#include <tls_messages.h>

Inheritance diagram for Botan::TLS::Certificate_Request_13:

Public Member Functions
std::vector< X509_DN >	acceptable_CAs () const

	Certificate_Request_13 (const std::vector< uint8_t > &buf, Connection_Side side)

const std::vector< Signature_Scheme > &	certificate_signature_schemes () const

const std::vector< uint8_t > &	context () const

const Extensions &	extensions () const

std::vector< uint8_t >	serialize () const override

const std::vector< Signature_Scheme > &	signature_schemes () const

Handshake_Type	type () const override

std::string	type_string () const

virtual Handshake_Type	wire_type () const

Static Public Member Functions
static std::optional< Certificate_Request_13 >	maybe_create (const Client_Hello_13 &sni_hostname, Credentials_Manager &cred_mgr, Callbacks &callbacks, const Policy &policy)

Detailed Description

Definition at line 725 of file tls_messages.h.

Constructor & Destructor Documentation

◆ Certificate_Request_13()

Botan::TLS::Certificate_Request_13::Certificate_Request_13	(	const std::vector< uint8_t > &	buf,
		Connection_Side	side )

Definition at line 21 of file msg_certificate_req_13.cpp.

                                                                                                        {
   TLS_Data_Reader reader("Certificate_Request_13", buf);
 
   // RFC 8446 4.3.2
   //    A server which is authenticating with a certificate MAY optionally
   //    request a certificate from the client.
   if(side != Connection_Side::Server) {
      throw TLS_Exception(Alert::UnexpectedMessage, "Received a Certificate_Request message from a client");
   }
 
   m_context = reader.get_tls_length_value(1);
   m_extensions.deserialize(reader, side, type());
 
   // RFC 8446 4.3.2
   //    The "signature_algorithms" extension MUST be specified, and other
   //    extensions may optionally be included if defined for this message.
   //    Clients MUST ignore unrecognized extensions.
 
   if(!m_extensions.has<Signature_Algorithms>()) {
      throw TLS_Exception(Alert::MissingExtension,
                          "Certificate_Request message did not provide a signature_algorithms extension");
   }
 
   // RFC 8446 4.2.
   //    The table below indicates the messages where a given extension may
   //    appear [...].  If an implementation receives an extension which it
   //    recognizes and which is not specified for the message in which it
   //    appears, it MUST abort the handshake with an "illegal_parameter" alert.
   //
   // For Certificate Request said table states:
   //    "status_request", "signature_algorithms", "signed_certificate_timestamp",
   //     "certificate_authorities", "oid_filters", "signature_algorithms_cert",
   std::set<Extension_Code> allowed_extensions = {
      Extension_Code::CertificateStatusRequest,
      Extension_Code::SignatureAlgorithms,
      // Extension_Code::SignedCertificateTimestamp,  // NYI
      Extension_Code::CertificateAuthorities,
      // Extension_Code::OidFilters,                   // NYI
      Extension_Code::CertSignatureAlgorithms,
   };
 
   if(m_extensions.contains_implemented_extensions_other_than(allowed_extensions)) {
      throw TLS_Exception(Alert::IllegalParameter, "Certificate Request contained an extension that is not allowed");
   }
}

References Botan::TLS::CertificateAuthorities, Botan::TLS::CertificateStatusRequest, Botan::TLS::CertSignatureAlgorithms, Botan::TLS::Extensions::contains_implemented_extensions_other_than(), Botan::TLS::Extensions::deserialize(), Botan::TLS::TLS_Data_Reader::get_tls_length_value(), Botan::TLS::Extensions::has(), Botan::TLS::Server, Botan::TLS::SignatureAlgorithms, and type().

Referenced by maybe_create().

Member Function Documentation

◆ acceptable_CAs()

std::vector< X509_DN > Botan::TLS::Certificate_Request_13::acceptable_CAs ( ) const

Definition at line 123 of file msg_certificate_req_13.cpp.

                                                                {
   if(m_extensions.has<Certificate_Authorities>()) {
      return m_extensions.get<Certificate_Authorities>()->distinguished_names();
   }
   return {};
}

References Botan::TLS::Extensions::get(), and Botan::TLS::Extensions::has().

Referenced by Botan::TLS::Certificate_13::Certificate_13().

◆ certificate_signature_schemes()

const std::vector< Signature_Scheme > & Botan::TLS::Certificate_Request_13::certificate_signature_schemes ( ) const

Definition at line 138 of file msg_certificate_req_13.cpp.

                                                                                               {
   // RFC 8446 4.2.3
   //   If no "signature_algorithms_cert" extension is present, then the
   //   "signature_algorithms" extension also applies to signatures appearing
   //   in certificates.
   if(auto sig_schemes_cert = m_extensions.get<Signature_Algorithms_Cert>()) {
      return sig_schemes_cert->supported_schemes();
   } else {
      return signature_schemes();
   }
}

References Botan::TLS::Extensions::get(), and signature_schemes().

Referenced by Botan::TLS::Certificate_13::Certificate_13().

◆ context()

const std::vector< uint8_t > & Botan::TLS::Certificate_Request_13::context ( ) const

inline

Definition at line 746 of file tls_messages.h.

746{ return m_context; }

◆ extensions()

const Extensions & Botan::TLS::Certificate_Request_13::extensions ( ) const

inline

Definition at line 742 of file tls_messages.h.

742{ return m_extensions; }

Referenced by Botan::TLS::Certificate_13::Certificate_13().

◆ maybe_create()

std::optional< Certificate_Request_13 > Botan::TLS::Certificate_Request_13::maybe_create	(	const Client_Hello_13 &	sni_hostname,
		Credentials_Manager &	cred_mgr,
		Callbacks &	callbacks,
		const Policy &	policy )

static

Creates a Certificate_Request message if it is required by the configuration

Returns: std::nullopt if configuration does not require client authentication

Definition at line 104 of file msg_certificate_req_13.cpp.

                                                                                                 {
   const auto trusted_CAs = cred_mgr.trusted_certificate_authorities("tls-server", client_hello.sni_hostname());
 
   std::vector<X509_DN> client_auth_CAs;
   for(const auto store : trusted_CAs) {
      const auto subjects = store->all_subjects();
      client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
   }
 
   if(client_auth_CAs.empty() && !policy.request_client_certificate_authentication()) {
      return std::nullopt;
   }
 
   return Certificate_Request_13(std::move(client_auth_CAs), policy, callbacks);
}

References Certificate_Request_13(), Botan::TLS::Policy::request_client_certificate_authentication(), Botan::TLS::Client_Hello::sni_hostname(), and Botan::Credentials_Manager::trusted_certificate_authorities().

◆ serialize()

std::vector< uint8_t > Botan::TLS::Certificate_Request_13::serialize ( ) const

overridevirtual

Returns: DER representation of this message

Implements Botan::TLS::Handshake_Message.

Definition at line 150 of file msg_certificate_req_13.cpp.

                                                           {
   std::vector<uint8_t> buf;
   append_tls_length_value(buf, m_context, 1);
   buf += m_extensions.serialize(Connection_Side::Server);
   return buf;
}

References Botan::TLS::append_tls_length_value(), Botan::TLS::Extensions::serialize(), and Botan::TLS::Server.

◆ signature_schemes()

const std::vector< Signature_Scheme > & Botan::TLS::Certificate_Request_13::signature_schemes ( ) const

Definition at line 130 of file msg_certificate_req_13.cpp.

                                                                                   {
   // RFC 8446 4.3.2
   //    The "signature_algorithms" extension MUST be specified
   BOTAN_ASSERT_NOMSG(m_extensions.has<Signature_Algorithms>());
 
   return m_extensions.get<Signature_Algorithms>()->supported_schemes();
}

References BOTAN_ASSERT_NOMSG, Botan::TLS::Extensions::get(), and Botan::TLS::Extensions::has().

Referenced by Botan::TLS::Certificate_13::Certificate_13(), and certificate_signature_schemes().

◆ type()

Handshake_Type Botan::TLS::Certificate_Request_13::type ( ) const

overridevirtual

Returns: the message type

Implements Botan::TLS::Handshake_Message.

Definition at line 17 of file msg_certificate_req_13.cpp.

                                                  {
   return TLS::Handshake_Type::CertificateRequest;
}

References Botan::TLS::CertificateRequest.

Referenced by Certificate_Request_13().

◆ type_string()

std::string Botan::TLS::Handshake_Message::type_string ( ) const

inherited

Returns: string representation of this message type

Definition at line 19 of file tls_handshake_state.cpp.

                                               {
   return handshake_type_to_string(type());
}

References Botan::TLS::handshake_type_to_string(), and Botan::TLS::Handshake_Message::type().

◆ wire_type()

virtual Handshake_Type Botan::TLS::Handshake_Message::wire_type ( ) const

inlinevirtualinherited

Returns: the wire representation of the message's type

Reimplemented in Botan::TLS::Hello_Retry_Request.

Definition at line 39 of file tls_handshake_msg.h.

                                               {
         // Usually equal to the Handshake_Type enum value,
         // with the exception of TLS 1.3 Hello Retry Request.
         return type();
      }

Referenced by Botan::TLS::Stream_Handshake_IO::send().

The documentation for this class was generated from the following files:

src/lib/tls/tls_messages.h
src/lib/tls/tls13/msg_certificate_req_13.cpp

Public Member Functions

Static Public Member Functions

Detailed Description

Constructor & Destructor Documentation

◆ Certificate_Request_13()

Member Function Documentation

◆ acceptable_CAs()

◆ certificate_signature_schemes()

◆ context()

◆ extensions()

◆ maybe_create()

◆ serialize()

◆ signature_schemes()

◆ type()

◆ type_string()

◆ wire_type()