signatureSchemesForCertificate returns the list of supported SignatureSchemes for a given certificate, based on the public key and the protocol version, and optionally filtered by its explicit SupportedSignatureAlgorithms.
(version uint16, cert *Certificate)
| 169 | // for a given certificate, based on the public key and the protocol version, |
| 170 | // and optionally filtered by its explicit SupportedSignatureAlgorithms. |
| 171 | func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme { |
| 172 | priv, ok := cert.PrivateKey.(crypto.Signer) |
| 173 | if !ok { |
| 174 | return nil |
| 175 | } |
| 176 | |
| 177 | var sigAlgs []SignatureScheme |
| 178 | switch pub := priv.Public().(type) { |
| 179 | case *ecdsa.PublicKey: |
| 180 | if version != VersionTLS13 { |
| 181 | // In TLS 1.2 and earlier, ECDSA algorithms are not |
| 182 | // constrained to a single curve. |
| 183 | sigAlgs = []SignatureScheme{ |
| 184 | ECDSAWithP256AndSHA256, |
| 185 | ECDSAWithP384AndSHA384, |
| 186 | ECDSAWithP521AndSHA512, |
| 187 | ECDSAWithSHA1, |
| 188 | } |
| 189 | break |
| 190 | } |
| 191 | switch pub.Curve { |
| 192 | case elliptic.P256(): |
| 193 | sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256} |
| 194 | case elliptic.P384(): |
| 195 | sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384} |
| 196 | case elliptic.P521(): |
| 197 | sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512} |
| 198 | default: |
| 199 | return nil |
| 200 | } |
| 201 | case *rsa.PublicKey: |
| 202 | size := pub.Size() |
| 203 | sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes)) |
| 204 | for _, candidate := range rsaSignatureSchemes { |
| 205 | if size >= candidate.minModulusBytes && version <= candidate.maxVersion { |
| 206 | sigAlgs = append(sigAlgs, candidate.scheme) |
| 207 | } |
| 208 | } |
| 209 | case ed25519.PublicKey: |
| 210 | sigAlgs = []SignatureScheme{Ed25519} |
| 211 | default: |
| 212 | return nil |
| 213 | } |
| 214 | |
| 215 | if cert.SupportedSignatureAlgorithms != nil { |
| 216 | sigAlgs = slices.DeleteFunc(sigAlgs, func(sigAlg SignatureScheme) bool { |
| 217 | return !isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) |
| 218 | }) |
| 219 | } |
| 220 | |
| 221 | // Filter out any unsupported signature algorithms, for example due to |
| 222 | // FIPS 140-3 policy, tlssha1=0, or any downstream changes to defaults.go. |
| 223 | supportedAlgs := supportedSignatureAlgorithms(version) |
| 224 | sigAlgs = slices.DeleteFunc(sigAlgs, func(sigAlg SignatureScheme) bool { |
| 225 | return !isSupportedSignatureAlgorithm(sigAlg, supportedAlgs) |
| 226 | }) |
| 227 | |
| 228 | return sigAlgs |
no test coverage detected
searching dependent graphs…