| 934 | } |
| 935 | |
| 936 | func (hs *serverHandshakeStateTLS13) sendServerCertificate() error { |
| 937 | c := hs.c |
| 938 | |
| 939 | // Only one of PSK and certificates are used at a time. |
| 940 | if hs.usingPSK { |
| 941 | return nil |
| 942 | } |
| 943 | |
| 944 | if hs.requestClientCert() { |
| 945 | // Request a client certificate |
| 946 | certReq := new(certificateRequestMsgTLS13) |
| 947 | certReq.ocspStapling = true |
| 948 | certReq.scts = true |
| 949 | certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms(c.vers) |
| 950 | certReq.supportedSignatureAlgorithmsCert = supportedSignatureAlgorithmsCert() |
| 951 | if c.config.ClientCAs != nil { |
| 952 | certReq.certificateAuthorities = c.config.ClientCAs.Subjects() |
| 953 | } |
| 954 | |
| 955 | if _, err := hs.c.writeHandshakeRecord(certReq, hs.transcript); err != nil { |
| 956 | return err |
| 957 | } |
| 958 | } |
| 959 | |
| 960 | certMsg := new(certificateMsgTLS13) |
| 961 | |
| 962 | certMsg.certificate = *hs.cert |
| 963 | certMsg.scts = hs.clientHello.scts && len(hs.cert.SignedCertificateTimestamps) > 0 |
| 964 | certMsg.ocspStapling = hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 |
| 965 | |
| 966 | if _, err := hs.c.writeHandshakeRecord(certMsg, hs.transcript); err != nil { |
| 967 | return err |
| 968 | } |
| 969 | |
| 970 | certVerifyMsg := new(certificateVerifyMsg) |
| 971 | certVerifyMsg.hasSignatureAlgorithm = true |
| 972 | certVerifyMsg.signatureAlgorithm = hs.sigAlg |
| 973 | |
| 974 | sigType, sigHash, err := typeAndHashFromSignatureScheme(hs.sigAlg) |
| 975 | if err != nil { |
| 976 | return c.sendAlert(alertInternalError) |
| 977 | } |
| 978 | |
| 979 | signed := signedMessage(sigHash, serverSignatureContext, hs.transcript) |
| 980 | signOpts := crypto.SignerOpts(sigHash) |
| 981 | if sigType == signatureRSAPSS { |
| 982 | signOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: sigHash} |
| 983 | } |
| 984 | sig, err := hs.cert.PrivateKey.(crypto.Signer).Sign(c.config.rand(), signed, signOpts) |
| 985 | if err != nil { |
| 986 | public := hs.cert.PrivateKey.(crypto.Signer).Public() |
| 987 | if rsaKey, ok := public.(*rsa.PublicKey); ok && sigType == signatureRSAPSS && |
| 988 | rsaKey.N.BitLen()/8 < sigHash.Size()*2+2 { // key too small for RSA-PSS |
| 989 | c.sendAlert(alertHandshakeFailure) |
| 990 | } else { |
| 991 | c.sendAlert(alertInternalError) |
| 992 | } |
| 993 | return errors.New("tls: failed to sign handshake: " + err.Error()) |