Skip to content

Adapted tls to support custom certificate types. #2165

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

Adapted tls to support custom certificate types. #2165

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 6 additions & 1 deletion tls/src/main/java/org/bouncycastle/tls/Certificate.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -83,7 +83,12 @@ private static CertificateEntry[] convert(TlsCertificate[] certificateList)

public Certificate(TlsCertificate[] certificateList)
{
this(null, convert(certificateList));
this(CertificateType.X509, certificateList);
}

public Certificate(short certificateType, TlsCertificate[] certificateList)
{
this(certificateType, null, convert(certificateList));
}

public Certificate(byte[] certificateRequestContext, CertificateEntry[] certificateEntryList)
Expand Down
5 changes: 3 additions & 2 deletions tls/src/main/java/org/bouncycastle/tls/DTLSClientProtocol.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1060,10 +1060,11 @@ else if (TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions, TlsExte
securityParameters.statusRequestVersion = 1;
}

TlsCrypto crypto = clientContext.getCrypto();
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension(
sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
crypto, sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension(
sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
crypto, sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);

state.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions,
TlsProtocol.EXT_SessionTicket, AlertDescription.illegal_parameter);
Expand Down
5 changes: 3 additions & 2 deletions tls/src/main/java/org/bouncycastle/tls/DTLSServerProtocol.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -690,10 +690,11 @@ else if (TlsUtils.hasExpectedEmptyExtensionData(state.serverExtensions,
securityParameters.statusRequestVersion = 1;
}

TlsCrypto crypto = serverContext.getCrypto();
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension(
clientHelloExtensions, state.serverExtensions, AlertDescription.internal_error);
crypto, clientHelloExtensions, state.serverExtensions, AlertDescription.internal_error);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension(
clientHelloExtensions, state.serverExtensions, AlertDescription.internal_error);
crypto, clientHelloExtensions, state.serverExtensions, AlertDescription.internal_error);

state.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(state.serverExtensions,
TlsProtocol.EXT_SessionTicket, AlertDescription.internal_error);
Expand Down
11 changes: 7 additions & 4 deletions tls/src/main/java/org/bouncycastle/tls/TlsClientProtocol.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@
import java.util.Vector;

import org.bouncycastle.tls.crypto.TlsAgreement;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.TlsSecret;
import org.bouncycastle.tls.crypto.TlsStreamSigner;
import org.bouncycastle.util.Arrays;
Expand Down Expand Up @@ -1441,10 +1442,11 @@ else if (TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions, TlsExte
securityParameters.statusRequestVersion = 1;
}

TlsCrypto crypto = tlsClientContext.getCrypto();
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension(
sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
crypto, sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension(
sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
crypto, sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);

this.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(sessionServerExtensions,
TlsProtocol.EXT_SessionTicket, AlertDescription.illegal_parameter);
Expand Down Expand Up @@ -1561,10 +1563,11 @@ protected void receive13EncryptedExtensions(ByteArrayInputStream buf)
securityParameters.statusRequestVersion = clientExtensions.containsKey(TlsExtensionsUtils.EXT_status_request)
? 1 : 0;

TlsCrypto crypto = tlsClientContext.getCrypto();
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension13(
sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
crypto, sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension13(
sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
crypto, sessionClientExtensions, sessionServerExtensions, AlertDescription.illegal_parameter);
}

this.expectSessionTicket = false;
Expand Down
9 changes: 5 additions & 4 deletions tls/src/main/java/org/bouncycastle/tls/TlsServerProtocol.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -366,9 +366,9 @@ protected ServerHello generate13ServerHello(ClientHello clientHello, HandshakeMe
if (!securityParameters.isResumedSession())
{
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension13(
clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error);
crypto, clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension13(
clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error);
crypto, clientHelloExtensions, serverEncryptedExtensions, AlertDescription.internal_error);
}
}

Expand Down Expand Up @@ -826,10 +826,11 @@ else if (TlsUtils.hasExpectedEmptyExtensionData(serverExtensions, TlsExtensionsU
securityParameters.statusRequestVersion = 1;
}

TlsCrypto crypto = tlsServerContext.getCrypto();
securityParameters.clientCertificateType = TlsUtils.processClientCertificateTypeExtension(
clientExtensions, serverExtensions, AlertDescription.internal_error);
crypto, clientExtensions, serverExtensions, AlertDescription.internal_error);
securityParameters.serverCertificateType = TlsUtils.processServerCertificateTypeExtension(
clientExtensions, serverExtensions, AlertDescription.internal_error);
crypto, clientExtensions, serverExtensions, AlertDescription.internal_error);

this.expectSessionTicket = TlsUtils.hasExpectedEmptyExtensionData(serverExtensions,
TlsProtocol.EXT_SessionTicket, AlertDescription.internal_error);
Expand Down
16 changes: 8 additions & 8 deletions tls/src/main/java/org/bouncycastle/tls/TlsUtils.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -6307,7 +6307,7 @@ static short processMaxFragmentLengthExtension(Hashtable clientExtensions, Hasht
return maxFragmentLength;
}

static short processClientCertificateTypeExtension(Hashtable clientExtensions, Hashtable serverExtensions,
static short processClientCertificateTypeExtension(TlsCrypto tlsCrypto, Hashtable clientExtensions, Hashtable serverExtensions,
short alertDescription)
throws IOException
{
Expand All @@ -6317,7 +6317,7 @@ static short processClientCertificateTypeExtension(Hashtable clientExtensions, H
return CertificateType.X509;
}

if (!CertificateType.isValid(serverValue))
if (!tlsCrypto.isCertificateTypeValid(serverValue))
{
throw new TlsFatalAlert(alertDescription, "Unknown value for client_certificate_type");
}
Expand All @@ -6331,17 +6331,17 @@ static short processClientCertificateTypeExtension(Hashtable clientExtensions, H
return serverValue;
}

static short processClientCertificateTypeExtension13(Hashtable clientExtensions, Hashtable serverExtensions,
static short processClientCertificateTypeExtension13(TlsCrypto tlsCrypto, Hashtable clientExtensions, Hashtable serverExtensions,
short alertDescription)
throws IOException
{
short certificateType = processClientCertificateTypeExtension(clientExtensions, serverExtensions,
short certificateType = processClientCertificateTypeExtension(tlsCrypto, clientExtensions, serverExtensions,
alertDescription);

return validateCertificateType13(certificateType, alertDescription);
}

static short processServerCertificateTypeExtension(Hashtable clientExtensions, Hashtable serverExtensions,
static short processServerCertificateTypeExtension(TlsCrypto tlsCrypto, Hashtable clientExtensions, Hashtable serverExtensions,
short alertDescription)
throws IOException
{
Expand All @@ -6351,7 +6351,7 @@ static short processServerCertificateTypeExtension(Hashtable clientExtensions, H
return CertificateType.X509;
}

if (!CertificateType.isValid(serverValue))
if (!tlsCrypto.isCertificateTypeValid(serverValue))
{
throw new TlsFatalAlert(alertDescription, "Unknown value for server_certificate_type");
}
Expand All @@ -6365,11 +6365,11 @@ static short processServerCertificateTypeExtension(Hashtable clientExtensions, H
return serverValue;
}

static short processServerCertificateTypeExtension13(Hashtable clientExtensions, Hashtable serverExtensions,
static short processServerCertificateTypeExtension13(TlsCrypto tlsCrypto, Hashtable clientExtensions, Hashtable serverExtensions,
short alertDescription)
throws IOException
{
short certificateType = processServerCertificateTypeExtension(clientExtensions, serverExtensions,
short certificateType = processServerCertificateTypeExtension(tlsCrypto, clientExtensions, serverExtensions,
alertDescription);

return validateCertificateType13(certificateType, alertDescription);
Expand Down
9 changes: 9 additions & 0 deletions tls/src/main/java/org/bouncycastle/tls/crypto/TlsCrypto.java
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,15 @@
*/
public interface TlsCrypto
{

/**
* Return true if this TlsCrypto can support the passed in certificate type.
*
* @param certificateType the certificate type of interest.
* @return true if certificateType is supported, false otherwise.
*/
boolean isCertificateTypeValid(short certificateType);

/**
* Return true if this TlsCrypto would use a stream verifier for any of the passed in algorithms. This
* method is only relevant to handshakes negotiating (D)TLS 1.2.
Expand Down
6 changes: 6 additions & 0 deletions tls/src/main/java/org/bouncycastle/tls/crypto/impl/AbstractTlsCrypto.java
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,5 +1,6 @@
package org.bouncycastle.tls.crypto.impl;

import org.bouncycastle.tls.CertificateType;
import org.bouncycastle.tls.crypto.TlsCrypto;
import org.bouncycastle.tls.crypto.TlsSecret;

Expand All @@ -21,4 +22,9 @@ public TlsSecret adoptSecret(TlsSecret secret)

throw new IllegalArgumentException("unrecognized TlsSecret - cannot copy data: " + secret.getClass().getName());
}

public boolean isCertificateTypeValid(short certificateType)
{
return CertificateType.isValid(certificateType);
}
}