Method readClientCertificate

handshake_server_tls13.go:1145–1233  ·  view source on GitHub ↗
1143}
1144
1145func (hs *serverHandshakeStateTLS13) readClientCertificate() error {
1146 c := hs.c
1147
1148 if !hs.requestClientCert() {
1149 // Make sure the connection is still being verified whether or not
1150 // the server requested a client certificate.
1151 if c.config.VerifyConnection != nil {
1152 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
1153 c.sendAlert(alertBadCertificate)
1154 return err
1155 }
1156 }
1157 return nil
1158 }
1159
1160 // If we requested a client certificate, then the client must send a
1161 // certificate message. If it's empty, no CertificateVerify is sent.
1162
1163 msg, err := c.readHandshake(hs.transcript)
1164 if err != nil {
1165 return err
1166 }
1167
1168 certMsg, ok := msg.(*certificateMsgTLS13)
1169 if !ok {
1170 c.sendAlert(alertUnexpectedMessage)
1171 return unexpectedMessageError(certMsg, msg)
1172 }
1173
1174 if err := c.processCertsFromClient(certMsg.certificate); err != nil {
1175 return err
1176 }
1177
1178 if c.config.VerifyConnection != nil {
1179 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil {
1180 c.sendAlert(alertBadCertificate)
1181 return err
1182 }
1183 }
1184
1185 if len(certMsg.certificate.Certificate) != 0 {
1186 // certificateVerifyMsg is included in the transcript, but not until
1187 // after we verify the handshake signature, since the state before
1188 // this message was sent is used.
1189 msg, err = c.readHandshake(nil)
1190 if err != nil {
1191 return err
1192 }
1193
1194 certVerify, ok := msg.(*certificateVerifyMsg)
1195 if !ok {
1196 c.sendAlert(alertUnexpectedMessage)
1197 return unexpectedMessageError(certVerify, msg)
1198 }
1199
1200 // See RFC 8446, Section 4.4.3.
1201 // We don't use certReq.supportedSignatureAlgorithms because it would
1202 // require keeping the certificateRequestMsgTLS13 around in the hs.
