#include <tls_extensions.h>

Inheritance diagram for Botan::TLS::Certificate_Type_Base:

Public Member Functions
	Certificate_Type_Base (std::vector< Certificate_Type > supported_cert_types)

	Certificate_Type_Base (TLS_Data_Reader &reader, uint16_t extension_size, Connection_Side from)

bool	empty () const override

virtual bool	is_implemented () const

Certificate_Type	selected_certificate_type () const

std::vector< uint8_t >	serialize (Connection_Side whoami) const override

virtual Extension_Code	type () const =0

void	validate_selection (const Certificate_Type_Base &from_server) const

Protected Member Functions
	Certificate_Type_Base (const Certificate_Type_Base &certificate_type_from_client, const std::vector< Certificate_Type > &server_preference)

Detailed Description

RFC 7250 Base class for 'client_certificate_type' and 'server_certificate_type' extensions.

Definition at line 214 of file tls_extensions.h.

Constructor & Destructor Documentation

◆ Certificate_Type_Base() [1/3]

Botan::TLS::Certificate_Type_Base::Certificate_Type_Base ( std::vector< Certificate_Type > supported_cert_types )

Called by the client to advertise support for a number of cert types.

Definition at line 387 of file tls_extensions.cpp.

                                                                                             :
      m_certificate_types(std::move(supported_cert_types)), m_from(Connection_Side::Client) {
   BOTAN_ARG_CHECK(!m_certificate_types.empty(), "at least one certificate type must be supported");
}

References BOTAN_ARG_CHECK.

◆ Certificate_Type_Base() [2/3]

Botan::TLS::Certificate_Type_Base::Certificate_Type_Base	(	const Certificate_Type_Base &	certificate_type_from_client,
		const std::vector< Certificate_Type > &	server_preference )

protected

Called by the server to select a cert type to be used in the handshake.

Definition at line 398 of file tls_extensions.cpp.

                                                                                                   :
      m_from(Connection_Side::Server) {
   // RFC 7250 4.2
   //    The server_certificate_type extension in the client hello indicates the
   //    types of certificates the client is able to process when provided by
   //    the server in a subsequent certificate payload. [...] With the
   //    server_certificate_type extension in the server hello, the TLS server
   //    indicates the certificate type carried in the Certificate payload.
   for(const auto server_supported_cert_type : server_preference) {
      if(value_exists(certificate_type_from_client.m_certificate_types, server_supported_cert_type)) {
         m_certificate_types.push_back(server_supported_cert_type);
         return;
      }
   }
 
   // RFC 7250 4.2 (2.)
   //    The server supports the extension defined in this document, but
   //    it does not have any certificate type in common with the client.
   //    Then, the server terminates the session with a fatal alert of
   //    type "unsupported_certificate".
   throw TLS_Exception(Alert::UnsupportedCertificate, "Failed to agree on certificate_type");
}

References Botan::value_exists().

◆ Certificate_Type_Base() [3/3]

Botan::TLS::Certificate_Type_Base::Certificate_Type_Base	(	TLS_Data_Reader &	reader,
		uint16_t	extension_size,
		Connection_Side	from )

Definition at line 422 of file tls_extensions.cpp.

                                                                                                                   :
      m_from(from) {
   if(extension_size == 0) {
      throw Decoding_Error("Certificate type extension cannot be empty");
   }
 
   if(from == Connection_Side::Client) {
      const auto type_bytes = reader.get_tls_length_value(1);
      if(static_cast<size_t>(extension_size) != type_bytes.size() + 1) {
         throw Decoding_Error("certificate type extension had inconsistent length");
      }
      std::transform(
         type_bytes.begin(), type_bytes.end(), std::back_inserter(m_certificate_types), [](const auto type_byte) {
            return static_cast<Certificate_Type>(type_byte);
         });
   } else {
      // RFC 7250 4.2
      //    Note that only a single value is permitted in the
      //    server_certificate_type extension when carried in the server hello.
      if(extension_size != 1) {
         throw Decoding_Error("Server's certificate type extension must be of length 1");
      }
      const auto type_byte = reader.get_byte();
      m_certificate_types.push_back(static_cast<Certificate_Type>(type_byte));
   }
}

References Botan::TLS::Client, Botan::TLS::TLS_Data_Reader::get_byte(), and Botan::TLS::TLS_Data_Reader::get_tls_length_value().

Member Function Documentation

◆ empty()

bool Botan::TLS::Certificate_Type_Base::empty ( ) const

inlineoverridevirtual

Returns: if we should encode this extension or not

Implements Botan::TLS::Extension.

Definition at line 236 of file tls_extensions.h.

                                  {
         // RFC 7250 4.1
         //    If the client has no remaining certificate types to send in the
         //    client hello, other than the default X.509 type, it MUST omit the
         //    entire client[/server]_certificate_type extension [...].
         return m_from == Connection_Side::Client && m_certificate_types.size() == 1 &&
                m_certificate_types.front() == Certificate_Type::X509;
      }

◆ is_implemented()

virtual bool Botan::TLS::Extension::is_implemented ( ) const

inlinevirtualinherited

Returns: true if this extension is known and implemented by Botan

Reimplemented in Botan::TLS::Unknown_Extension.

Definition at line 116 of file tls_extensions.h.

116{ return true; }

◆ selected_certificate_type()

Certificate_Type Botan::TLS::Certificate_Type_Base::selected_certificate_type ( ) const

Definition at line 480 of file tls_extensions.cpp.

                                                                        {
   BOTAN_ASSERT_NOMSG(m_from == Connection_Side::Server);
   BOTAN_ASSERT_NOMSG(m_certificate_types.size() == 1);
   return m_certificate_types.front();
}

References BOTAN_ASSERT_NOMSG, and Botan::TLS::Server.

Referenced by validate_selection().

◆ serialize()

std::vector< uint8_t > Botan::TLS::Certificate_Type_Base::serialize ( Connection_Side whoami ) const

overridevirtual

Returns: serialized binary for the extension

Implements Botan::TLS::Extension.

Definition at line 449 of file tls_extensions.cpp.

                                                                                {
   std::vector<uint8_t> result;
   if(whoami == Connection_Side::Client) {
      std::vector<uint8_t> type_bytes;
      std::transform(
         m_certificate_types.begin(), m_certificate_types.end(), std::back_inserter(type_bytes), [](const auto type) {
            return static_cast<uint8_t>(type);
         });
      append_tls_length_value(result, type_bytes, 1);
   } else {
      BOTAN_ASSERT_NOMSG(m_certificate_types.size() == 1);
      result.push_back(static_cast<uint8_t>(m_certificate_types.front()));
   }
   return result;
}

References Botan::TLS::append_tls_length_value(), BOTAN_ASSERT_NOMSG, Botan::TLS::Client, and Botan::TLS::Extension::type().

◆ type()

virtual Extension_Code Botan::TLS::Extension::type ( ) const

pure virtualinherited

Returns: code number of the extension

Implemented in Botan::TLS::Server_Name_Indicator, Botan::TLS::Renegotiation_Extension, Botan::TLS::Application_Layer_Protocol_Notification, Botan::TLS::Client_Certificate_Type, Botan::TLS::Server_Certificate_Type, Botan::TLS::Session_Ticket_Extension, Botan::TLS::Supported_Groups, Botan::TLS::Supported_Point_Formats, Botan::TLS::Signature_Algorithms, Botan::TLS::Signature_Algorithms_Cert, Botan::TLS::SRTP_Protection_Profiles, Botan::TLS::Extended_Master_Secret, Botan::TLS::Encrypt_then_MAC, Botan::TLS::Certificate_Status_Request, Botan::TLS::Supported_Versions, Botan::TLS::Record_Size_Limit, Botan::TLS::Cookie, Botan::TLS::PSK_Key_Exchange_Modes, Botan::TLS::Certificate_Authorities, Botan::TLS::PSK, Botan::TLS::Key_Share, Botan::TLS::EarlyDataIndication, and Botan::TLS::Unknown_Extension.

Referenced by serialize().

◆ validate_selection()

void Botan::TLS::Certificate_Type_Base::validate_selection ( const Certificate_Type_Base & from_server ) const

Definition at line 465 of file tls_extensions.cpp.

                                                                                             {
   BOTAN_ASSERT_NOMSG(m_from == Connection_Side::Client);
   BOTAN_ASSERT_NOMSG(from_server.m_from == Connection_Side::Server);
 
   // RFC 7250 4.2
   //    The value conveyed in the [client_]certificate_type extension MUST be
   //    selected from one of the values provided in the [client_]certificate_type
   //    extension sent in the client hello.
   if(!value_exists(m_certificate_types, from_server.selected_certificate_type())) {
      throw TLS_Exception(Alert::IllegalParameter,
                          Botan::fmt("Selected certificate type was not offered: {}",
                                     certificate_type_to_string(from_server.selected_certificate_type())));
   }
}

References BOTAN_ASSERT_NOMSG, Botan::TLS::certificate_type_to_string(), Botan::TLS::Client, Botan::fmt(), selected_certificate_type(), Botan::TLS::Server, and Botan::value_exists().

The documentation for this class was generated from the following files:

src/lib/tls/tls_extensions.h
src/lib/tls/tls_extensions.cpp

Public Member Functions

Protected Member Functions