crypto/test/src/tls/test/MockRawKeysTlsClient.cs


1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126

using System;
using System.Collections.Generic;

using NUnit.Framework;

using Org.BouncyCastle.Crypto.Parameters;
using Org.BouncyCastle.Security;
using Org.BouncyCastle.Tls.Crypto;
using Org.BouncyCastle.Tls.Crypto.Impl.BC;
using Org.BouncyCastle.X509;

namespace Org.BouncyCastle.Tls.Tests
{
    internal class MockRawKeysTlsClient
        : DefaultTlsClient
    {
        private short m_serverCertType;
        private short m_clientCertType;
        private short[] m_offerServerCertTypes;
        private short[] m_offerClientCertTypes;
        private ProtocolVersion m_tlsVersion;
        private Ed25519PrivateKeyParameters m_privateKey;

        internal MockRawKeysTlsClient(short serverCertType, short clientCertType, short[] offerServerCertTypes,
            short[] offerClientCertTypes, Ed25519PrivateKeyParameters privateKey, ProtocolVersion tlsVersion)
            : base(new BcTlsCrypto(new SecureRandom()))
        {
            m_serverCertType = serverCertType;
            m_clientCertType = clientCertType;
            m_offerServerCertTypes = offerServerCertTypes;
            m_offerClientCertTypes = offerClientCertTypes;
            m_privateKey = privateKey;
            m_tlsVersion = tlsVersion;
        }

        protected override ProtocolVersion[] GetSupportedVersions()
        {
            return new ProtocolVersion[]{ m_tlsVersion };
        }

        protected override int[] GetSupportedCipherSuites()
        {
            return TlsUtilities.IsTlsV13(m_tlsVersion)
                ?   new int[]{ CipherSuite.TLS_AES_128_GCM_SHA256 }
                :   new int[]{ CipherSuite.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 };
        }

        protected override short[] GetAllowedClientCertificateTypes() => m_offerClientCertTypes;

        protected override short[] GetAllowedServerCertificateTypes() => m_offerServerCertTypes;

        protected override CertificateStatusRequest GetCertificateStatusRequest()
        {
            return m_serverCertType == CertificateType.RawPublicKey ? null : base.GetCertificateStatusRequest();
        }

        protected override IList<CertificateStatusRequestItemV2> GetMultiCertStatusRequest()
        {
            return m_serverCertType == CertificateType.RawPublicKey ? null : base.GetMultiCertStatusRequest();
        }

        public override TlsAuthentication GetAuthentication()
        {
            return new MyTlsAuthentication(this);
        }

        internal class MyTlsAuthentication
            : TlsAuthentication
        {
            private readonly MockRawKeysTlsClient m_outer;
            private TlsCredentialedSigner m_credentials;

            internal MyTlsAuthentication(MockRawKeysTlsClient outer)
            {
                m_outer = outer;
            }

            public void NotifyServerCertificate(TlsServerCertificate serverCertificate)
            {
                Assert.AreEqual(m_outer.m_serverCertType, serverCertificate.Certificate.CertificateType,
                    "wrong certificate type from server");
            }

            public TlsCredentials GetClientCredentials(CertificateRequest certificateRequest)
            {
                var clientCertType = m_outer.m_clientCertType;
                var context = m_outer.m_context;
                var crypto = (BcTlsCrypto)m_outer.Crypto;
                var privateKey = m_outer.m_privateKey;

                if (clientCertType < 0)
                {
                    Assert.Fail("should not have received a certificate request");
                }

                Assert.AreEqual(clientCertType, context.SecurityParameters.ClientCertificateType,
                    "wrong certificate type in request");

                if (m_credentials == null)
                {
                    switch (clientCertType)
                    {
                    case CertificateType.X509:
                        m_credentials = TlsTestUtilities.LoadSignerCredentials(context,
                            certificateRequest.SupportedSignatureAlgorithms, SignatureAlgorithm.ed25519,
                            "x509-client-ed25519.pem", "x509-client-key-ed25519.pem");
                        break;
                    case CertificateType.RawPublicKey:
                        TlsCertificate rawKeyCert = new BcTlsRawKeyCertificate(crypto,
                            SubjectPublicKeyInfoFactory.CreateSubjectPublicKeyInfo(privateKey.GeneratePublicKey()));
                        Certificate cert = new Certificate(CertificateType.RawPublicKey,
                            TlsUtilities.IsTlsV13(context) ? TlsUtilities.EmptyBytes : null,
                            new CertificateEntry[]{ new CertificateEntry(rawKeyCert, null) });
                        m_credentials = new BcDefaultTlsCredentialedSigner(new TlsCryptoParameters(context),
                            crypto, privateKey, cert, SignatureAndHashAlgorithm.ed25519);
                        break;
                    default:
                        throw new ArgumentException("Only supports X509 and raw keys");
                    }
                }

                return m_credentials;
            }
        };
    }
}