MCPcopy Index your code
hub / github.com/XTLS/Go / certificateRequestInfoFromMsg

Function certificateRequestInfoFromMsg

handshake_client.go:904–966  ·  view source on GitHub ↗

certificateRequestInfoFromMsg generates a CertificateRequestInfo from a TLS <= 1.2 CertificateRequest, making an effort to fill in missing information.

(ctx context.Context, vers uint16, certReq *certificateRequestMsg)

Source from the content-addressed store, hash-verified

902// certificateRequestInfoFromMsg generates a CertificateRequestInfo from a TLS
903// <= 1.2 CertificateRequest, making an effort to fill in missing information.
904func certificateRequestInfoFromMsg(ctx context.Context, vers uint16, certReq *certificateRequestMsg) *CertificateRequestInfo {
905 cri := &CertificateRequestInfo{
906 AcceptableCAs: certReq.certificateAuthorities,
907 Version: vers,
908 ctx: ctx,
909 }
910
911 var rsaAvail, ecAvail bool
912 for _, certType := range certReq.certificateTypes {
913 switch certType {
914 case certTypeRSASign:
915 rsaAvail = true
916 case certTypeECDSASign:
917 ecAvail = true
918 }
919 }
920
921 if !certReq.hasSignatureAlgorithm {
922 // Prior to TLS 1.2, signature schemes did not exist. In this case we
923 // make up a list based on the acceptable certificate types, to help
924 // GetClientCertificate and SupportsCertificate select the right certificate.
925 // The hash part of the SignatureScheme is a lie here, because
926 // TLS 1.0 and 1.1 always use MD5+SHA1 for RSA and SHA1 for ECDSA.
927 switch {
928 case rsaAvail && ecAvail:
929 cri.SignatureSchemes = []SignatureScheme{
930 ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512,
931 PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1,
932 }
933 case rsaAvail:
934 cri.SignatureSchemes = []SignatureScheme{
935 PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512, PKCS1WithSHA1,
936 }
937 case ecAvail:
938 cri.SignatureSchemes = []SignatureScheme{
939 ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512,
940 }
941 }
942 return cri
943 }
944
945 // Filter the signature schemes based on the certificate types.
946 // See RFC 5246, Section 7.4.4 (where it calls this "somewhat complicated").
947 cri.SignatureSchemes = make([]SignatureScheme, 0, len(certReq.supportedSignatureAlgorithms))
948 for _, sigScheme := range certReq.supportedSignatureAlgorithms {
949 sigType, _, err := typeAndHashFromSignatureScheme(sigScheme)
950 if err != nil {
951 continue
952 }
953 switch sigType {
954 case signatureECDSA, signatureEd25519:
955 if ecAvail {
956 cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme)
957 }
958 case signatureRSAPSS, signaturePKCS1v15:
959 if rsaAvail {
960 cri.SignatureSchemes = append(cri.SignatureSchemes, sigScheme)
961 }

Callers 1

doFullHandshakeMethod · 0.85

Calls 1

Tested by

no test coverage detected

Used in the wild real call sites across dependent graphs

searching dependent graphs…