Botan::TLS::Certificate_Request_13 Class Reference

#include <tls_messages_13.h>

Inheritance diagram for Botan::TLS::Certificate_Request_13:

Public Member Functions
std::vector< X509_DN >	acceptable_CAs () const
	Certificate_Request_13 (const std::vector< uint8_t > &buf, Connection_Side side)
const std::vector< Signature_Scheme > &	certificate_signature_schemes () const
const std::vector< uint8_t > &	context () const
const Extensions &	extensions () const
std::vector< uint8_t >	serialize () const override
const std::vector< Signature_Scheme > &	signature_schemes () const
Handshake_Type	type () const override
std::string	type_string () const
virtual Handshake_Type	wire_type () const

Static Public Member Functions
static std::optional< Certificate_Request_13 >	maybe_create (const Client_Hello_13 &sni_hostname, Credentials_Manager &cred_mgr, Callbacks &callbacks, const Policy &policy)

Detailed Description

Definition at line 290 of file tls_messages_13.h.

Constructor & Destructor Documentation

Certificate_Request_13()

Botan::TLS::Certificate_Request_13::Certificate_Request_13	(	const std::vector< uint8_t > &	buf,
		Connection_Side	side )

Definition at line 25 of file msg_certificate_req_13.cpp.

                                                                                                        {
   TLS_Data_Reader reader("Certificate_Request_13", buf);
 
   // RFC 8446 4.3.2
   //    A server which is authenticating with a certificate MAY optionally
   //    request a certificate from the client.
   if(side != Connection_Side::Server) {
      throw TLS_Exception(Alert::UnexpectedMessage, "Received a Certificate_Request message from a client");
   }
 
   m_context = reader.get_tls_length_value(1);
   m_extensions.deserialize(reader, side, type());
 
   // RFC 8446 4.3.2
   //    The "signature_algorithms" extension MUST be specified, and other
   //    extensions may optionally be included if defined for this message.
   //    Clients MUST ignore unrecognized extensions.
 
   if(!m_extensions.has<Signature_Algorithms>()) {
      throw TLS_Exception(Alert::MissingExtension,
                          "Certificate_Request message did not provide a signature_algorithms extension");
   }
 
   // RFC 8446 4.2.
   //    The table below indicates the messages where a given extension may
   //    appear [...].  If an implementation receives an extension which it
   //    recognizes and which is not specified for the message in which it
   //    appears, it MUST abort the handshake with an "illegal_parameter" alert.
   //
   // For Certificate Request said table states:
   //    "status_request", "signature_algorithms", "signed_certificate_timestamp",
   //     "certificate_authorities", "oid_filters", "signature_algorithms_cert",
   const std::set<Extension_Code> allowed_extensions = {
      Extension_Code::CertificateStatusRequest,
      Extension_Code::SignatureAlgorithms,
      // Extension_Code::SignedCertificateTimestamp,  // NYI
      Extension_Code::CertificateAuthorities,
      // Extension_Code::OidFilters,                   // NYI
      Extension_Code::CertSignatureAlgorithms,
   };
 
   if(m_extensions.contains_implemented_extensions_other_than(allowed_extensions)) {
      throw TLS_Exception(Alert::IllegalParameter, "Certificate Request contained an extension that is not allowed");
   }
}

References Botan::TLS::CertificateAuthorities, Botan::TLS::CertificateStatusRequest, Botan::TLS::CertSignatureAlgorithms, Botan::TLS::TLS_Data_Reader::get_tls_length_value(), Botan::TLS::Server, Botan::TLS::SignatureAlgorithms, and type().

Referenced by maybe_create().

Member Function Documentation

acceptable_CAs()

std::vector< X509_DN > Botan::TLS::Certificate_Request_13::acceptable_CAs

(

)

const

Definition at line 127 of file msg_certificate_req_13.cpp.

                                                                {
   if(m_extensions.has<Certificate_Authorities>()) {
      return m_extensions.get<Certificate_Authorities>()->distinguished_names();
   }
   return {};
}

Referenced by Botan::TLS::Certificate_13::Certificate_13().

certificate_signature_schemes()

const std::vector< Signature_Scheme > & Botan::TLS::Certificate_Request_13::certificate_signature_schemes

(

)

const

Definition at line 142 of file msg_certificate_req_13.cpp.

                                                                                               {
   // RFC 8446 4.2.3
   //   If no "signature_algorithms_cert" extension is present, then the
   //   "signature_algorithms" extension also applies to signatures appearing
   //   in certificates.
   if(auto* sig_schemes_cert = m_extensions.get<Signature_Algorithms_Cert>()) {
      return sig_schemes_cert->supported_schemes();
   } else {
      return signature_schemes();
   }
}

References signature_schemes().

Referenced by Botan::TLS::Certificate_13::Certificate_13().

context()

const std::vector< uint8_t > & Botan::TLS::Certificate_Request_13::context ( ) const

inline

Definition at line 311 of file tls_messages_13.h.

{ return m_context; }

extensions()

const Extensions & Botan::TLS::Certificate_Request_13::extensions ( ) const

inline

Definition at line 307 of file tls_messages_13.h.

{ return m_extensions; }

Referenced by Botan::TLS::Certificate_13::Certificate_13().

maybe_create()

std::optional< Certificate_Request_13 > Botan::TLS::Certificate_Request_13::maybe_create ( const Client_Hello_13 & sni_hostname, Credentials_Manager & cred_mgr, Callbacks & callbacks, const Policy & policy )

static

Creates a Certificate_Request message if it is required by the configuration

Returns

std::nullopt if configuration does not require client authentication

Definition at line 108 of file msg_certificate_req_13.cpp.

                                                                                                 {
   const auto trusted_CAs = cred_mgr.trusted_certificate_authorities("tls-server", client_hello.sni_hostname());
 
   std::vector<X509_DN> client_auth_CAs;
   for(auto* const store : trusted_CAs) {
      const auto subjects = store->all_subjects();
      client_auth_CAs.insert(client_auth_CAs.end(), subjects.begin(), subjects.end());
   }
 
   if(client_auth_CAs.empty() && !policy.request_client_certificate_authentication()) {
      return std::nullopt;
   }
 
   return Certificate_Request_13(client_auth_CAs, policy, callbacks);
}

References Certificate_Request_13(), Botan::TLS::Policy::request_client_certificate_authentication(), Botan::TLS::Client_Hello::sni_hostname(), and Botan::Credentials_Manager::trusted_certificate_authorities().

serialize()

std::vector< uint8_t > Botan::TLS::Certificate_Request_13::serialize ( ) const

overridevirtual

Returns

DER representation of this message

Implements Botan::TLS::Handshake_Message.

Definition at line 154 of file msg_certificate_req_13.cpp.

                                                           {
   std::vector<uint8_t> buf;
   append_tls_length_value(buf, m_context, 1);
   buf += m_extensions.serialize(Connection_Side::Server);
   return buf;
}

References Botan::TLS::append_tls_length_value(), and Botan::TLS::Server.

signature_schemes()

const std::vector< Signature_Scheme > & Botan::TLS::Certificate_Request_13::signature_schemes

(

)

const

Definition at line 134 of file msg_certificate_req_13.cpp.

                                                                                   {
   // RFC 8446 4.3.2
   //    The "signature_algorithms" extension MUST be specified
   BOTAN_ASSERT_NOMSG(m_extensions.has<Signature_Algorithms>());
 
   return m_extensions.get<Signature_Algorithms>()->supported_schemes();
}

References BOTAN_ASSERT_NOMSG.

Referenced by Botan::TLS::Certificate_13::Certificate_13(), and certificate_signature_schemes().

type()

Handshake_Type Botan::TLS::Certificate_Request_13::type ( ) const

overridevirtual

Returns

the message type

Implements Botan::TLS::Handshake_Message.

Definition at line 21 of file msg_certificate_req_13.cpp.

                                                  {
   return TLS::Handshake_Type::CertificateRequest;
}

References Botan::TLS::CertificateRequest.

Referenced by Certificate_Request_13().

type_string()

std::string Botan::TLS::Handshake_Message::type_string ( ) const

inherited

Returns

string representation of this message type

Definition at line 21 of file tls_handshake_state.cpp.

                                               {
   return handshake_type_to_string(type());
}

References Botan::TLS::handshake_type_to_string(), and type().

wire_type()

virtual Handshake_Type Botan::TLS::Handshake_Message::wire_type ( ) const

inlinevirtualinherited

Returns

the wire representation of the message's type

Reimplemented in Botan::TLS::Hello_Retry_Request.

Definition at line 39 of file tls_handshake_msg.h.

                                               {
         // Usually equal to the Handshake_Type enum value,
         // with the exception of TLS 1.3 Hello Retry Request.
         return type();
      }

References type().

Referenced by Botan::TLS::Stream_Handshake_IO::send().

---

The documentation for this class was generated from the following files:

• src/lib/tls/tls13/tls_messages_13.h
• src/lib/tls/tls13/msg_certificate_req_13.cpp