hub / github.com/tjfoc/gmsm / pickSignatureAlgorithm

Function pickSignatureAlgorithm

gmtls/auth.go:36–85  ·  view source on GitHub ↗

pickSignatureAlgorithm selects a signature algorithm that is compatible with the given public key and the list of algorithms from the peer and this side. The lists of signature algorithms (peerSigAlgs and ourSigAlgs) are ignored for tlsVersion < VersionTLS12. The returned SignatureScheme codepoint is only meaningful for TLS 1.2; previous TLS versions have a fixed hash function.

(pubkey crypto.PublicKey, peerSigAlgs, ourSigAlgs []SignatureScheme, tlsVersion uint16)

Source from the content-addressed store, hash-verified

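// pickSignatureAlgorithm selects a signature algorithm that is compatible with
// the given public key and the list of algorithms from the peer and this side.
// The lists of signature algorithms (peerSigAlgs and ourSigAlgs) are ignored
// for tlsVersion < VersionTLS12.
//
// The returned SignatureScheme codepoint is only meaningful for TLS 1.2,
// previous TLS versions have a fixed hash function.
//
// Security-relevant behavior:
//   - Negotiation walks peerSigAlgs in the peer's order and returns the first
//     entry that isSupportedSignatureAlgorithm accepts against ourSigAlgs and
//     that fits the key type. The peer's preference therefore decides among
//     mutually acceptable schemes, so ourSigAlgs should contain only schemes
//     this side is willing to use.
//   - With tlsVersion < VersionTLS12, or with an empty peerSigAlgs, nothing is
//     negotiated and a fixed MD5SHA1 or SHA-1 based choice is returned.
//     Deployments that must not produce or accept SHA-1 signatures have to
//     enforce that outside this function.
//
// An error is returned for an unsupported public key type, when no candidate
// fits, or when lookupTLSHash does not know a mutually supported scheme.
func pickSignatureAlgorithm(pubkey crypto.PublicKey, peerSigAlgs, ourSigAlgs []SignatureScheme, tlsVersion uint16) (sigAlg SignatureScheme, sigType uint8, hashFunc crypto.Hash, err error) {
	if tlsVersion < VersionTLS12 || len(peerSigAlgs) == 0 {
		// For TLS 1.1 and before, the signature algorithm could not be
		// negotiated and the hash is fixed based on the signature type.
		// For TLS 1.2, if the client didn't send signature_algorithms
		// extension then we can assume that it supports SHA1. See
		// https://tools.ietf.org/html/rfc5246#section-7.4.1.4.1
		switch pubkey.(type) {
		case *rsa.PublicKey:
			if tlsVersion < VersionTLS12 {
				return 0, signaturePKCS1v15, crypto.MD5SHA1, nil
			}
			return PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1, nil
		case *ecdsa.PublicKey:
			return ECDSAWithSHA1, signatureECDSA, crypto.SHA1, nil
		case *sm2.PublicKey:
			// NOTE(review): the scheme is SM2WITHSM3 but the hash reported
			// is crypto.SHA1. Confirm that the SM2 signing and verification
			// paths ignore hashFunc, otherwise the two values disagree.
			return SM2WITHSM3, signatureSM2, crypto.SHA1, nil
		default:
			return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey)
		}
	}

	// Local names differ from the named results so that nothing is shadowed.
	for _, candidate := range peerSigAlgs {
		if !isSupportedSignatureAlgorithm(candidate, ourSigAlgs) {
			continue
		}
		hash, lookupErr := lookupTLSHash(candidate)
		if lookupErr != nil {
			// This is a local configuration fault (ourSigAlgs lists a scheme
			// that lookupTLSHash does not know), but which entry gets looked
			// up depends on the peer's list. Fail this handshake with an
			// error instead of panicking in the handshake path.
			return 0, 0, 0, fmt.Errorf("tls: supported signature algorithm has an unknown hash function: %w", lookupErr)
		}
		kind := signatureFromSignatureScheme(candidate)
		switch pubkey.(type) {
		case *rsa.PublicKey:
			if kind == signaturePKCS1v15 || kind == signatureRSAPSS {
				return candidate, kind, hash, nil
			}
		case *ecdsa.PublicKey:
			if kind == signatureECDSA {
				return candidate, kind, hash, nil
			}
		case *sm2.PublicKey:
			// NOTE(review): an SM2 key is matched against signatureECDSA
			// here, while the non-negotiated path above reports
			// signatureSM2. Confirm what signatureFromSignatureScheme
			// returns for SM2WITHSM3 and that callers handle both values.
			if kind == signatureECDSA {
				return candidate, kind, hash, nil
			}
		default:
			return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey)
		}
	}
	return 0, 0, 0, errors.New("tls: peer doesn't support any common signature algorithms")
}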
86
87// verifyHandshakeSignature verifies a signature against pre-hashed handshake
88// contents.

Callers 7

doFullHandshakeMethod · 0.85
doFullHandshakeMethod · 0.85
doFullHandshakeMethod · 0.85
doFullHandshakeMethod · 0.85

Calls 4

lookupTLSHashFunction · 0.85
NewMethod · 0.80

Tested by

no test coverage detected
