/src/botan/src/lib/tls/tls13/msg_certificate_req_13.cpp
Line | Count | Source (jump to first uncovered line) |
1 | | /* |
2 | | * (C) 2022 Jack Lloyd |
3 | | * (C) 2022 Hannes Rantzsch, René Meusel - neXenio GmbH |
4 | | * |
5 | | * Botan is released under the Simplified BSD License (see license.txt) |
6 | | */ |
7 | | |
8 | | #include <botan/tls_messages.h> |
9 | | #include <botan/internal/tls_reader.h> |
10 | | #include <botan/tls_exceptn.h> |
11 | | |
12 | | namespace Botan::TLS |
13 | | { |
14 | | |
15 | | Handshake_Type Certificate_Request_13::type() const |
16 | 1.59k | { |
17 | 1.59k | return Botan::TLS::Handshake_Type::CERTIFICATE_REQUEST; |
18 | 1.59k | } |
19 | | |
20 | | Certificate_Request_13::Certificate_Request_13(const std::vector<uint8_t>& buf, const Connection_Side side) |
21 | 1.60k | { |
22 | 1.60k | TLS_Data_Reader reader("Certificate_Request_13", buf); |
23 | | |
24 | | // RFC 8446 4.3.2 |
25 | | // A server which is authenticating with a certificate MAY optionally |
26 | | // request a certificate from the client. |
27 | 1.60k | if(side != Connection_Side::SERVER) |
28 | 0 | { |
29 | 0 | throw TLS_Exception(Alert::UNEXPECTED_MESSAGE, "Received a Certificate_Request message from a client"); |
30 | 0 | } |
31 | | |
32 | 1.60k | m_context = reader.get_tls_length_value(1); |
33 | 1.60k | m_extensions.deserialize(reader, side, type()); |
34 | | |
35 | | // RFC 8446 4.3.2 |
36 | | // The "signature_algorithms" extension MUST be specified, and other |
37 | | // extensions may optionally be included if defined for this message. |
38 | | // Clients MUST ignore unrecognized extensions. |
39 | | |
40 | 1.60k | if(!m_extensions.has<Signature_Algorithms>()) |
41 | 80 | { |
42 | 80 | throw TLS_Exception(Alert::MISSING_EXTENSION, "Certificate_Request message did not provide a signature_algorithms extension"); |
43 | 80 | } |
44 | | |
45 | | // RFC 8446 4.2. |
46 | | // The table below indicates the messages where a given extension may |
47 | | // appear [...]. If an implementation receives an extension which it |
48 | | // recognizes and which is not specified for the message in which it |
49 | | // appears, it MUST abort the handshake with an "illegal_parameter" alert. |
50 | | // |
51 | | // For Certificate Request said table states: |
52 | | // "status_request", "signature_algorithms", "signed_certificate_timestamp", |
53 | | // "certificate_authorities", "oid_filters", "signature_algorithms_cert", |
54 | 1.52k | std::set<Handshake_Extension_Type> allowed_extensions = |
55 | 1.52k | { |
56 | 1.52k | TLSEXT_CERT_STATUS_REQUEST, |
57 | 1.52k | TLSEXT_SIGNATURE_ALGORITHMS, |
58 | | // TLSEXT_SIGNED_CERTIFICATE_TIMESTAMP, // NYI |
59 | 1.52k | TLSEXT_CERTIFICATE_AUTHORITIES, |
60 | | // TLSEXT_OID_FILTERS, // NYI |
61 | 1.52k | TLSEXT_SIGNATURE_ALGORITHMS_CERT, |
62 | 1.52k | }; |
63 | | |
64 | 1.52k | if(m_extensions.contains_implemented_extensions_other_than(allowed_extensions)) |
65 | 12 | { |
66 | 12 | throw TLS_Exception(Alert::ILLEGAL_PARAMETER, |
67 | 12 | "Certificate Request contained an extension that is not allowed"); |
68 | 12 | } |
69 | 1.52k | } |
70 | | |
71 | | std::vector<X509_DN> Certificate_Request_13::acceptable_CAs() const |
72 | 0 | { |
73 | 0 | if(m_extensions.has<Certificate_Authorities>()) |
74 | 0 | return m_extensions.get<Certificate_Authorities>()->distinguished_names(); |
75 | 0 | return {}; |
76 | 0 | } |
77 | | |
78 | | const std::vector<Signature_Scheme>& Certificate_Request_13::signature_schemes() const |
79 | 0 | { |
80 | | // RFC 8446 4.3.2 |
81 | | // The "signature_algorithms" extension MUST be specified |
82 | 0 | BOTAN_ASSERT_NOMSG(m_extensions.has<Signature_Algorithms>()); |
83 | |
|
84 | 0 | return m_extensions.get<Signature_Algorithms>()->supported_schemes(); |
85 | 0 | } |
86 | | |
87 | | std::vector<uint8_t> Certificate_Request_13::serialize() const |
88 | 0 | { |
89 | 0 | throw Botan::Not_Implemented("Certificate_Request_13::serialize"); |
90 | 0 | } |
91 | | |
92 | | } // namespace Botan::TLS |