl\TlsEncryptor.cs" />
     <Compile Include="src\tls\crypto\impl\TlsImplUtilities.cs" />
     <Compile Include="src\tls\crypto\impl\TlsNullCipher.cs" />
     <Compile Include="src\tls\crypto\impl\TlsSuiteHmac.cs" />
@@ -1667,6 +1666,7 @@
     <Compile Include="src\tls\crypto\TlsECConfig.cs" />
     <Compile Include="src\tls\crypto\TlsECDomain.cs" />
     <Compile Include="src\tls\crypto\TlsEncodeResult.cs" />
+    <Compile Include="src\tls\crypto\TlsEncryptor.cs" />
     <Compile Include="src\tls\crypto\TlsHash.cs" />
     <Compile Include="src\tls\crypto\TlsHashSink.cs" />
     <Compile Include="src\tls\crypto\TlsHmac.cs" />
diff --git a/crypto/BouncyCastle.iOS.csproj b/crypto/BouncyCastle.iOS.csproj
index 682b74d5e..70e241004 100644
--- a/crypto/BouncyCastle.iOS.csproj
+++ b/crypto/BouncyCastle.iOS.csproj
@@ -1647,7 +1647,6 @@
     <Compile Include="src\tls\crypto\impl\TlsAeadCipherImpl.cs" />
     <Compile Include="src\tls\crypto\impl\TlsBlockCipher.cs" />
     <Compile Include="src\tls\crypto\impl\TlsBlockCipherImpl.cs" />
-    <Compile Include="src\tls\crypto\impl\TlsEncryptor.cs" />
     <Compile Include="src\tls\crypto\impl\TlsImplUtilities.cs" />
     <Compile Include="src\tls\crypto\impl\TlsNullCipher.cs" />
     <Compile Include="src\tls\crypto\impl\TlsSuiteHmac.cs" />
@@ -1668,6 +1667,7 @@
     <Compile Include="src\tls\crypto\TlsECConfig.cs" />
     <Compile Include="src\tls\crypto\TlsECDomain.cs" />
     <Compile Include="src\tls\crypto\TlsEncodeResult.cs" />
+    <Compile Include="src\tls\crypto\TlsEncryptor.cs" />
     <Compile Include="src\tls\crypto\TlsHash.cs" />
     <Compile Include="src\tls\crypto\TlsHashSink.cs" />
     <Compile Include="src\tls\crypto\TlsHmac.cs" />
diff --git a/crypto/crypto.csproj b/crypto/crypto.csproj
index 97fcb3a5b..62d523e33 100644
--- a/crypto/crypto.csproj
+++ b/crypto/crypto.csproj
@@ -8118,11 +8118,6 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
-                <File
-                    RelPath = "src\tls\crypto\impl\TlsEncryptor.cs"
-                    SubType = "Code"
-                    BuildAction = "Compile"
-                />
                 <File
                     RelPath = "src\tls\crypto\impl\TlsImplUtilities.cs"
                     SubType = "Code"
@@ -8223,6 +8218,11 @@
                     SubType = "Code"
                     BuildAction = "Compile"
                 />
+                <File
+                    RelPath = "src\tls\crypto\TlsEncryptor.cs"
+                    SubType = "Code"
+                    BuildAction = "Compile"
+                />
                 <File
                     RelPath = "src\tls\crypto\TlsHash.cs"
                     SubType = "Code"
diff --git a/crypto/src/tls/TlsRsaUtilities.cs b/crypto/src/tls/TlsRsaUtilities.cs
index d520d3ea2..065279528 100644
--- a/crypto/src/tls/TlsRsaUtilities.cs
+++ b/crypto/src/tls/TlsRsaUtilities.cs
@@ -5,7 +5,7 @@ using Org.BouncyCastle.Tls.Crypto;
 
 namespace Org.BouncyCastle.Tls
 {
-    /// <summary>RSA Utility methods.</summary>
+    /// <summary>RSA utility methods.</summary>
     public abstract class TlsRsaUtilities
     {
         /// <summary>Generate a pre_master_secret and send it encrypted to the server.</summary>
@@ -15,7 +15,9 @@ namespace Org.BouncyCastle.Tls
         {
             TlsSecret preMasterSecret = context.Crypto.GenerateRsaPreMasterSecret(context.RsaPreMasterSecretVersion);
 
-            byte[] encryptedPreMasterSecret = preMasterSecret.Encrypt(certificate);
+            TlsEncryptor encryptor = certificate.CreateEncryptor(TlsCertificateRole.RsaEncryption);
+
+            byte[] encryptedPreMasterSecret = preMasterSecret.Encrypt(encryptor);
             TlsUtilities.WriteEncryptedPms(context, encryptedPreMasterSecret, output);
 
             return preMasterSecret;
diff --git a/crypto/src/tls/crypto/TlsCertificate.cs b/crypto/src/tls/crypto/TlsCertificate.cs
index 7bd8e0359..b9efe37b3 100644
--- a/crypto/src/tls/crypto/TlsCertificate.cs
+++ b/crypto/src/tls/crypto/TlsCertificate.cs
@@ -9,6 +9,12 @@ namespace Org.BouncyCastle.Tls.Crypto
     /// <summary>Interface providing the functional representation of a single X.509 certificate.</summary>
     public interface TlsCertificate
     {
+        /// <summary>Return an encryptor based on the public key in this certificate.</summary>
+        /// <param name="tlsCertificateRole"><see cref="TlsCertificateRole"/></param>
+        /// <returns>a <see cref="TlsEncryptor"/> based on this certificate's public key.</returns>
+        /// <exception cref="IOException"/>
+        TlsEncryptor CreateEncryptor(int tlsCertificateRole);
+
         /// <param name="signatureAlgorithm"><see cref="SignatureAlgorithm"/></param>
         /// <exception cref="IOException"/>
         TlsVerifier CreateVerifier(short signatureAlgorithm);
diff --git a/crypto/src/tls/crypto/TlsEncryptor.cs b/crypto/src/tls/crypto/TlsEncryptor.cs
new file mode 100644
index 000000000..53f1973fd
--- /dev/null
+++ b/crypto/src/tls/crypto/TlsEncryptor.cs
@@ -0,0 +1,17 @@
+using System;
+using System.IO;
+
+namespace Org.BouncyCastle.Tls.Crypto
+{
+    /// <summary>Base interface for an encryptor.</summary>
+    public interface TlsEncryptor
+    {
+        /// <summary>Encrypt data from the passed in input array.</summary>
+        /// <param name="input">byte array containing the input data.</param>
+        /// <param name="inOff">offset into input where the data starts.</param>
+        /// <param name="length">the length of the data to encrypt.</param>
+        /// <returns>the encrypted data.</returns>
+        /// <exception cref="IOException"/>
+        byte[] Encrypt(byte[] input, int inOff, int length);
+    }
+}
diff --git a/crypto/src/tls/crypto/TlsSecret.cs b/crypto/src/tls/crypto/TlsSecret.cs
index 9b092fc40..0499d37c3 100644
--- a/crypto/src/tls/crypto/TlsSecret.cs
+++ b/crypto/src/tls/crypto/TlsSecret.cs
@@ -23,11 +23,10 @@ namespace Org.BouncyCastle.Tls.Crypto
         void Destroy();
 
         /// <summary>Return an encrypted copy of the data this secret is based on.</summary>
-        /// <param name="certificate">the certificate containing the public key to use for protecting the internal
-        /// data.</param>
+        /// <param name="encryptor">the encryptor to use for protecting the internal data.</param>
         /// <returns>an encrypted copy of this secret's internal data.</returns>
         /// <exception cref="IOException"/>
-        byte[] Encrypt(TlsCertificate certificate);
+        byte[] Encrypt(TlsEncryptor encryptor);
 
         /// <summary>Return the internal data from this secret.</summary>
         /// <remarks>
diff --git a/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs b/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
index f0b2b03f6..0a634fffe 100644
--- a/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
+++ b/crypto/src/tls/crypto/impl/AbstractTlsCrypto.cs
@@ -80,11 +80,5 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl
         public abstract TlsSrp6VerifierGenerator CreateSrp6VerifierGenerator(TlsSrpConfig srpConfig);
 
         public abstract TlsSecret HkdfInit(int cryptoHashAlgorithm);
-
-        /// <summary>Return an encryptor based on the public key in certificate.</summary>
-        /// <param name="certificate">the certificate carrying the public key.</param>
-        /// <returns>a <see cref="TlsEncryptor"/> based on the certificate's public key.</returns>
-        /// <exception cref="IOException"/>
-        public abstract TlsEncryptor CreateEncryptor(TlsCertificate certificate);
     }
 }
diff --git a/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs b/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs
index 634b86732..e8298193f 100644
--- a/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs
+++ b/crypto/src/tls/crypto/impl/AbstractTlsSecret.cs
@@ -42,13 +42,13 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl
         }
 
         /// <exception cref="IOException"/>
-        public virtual byte[] Encrypt(TlsCertificate certificate)
+        public virtual byte[] Encrypt(TlsEncryptor encryptor)
         {
             lock (this)
             {
                 CheckAlive();
 
-                return Crypto.CreateEncryptor(certificate).Encrypt(m_data, 0, m_data.Length);
+                return encryptor.Encrypt(m_data, 0, m_data.Length);
             }
         }
 
diff --git a/crypto/src/tls/crypto/impl/TlsEncryptor.cs b/crypto/src/tls/crypto/impl/TlsEncryptor.cs
deleted file mode 100644
index 6e4ef0c44..000000000
--- a/crypto/src/tls/crypto/impl/TlsEncryptor.cs
+++ /dev/null
@@ -1,17 +0,0 @@
-using System;
-using System.IO;
-
-namespace Org.BouncyCastle.Tls.Crypto.Impl
-{
-    /// <summary>Base interface for an encryptor based on a public key.</summary>
-    public interface TlsEncryptor
-    {
-        /// <summary>Encrypt data from the passed in input array.</summary>
-        /// <param name="input">byte array containing the input data.</param>
-        /// <param name="inOff">offset into input where the data starts.</param>
-        /// <param name="length">the length of the data to encrypt.</param>
-        /// <returns>the encrypted data.</returns>
-        /// <exception cref="IOException"/>
-        byte[] Encrypt(byte[] input, int inOff, int length);
-    }
-}
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs b/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
index e1243087d..2f331a166 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsCertificate.cs
@@ -58,6 +58,29 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             this.m_certificate = certificate;
         }
 
+        /// <exception cref="IOException"/>
+        public virtual TlsEncryptor CreateEncryptor(int tlsCertificateRole)
+        {
+            ValidateKeyUsage(KeyUsage.KeyEncipherment);
+
+            switch (tlsCertificateRole)
+            {
+            case TlsCertificateRole.RsaEncryption:
+            {
+                this.m_pubKeyRsa = GetPubKeyRsa();
+                return new BcTlsRsaEncryptor(m_crypto, m_pubKeyRsa);
+            }
+            // TODO[gmssl]
+            //case TlsCertificateRole.Sm2Encryption:
+            //{
+            //    this.m_pubKeyEC = GetPubKeyEC();
+            //    return new BcTlsSM2Encryptor(m_crypto, m_pubKeyEC);
+            //}
+            }
+
+            throw new TlsFatalAlert(AlertDescription.certificate_unknown);
+        }
+
         /// <exception cref="IOException"/>
         public virtual TlsVerifier CreateVerifier(short signatureAlgorithm)
         {
diff --git a/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs b/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
index aa9985ed9..69e353bae 100644
--- a/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
+++ b/crypto/src/tls/crypto/impl/bc/BcTlsCrypto.cs
@@ -1,11 +1,8 @@
 using System;
-using System.IO;
 
-using Org.BouncyCastle.Asn1.X509;
 using Org.BouncyCastle.Crypto;
 using Org.BouncyCastle.Crypto.Agreement.Srp;
 using Org.BouncyCastle.Crypto.Digests;
-using Org.BouncyCastle.Crypto.Encodings;
 using Org.BouncyCastle.Crypto.Engines;
 using Org.BouncyCastle.Crypto.Macs;
 using Org.BouncyCastle.Crypto.Modes;
@@ -140,16 +137,6 @@ namespace Org.BouncyCastle.Tls.Crypto.Impl.BC
             }
         }
 
-        public override TlsEncryptor CreateEncryptor(TlsCertificate certificate)
-        {
-            BcTlsCertificate bcCert = BcTlsCertificate.Convert(this, certificate);
-            bcCert.ValidateKeyUsage(KeyUsage.KeyEncipherment);
-
-            RsaKeyParameters pubKeyRsa = bcCert.GetPubKeyRsa();
-
-            return new BcTlsRsaEncryptor(this, pubKeyRsa);
-        }
-
         public override TlsNonceGenerator CreateNonceGenerator(byte[] additionalSeedMaterial)
         {
             IDigest digest = CreateDigest(CryptoHashAlgorithm.sha256);
-- 
cgit 1.5.1