MCPcopy Create free account
hub / github.com/XTLS/Go / selectSignatureScheme

Function selectSignatureScheme

auth.go:231–249  ·  view source on GitHub ↗

selectSignatureScheme picks a SignatureScheme from the peer's preference list that works with the selected certificate. It's only called for protocol versions that support signature algorithms, so TLS 1.2 and 1.3.

(vers uint16, c *Certificate, peerAlgs []SignatureScheme)

Source from the content-addressed store, hash-verified

229// that works with the selected certificate. It's only called for protocol
230// versions that support signature algorithms, so TLS 1.2 and 1.3.
231func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) {
232 supportedAlgs := signatureSchemesForCertificate(vers, c)
233 if len(supportedAlgs) == 0 {
234 return 0, unsupportedCertificateError(c)
235 }
236 if len(peerAlgs) == 0 && vers == VersionTLS12 {
237 // For TLS 1.2, if the client didn't send signature_algorithms then we
238 // can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
239 peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
240 }
241 // Pick signature scheme in the peer's preference order, as our
242 // preference order is not configurable.
243 for _, preferredAlg := range peerAlgs {
244 if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
245 return preferredAlg, nil
246 }
247 }
248 return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms")
249}
250
251// unsupportedCertificateError returns a helpful error for certificates with
252// an unsupported private key.

Callers 6

SupportsCertificateMethod · 0.85
SupportsCertificateMethod · 0.85
doFullHandshakeMethod · 0.85
sendClientCertificateMethod · 0.85
pickCertificateMethod · 0.85

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…