hub / github.com/XTLS/REALITY / signatureSchemesForCertificate

Function signatureSchemesForCertificate

auth.go:171–229  ·  view source on GitHub ↗

signatureSchemesForCertificate returns the list of supported SignatureSchemes for a given certificate, based on the public key and the protocol version, and optionally filtered by its explicit SupportedSignatureAlgorithms.

(version uint16, cert *Certificate)

Source from the content-addressed store, hash-verified

// signatureSchemesForCertificate reports which SignatureSchemes the
// certificate's private key may be used with at the given protocol version.
// Candidates are derived from the public key type and then narrowed twice:
// by cert.SupportedSignatureAlgorithms when that field is non-nil, and by
// supportedSignatureAlgorithms(version).
//
// It returns nil when the private key is not a crypto.Signer, when the public
// key is not ECDSA, RSA or Ed25519, or when a TLS 1.3 ECDSA key is on a curve
// other than P-256, P-384 or P-521. The result may also be empty if the
// filters remove every candidate.
func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme {
	signer, isSigner := cert.PrivateKey.(crypto.Signer)
	if !isSigner {
		return nil
	}

	var schemes []SignatureScheme
	switch key := signer.Public().(type) {
	case *ecdsa.PublicKey:
		if version == VersionTLS13 {
			// Unlike TLS 1.2 and earlier, each ECDSA scheme here is tied
			// to one curve, so the key's curve picks exactly one scheme.
			switch key.Curve {
			case elliptic.P256():
				schemes = []SignatureScheme{ECDSAWithP256AndSHA256}
			case elliptic.P384():
				schemes = []SignatureScheme{ECDSAWithP384AndSHA384}
			case elliptic.P521():
				schemes = []SignatureScheme{ECDSAWithP521AndSHA512}
			default:
				return nil
			}
		} else {
			// In TLS 1.2 and earlier, ECDSA algorithms are not constrained
			// to a single curve. ECDSAWithSHA1 is still a candidate at this
			// point; whether it survives is decided by the filters below.
			schemes = []SignatureScheme{
				ECDSAWithP256AndSHA256,
				ECDSAWithP384AndSHA384,
				ECDSAWithP521AndSHA512,
				ECDSAWithSHA1,
			}
		}
	case *rsa.PublicKey:
		modulusBytes := key.Size()
		schemes = make([]SignatureScheme, 0, len(rsaSignatureSchemes))
		for _, entry := range rsaSignatureSchemes {
			// Skip schemes that need a larger modulus than this key has,
			// or that are not allowed at this protocol version.
			if modulusBytes < entry.minModulusBytes || version > entry.maxVersion {
				continue
			}
			schemes = append(schemes, entry.scheme)
		}
	case ed25519.PublicKey:
		schemes = []SignatureScheme{Ed25519}
	default:
		return nil
	}

	// restrictTo drops every candidate that is not present in allowed.
	// schemes is always a freshly built slice here, so the in-place
	// deletion does not touch caller-owned or package-level data.
	restrictTo := func(allowed []SignatureScheme) {
		schemes = slices.DeleteFunc(schemes, func(s SignatureScheme) bool {
			return !isSupportedSignatureAlgorithm(s, allowed)
		})
	}

	// Honour the certificate's own explicit restriction, if it has one.
	if cert.SupportedSignatureAlgorithms != nil {
		restrictTo(cert.SupportedSignatureAlgorithms)
	}

	// Filter out any unsupported signature algorithms, for example due to
	// FIPS 140-3 policy, tlssha1=0, or any downstream changes to defaults.go.
	restrictTo(supportedSignatureAlgorithms(version))

	return schemes
}

Callers 1

selectSignatureScheme (function) · 0.85

Calls 3

Size (method) · 0.80

Tested by

no test coverage detected
