crypto/tls: implement (*CertificateRequestInfo).SupportsCertificate

Also, add Version to CertificateRequestInfo, as the semantics of SignatureSchemes change based on version: the ECDSA SignatureSchemes are only constrained to a specific curve in TLS 1.3. Fixes #32426 Change-Id: I7a551bea864799e98118349ac2476162893d1ffd Reviewed-on: https://go-review.googlesource.com/c/go/+/205058 Run-TryBot: Filippo Valsorda <filippo@golang.org> TryBot-Result: Gobot Gobot <gobot@golang.org> Reviewed-by: Adam Langley <agl@golang.org>
2025-04-04 20:47:36 +03:00 · 2019-11-01 19:40:05 -04:00 · 2019-11-01 19:40:05 -04:00 · 87d4ef8a3f
commit 87d4ef8a3f
parent da96d661d8
3 changed files with 47 additions and 42 deletions
--- a/common.go
+++ b/common.go
@ -5,6 +5,7 @@
 package tls

 import (
+	"bytes"
 	"container/list"
 	"crypto"
 	"crypto/ecdsa"
@ -407,6 +408,9 @@ type CertificateRequestInfo struct {
 	// SignatureSchemes lists the signature schemes that the server is
 	// willing to verify.
 	SignatureSchemes []SignatureScheme
+
+	// Version is the TLS version that was negotiated for this connection.
+	Version uint16
 }

 // RenegotiationSupport enumerates the different levels of support for TLS
@ -1070,6 +1074,38 @@ func (chi *ClientHelloInfo) SupportsCertificate(c *Certificate) error {
 	return nil
 }

+// SupportsCertificate returns nil if the provided certificate is supported by
+// the server that sent the CertificateRequest. Otherwise, it returns an error
+// describing the reason for the incompatibility.
+func (cri *CertificateRequestInfo) SupportsCertificate(c *Certificate) error {
+	if _, err := selectSignatureScheme(cri.Version, c, cri.SignatureSchemes); err != nil {
+		return err
+	}
+
+	if len(cri.AcceptableCAs) == 0 {
+		return nil
+	}
+
+	for j, cert := range c.Certificate {
+		x509Cert := c.Leaf
+		// Parse the certificate if this isn't the leaf node, or if
+		// chain.Leaf was nil.
+		if j != 0 || x509Cert == nil {
+			var err error
+			if x509Cert, err = x509.ParseCertificate(cert); err != nil {
+				return fmt.Errorf("failed to parse certificate #%d in the chain: %w", j, err)
+			}
+		}
+
+		for _, ca := range cri.AcceptableCAs {
+			if bytes.Equal(x509Cert.RawIssuer, ca) {
+				return nil
+			}
+		}
+	}
+	return errors.New("chain is not signed by an acceptable CA")
+}
+
 // BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
 // from the CommonName and SubjectAlternateName fields of each of the leaf
 // certificates.