MCPcopy Create free account
hub / github.com/XTLS/Go / signatureSchemesForCertificate

Function signatureSchemesForCertificate

auth.go:172–226  ·  view source on GitHub ↗

signatureSchemesForCertificate returns the list of supported SignatureSchemes for a given certificate, based on the public key and the protocol version, and optionally filtered by its explicit SupportedSignatureAlgorithms. This function must be kept in sync with supportedSignatureAlgorithms.

(version uint16, cert *Certificate)

Source from the content-addressed store, hash-verified

170//
171// This function must be kept in sync with supportedSignatureAlgorithms.
172func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme {
173 priv, ok := cert.PrivateKey.(crypto.Signer)
174 if !ok {
175 return nil
176 }
177
178 var sigAlgs []SignatureScheme
179 switch pub := priv.Public().(type) {
180 case *ecdsa.PublicKey:
181 if version != VersionTLS13 {
182 // In TLS 1.2 and earlier, ECDSA algorithms are not
183 // constrained to a single curve.
184 sigAlgs = []SignatureScheme{
185 ECDSAWithP256AndSHA256,
186 ECDSAWithP384AndSHA384,
187 ECDSAWithP521AndSHA512,
188 ECDSAWithSHA1,
189 }
190 break
191 }
192 switch pub.Curve {
193 case elliptic.P256():
194 sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256}
195 case elliptic.P384():
196 sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384}
197 case elliptic.P521():
198 sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512}
199 default:
200 return nil
201 }
202 case *rsa.PublicKey:
203 size := pub.Size()
204 sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes))
205 for _, candidate := range rsaSignatureSchemes {
206 if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
207 sigAlgs = append(sigAlgs, candidate.scheme)
208 }
209 }
210 case ed25519.PublicKey:
211 sigAlgs = []SignatureScheme{Ed25519}
212 default:
213 return nil
214 }
215
216 if cert.SupportedSignatureAlgorithms != nil {
217 var filteredSigAlgs []SignatureScheme
218 for _, sigAlg := range sigAlgs {
219 if isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) {
220 filteredSigAlgs = append(filteredSigAlgs, sigAlg)
221 }
222 }
223 return filteredSigAlgs
224 }
225 return sigAlgs
226}
227
228// selectSignatureScheme picks a SignatureScheme from the peer's preference list
229// that works with the selected certificate. It's only called for protocol

Callers 1

selectSignatureSchemeFunction · 0.85

Calls 2

SizeMethod · 0.80

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…