Botan 3.11.1
Crypto and TLS for C&
msg_certificate_13.cpp
Go to the documentation of this file.
1/*
2* Certificate Message
3* (C) 2022 Jack Lloyd
4* 2022 Hannes Rantzsch, René Meusel - neXenio GmbH
5* 2023 René Meusel, Fabian Albert - Rohde & Schwarz Cybersecurity
6*
7* Botan is released under the Simplified BSD License (see license.txt)
8*/
9
10#include <botan/tls_messages_13.h>
11
12#include <botan/credentials_manager.h>
13#include <botan/ocsp.h>
14#include <botan/tls_alert.h>
15#include <botan/tls_callbacks.h>
16#include <botan/tls_exceptn.h>
17#include <botan/tls_extensions.h>
18#include <botan/tls_policy.h>
19#include <botan/x509_key.h>
20#include <botan/internal/tls_reader.h>
21#include <algorithm>
22#include <iterator>
23#include <memory>
24
25namespace Botan::TLS {
26
27namespace {
28
29bool certificate_allows_signing(const X509_Certificate& cert) {
30 const auto constraints = cert.constraints();
31 if(constraints.empty()) {
32 return true;
33 }
34
35 return constraints.includes_any(Key_Constraints::DigitalSignature, Key_Constraints::NonRepudiation);
36}
37
38std::vector<std::string> filter_signature_schemes(const std::vector<Signature_Scheme>& peer_scheme_preference) {
39 std::vector<std::string> compatible_schemes;
40 for(const auto& scheme : peer_scheme_preference) {
41 if(scheme.is_available() && scheme.is_compatible_with(Protocol_Version::TLS_V13)) {
42 compatible_schemes.push_back(scheme.algorithm_name());
43 }
44 }
45
46 if(compatible_schemes.empty()) {
47 throw TLS_Exception(Alert::HandshakeFailure, "Failed to agree on any signature algorithm");
48 }
49
50 return compatible_schemes;
51}
52
53} // namespace
54
55bool Certificate_13::has_certificate_chain() const {
56 return !empty() && m_entries.front().has_certificate();
57}
58
59bool Certificate_13::is_raw_public_key() const {
60 return !empty() && !has_certificate_chain();
61}
62
63std::vector<X509_Certificate> Certificate_13::cert_chain() const {
64 BOTAN_STATE_CHECK(has_certificate_chain());
65 std::vector<X509_Certificate> result;
66 std::transform(m_entries.cbegin(), m_entries.cend(), std::back_inserter(result), [](const auto& cert_entry) {
67 return cert_entry.certificate();
68 });
69 return result;
70}
71
72void Certificate_13::validate_extensions(const std::set<Extension_Code>& requested_extensions, Callbacks& cb) const {
73 // RFC 8446 4.4.2
74 // Extensions in the Certificate message from the server MUST
75 // correspond to ones from the ClientHello message. Extensions in
76 // the Certificate message from the client MUST correspond to
77 // extensions in the CertificateRequest message from the server.
78 for(const auto& entry : m_entries) {
79 if(entry.extensions().contains_other_than(requested_extensions)) {
80 throw TLS_Exception(Alert::IllegalParameter, "Certificate Entry contained an extension that was not offered");
81 }
82
83 cb.tls_examine_extensions(entry.extensions(), m_side, type());
84 }
85}
86
87std::shared_ptr<const Public_Key> Certificate_13::public_key() const {
88 BOTAN_STATE_CHECK(!empty());
89 return m_entries.front().public_key();
90}
91
92const X509_Certificate& Certificate_13::leaf() const {
93 BOTAN_STATE_CHECK(!empty());
94 return m_entries.front().certificate();
95}
96
97void Certificate_13::verify(Callbacks& callbacks,
98 const Policy& policy,
99 Credentials_Manager& creds,
100 std::string_view hostname,
101 bool use_ocsp) const {
102 const auto usage = (m_side == Connection_Side::Client) ? Usage_Type::TLS_CLIENT_AUTH : Usage_Type::TLS_SERVER_AUTH;
103
104 if(is_raw_public_key()) {
105 callbacks.tls_verify_raw_public_key(*public_key(), usage, hostname, policy);
106 } else {
107 verify_certificate_chain(callbacks, policy, creds, hostname, use_ocsp, usage);
108 }
109}
110
111void Certificate_13::verify_certificate_chain(Callbacks& callbacks,
112 const Policy& policy,
113 Credentials_Manager& creds,
114 std::string_view hostname,
115 bool use_ocsp,
116 Usage_Type usage_type) const {
117 std::vector<X509_Certificate> certs;
118 std::vector<std::optional<OCSP::Response>> ocsp_responses;
119 for(const auto& entry : m_entries) {
120 certs.push_back(entry.certificate());
121 if(use_ocsp) {
122 if(entry.extensions().has<Certificate_Status_Request>()) {
123 ocsp_responses.push_back(callbacks.tls_parse_ocsp_response(
124 entry.extensions().get<Certificate_Status_Request>()->get_ocsp_response()));
125 } else {
126 ocsp_responses.emplace_back();
127 }
128 }
129 }
130
131 const auto& server_cert = m_entries.front().certificate();
132 if(!certificate_allows_signing(server_cert)) {
133 throw TLS_Exception(Alert::BadCertificate, "Certificate usage constraints do not allow signing");
134 }
135
136 // Note that m_side represents the sender, so the usages here are swapped
137 const auto trusted_CAs = creds.trusted_certificate_authorities(
138 m_side == Connection_Side::Client ? "tls-server" : "tls-client", std::string(hostname));
139
140 callbacks.tls_verify_cert_chain(certs, ocsp_responses, trusted_CAs, usage_type, hostname, policy);
141}
142
143void Certificate_13::setup_entries(std::vector<X509_Certificate> cert_chain,
144 const Certificate_Status_Request* csr,
145 Callbacks& callbacks) {
146 // RFC 8446 4.4.2.1
147 // A server MAY request that a client present an OCSP response with its
148 // certificate by sending an empty "status_request" extension in its
149 // CertificateRequest message.
150 const auto ocsp_responses = (csr != nullptr) ? callbacks.tls_provide_cert_chain_status(cert_chain, *csr)
151 : std::vector<std::vector<uint8_t>>(cert_chain.size());
152
153 if(ocsp_responses.size() != cert_chain.size()) {
154 throw TLS_Exception(Alert::InternalError, "Application didn't provide the correct number of OCSP responses");
155 }
156
157 for(size_t i = 0; i < cert_chain.size(); ++i) {
158 auto& entry = m_entries.emplace_back(cert_chain[i]);
159 if(!ocsp_responses[i].empty()) {
160 entry.extensions().add(new Certificate_Status_Request(ocsp_responses[i])); // NOLINT(*-owning-memory)
161 }
162
163 // This will call the modification callback multiple times. Once for
164 // each certificate in the `cert_chain`. Users that want to add an
165 // extension to a specific Certificate Entry might have a hard time
166 // to distinguish them.
167 //
168 // TODO: Callbacks::tls_modify_extensions() might need even more
169 // context depending on the message whose extensions should be
170 // manipulatable.
171 callbacks.tls_modify_extensions(entry.extensions(), m_side, type());
172 }
173}
174
175void Certificate_13::setup_entry(std::shared_ptr<Public_Key> raw_public_key, Callbacks& callbacks) {
176 BOTAN_ASSERT_NONNULL(raw_public_key);
177 auto& entry = m_entries.emplace_back(std::move(raw_public_key));
178 callbacks.tls_modify_extensions(entry.extensions(), m_side, type());
179}
180
181/**
182 * Create a Client Certificate message
183 */
184Certificate_13::Certificate_13(const Certificate_Request_13& cert_request,
185 std::string_view hostname,
186 Credentials_Manager& credentials_manager,
187 Callbacks& callbacks,
188 Certificate_Type cert_type) :
189 m_request_context(cert_request.context()), m_side(Connection_Side::Client) {
190 const auto key_types = filter_signature_schemes(cert_request.signature_schemes());
191 const std::string op_type = "tls-client";
192
193 if(cert_type == Certificate_Type::X509) {
194 setup_entries(
195 credentials_manager.find_cert_chain(key_types,
196 to_algorithm_identifiers(cert_request.certificate_signature_schemes()),
197 cert_request.acceptable_CAs(),
198 op_type,
199 std::string(hostname)),
200 cert_request.extensions().get<Certificate_Status_Request>(),
201 callbacks);
202 } else if(cert_type == Certificate_Type::RawPublicKey) {
203 auto raw_public_key = credentials_manager.find_raw_public_key(key_types, op_type, std::string(hostname));
204
205 // RFC 8446 4.4.2
206 // If the RawPublicKey certificate type was negotiated, then the
207 // certificate_list MUST contain no more than one CertificateEntry
208 // [...].
209 // A client will send an empty certificate_list if it does not have
210 // an appropriate certificate to send in response to the server's
211 // authentication request.
212 if(raw_public_key) {
213 setup_entry(std::move(raw_public_key), callbacks);
214 }
215 }
216}
217
218/**
219 * Create a Server Certificate message
220 */
221Certificate_13::Certificate_13(const Client_Hello_13& client_hello,
222 Credentials_Manager& credentials_manager,
223 Callbacks& callbacks,
224 Certificate_Type cert_type) :
225 // RFC 8446 4.4.2:
226 // [In the case of server authentication], the request context
227 // SHALL be zero length
228 m_request_context(/* NOLINT(*-redundant-member-init) */), m_side(Connection_Side::Server) {
229 /*
230 RFC 8446 4.2.3:
231 Clients which desire the server to authenticate itself via a
232 certificate MUST send the "signature_algorithms" extension. If a
233 server is authenticating via a certificate and the client has not sent
234 a "signature_algorithms" extension, then the server MUST abort the
235 handshake with a "missing_extension" alert.
236 */
237 if(!client_hello.extensions().has<Signature_Algorithms>()) {
238 throw TLS_Exception(Alert::MissingExtension, "Client Hello is missing required signature_algorithms extension");
239 }
240
241 const auto key_types = filter_signature_schemes(client_hello.signature_schemes());
242 const std::string op_type = "tls-server";
243 const std::string context = client_hello.sni_hostname();
244
245 if(cert_type == Certificate_Type::X509) {
246 auto cert_chain = credentials_manager.find_cert_chain(
247 key_types, to_algorithm_identifiers(client_hello.certificate_signature_schemes()), {}, op_type, context);
248
249 // RFC 8446 4.4.2
250 // The server's certificate_list MUST always be non-empty.
251 if(cert_chain.empty()) {
252 throw TLS_Exception(Alert::HandshakeFailure, "No sufficient server certificate available");
253 }
254
255 setup_entries(std::move(cert_chain), client_hello.extensions().get<Certificate_Status_Request>(), callbacks);
256 } else if(cert_type == Certificate_Type::RawPublicKey) {
257 auto raw_public_key = credentials_manager.find_raw_public_key(key_types, op_type, context);
258
259 // RFC 8446 4.4.2
260 // If the RawPublicKey certificate type was negotiated, then the
261 // certificate_list MUST contain no more than one CertificateEntry
262 // [...].
263 // The server's certificate_list MUST always be non-empty
264 if(!raw_public_key) {
265 throw TLS_Exception(Alert::HandshakeFailure, "No sufficient server raw public key available");
266 }
267
268 setup_entry(std::move(raw_public_key), callbacks);
269 }
270}
271
272Certificate_13::Certificate_Entry::Certificate_Entry(TLS_Data_Reader& reader,
273 Connection_Side side,
274 Certificate_Type cert_type) {
275 switch(cert_type) {
276 case Certificate_Type::X509:
277 // RFC 8446 4.2.2
278 // [...] each CertificateEntry contains a DER-encoded X.509
279 // certificate.
280 m_certificate = std::make_unique<X509_Certificate>(reader.get_tls_length_value(3));
281 m_raw_public_key = m_certificate->subject_public_key();
282 break;
283 case Certificate_Type::RawPublicKey:
284 // RFC 7250 3.
285 // This specification uses raw public keys whereby the already
286 // available encoding used in a PKIX certificate in the form of a
287 // SubjectPublicKeyInfo structure is reused.
288 m_raw_public_key = X509::load_key(reader.get_tls_length_value(3));
289 break;
290 default:
291 throw TLS_Exception(Alert::InternalError, "Unknown certificate type");
292 }
293
294 // Extensions are simply tacked at the end of the certificate entry. This
295 // is a departure from the typical "tag-length-value" in a sense that the
296 // Extensions deserializer needs the length value of the extensions.
297 const auto extensions_length = reader.peek_uint16_t();
298 const auto exts_buf = reader.get_fixed<uint8_t>(extensions_length + 2);
299 TLS_Data_Reader exts_reader("extensions reader", exts_buf);
300 m_extensions.deserialize(exts_reader, side, Handshake_Type::Certificate);
301
302 if(cert_type == Certificate_Type::X509) {
303 // RFC 8446 4.4.2
304 // Valid extensions for server certificates at present include the
305 // OCSP Status extension [RFC6066] and the SignedCertificateTimestamp
306 // extension [RFC6962]; future extensions may be defined for this
307 // message as well.
308 //
309 // RFC 8446 4.4.2.1
310 // A server MAY request that a client present an OCSP response with its
311 // certificate by sending an empty "status_request" extension in its
312 // CertificateRequest message.
313 if(m_extensions.contains_implemented_extensions_other_than({
314 Extension_Code::CertificateStatusRequest,
315 // Extension_Code::SignedCertificateTimestamp
316 })) {
317 throw TLS_Exception(Alert::IllegalParameter, "Certificate Entry contained an extension that is not allowed");
318 }
319 } else if(m_extensions.contains_implemented_extensions_other_than({})) {
320 throw TLS_Exception(
321 Alert::IllegalParameter,
322 "Certificate Entry holding something else than a certificate contained unexpected extensions");
323 }
324}
325
326Certificate_13::Certificate_Entry::~Certificate_Entry() = default;
327
328Certificate_13::Certificate_Entry::Certificate_Entry(Certificate_13::Certificate_Entry&& other) noexcept = default;
329Certificate_13::Certificate_Entry& Certificate_13::Certificate_Entry::operator=(
330 Certificate_13::Certificate_Entry&& other) noexcept = default;
331
332Certificate_13::Certificate_Entry::Certificate_Entry(const X509_Certificate& cert) :
333 m_certificate(std::make_unique<X509_Certificate>(cert)), m_raw_public_key(m_certificate->subject_public_key()) {}
334
335Certificate_13::Certificate_Entry::Certificate_Entry(std::shared_ptr<Public_Key> raw_public_key) :
336 m_raw_public_key(std::move(raw_public_key)) {
337 BOTAN_ASSERT_NONNULL(m_raw_public_key);
338}
339
344
345std::shared_ptr<const Public_Key> Certificate_13::Certificate_Entry::public_key() const {
346 BOTAN_ASSERT_NONNULL(m_raw_public_key);
347 return m_raw_public_key;
348}
349
350std::vector<uint8_t> Certificate_13::Certificate_Entry::serialize() const {
351 return (has_certificate()) ? m_certificate->BER_encode() : X509::BER_encode(*m_raw_public_key);
352}
353
354/**
355* Deserialize a Certificate message
356*/
357Certificate_13::Certificate_13(const std::vector<uint8_t>& buf,
358 const Policy& policy,
359 Connection_Side side,
360 Certificate_Type cert_type) :
361 m_side(side) {
362 TLS_Data_Reader reader("cert message reader", buf);
363
364 m_request_context = reader.get_range<uint8_t>(1, 0, 255);
365
366 // RFC 8446 4.4.2
367 // [...] in the case of server authentication, this field SHALL be zero length.
368 if(m_side == Connection_Side::Server && !m_request_context.empty()) {
369 throw TLS_Exception(Alert::IllegalParameter, "Server Certificate message must not contain a request context");
370 }
371
372 const auto cert_entries_len = reader.get_uint24_t();
373
374 if(reader.remaining_bytes() != cert_entries_len) {
375 throw TLS_Exception(Alert::DecodeError, "Certificate: Message malformed");
376 }
377
378 const size_t max_size = policy.maximum_certificate_chain_size();
379 if(max_size > 0 && cert_entries_len > max_size) {
380 throw Decoding_Error("Certificate chain exceeds policy specified maximum size");
381 }
382
383 while(reader.has_remaining()) {
384 m_entries.emplace_back(reader, side, cert_type);
385 }
386
387 // RFC 8446 4.4.2
388 // The server's certificate_list MUST always be non-empty. A client
389 // will send an empty certificate_list if it does not have an
390 // appropriate certificate to send in response to the server's
391 // authentication request.
392 if(m_entries.empty()) {
393 // RFC 8446 4.4.2.4
394 // If the server supplies an empty Certificate message, the client MUST
395 // abort the handshake with a "decode_error" alert.
396 if(m_side == Connection_Side::Server) {
397 throw TLS_Exception(Alert::DecodeError, "No certificates sent by server");
398 }
399
400 return;
401 }
402
403 BOTAN_ASSERT_NOMSG(!m_entries.empty());
404
405 // RFC 8446 4.4.2.2
406 // The certificate type MUST be X.509v3 [RFC5280], unless explicitly
407 // negotiated otherwise (e.g., [RFC7250]).
408 //
409 // TLS 1.0 through 1.3 all seem to require that the certificate be
410 // precisely a v3 certificate. In fact the strict wording would seem
411 // to require that every certificate in the chain be v3. But often
412 // the intermediates are outside of the control of the server.
413 // But, require that the leaf certificate be v3.
414 if(cert_type == Certificate_Type::X509 && m_entries.front().certificate().x509_version() != 3) {
415 throw TLS_Exception(Alert::BadCertificate, "The leaf certificate must be v3");
416 }
417
418 // RFC 8446 4.4.2
419 // If the RawPublicKey certificate type was negotiated, then the
420 // certificate_list MUST contain no more than one CertificateEntry.
421 if(cert_type == Certificate_Type::RawPublicKey && m_entries.size() != 1) {
422 throw TLS_Exception(Alert::IllegalParameter, "Certificate message contained more than one RawPublicKey");
423 }
424
425 // Validate the provided (certificate) public key against our policy
426 auto pubkey = public_key();
427 policy.check_peer_key_acceptable(*pubkey);
428
429 if(!policy.allowed_signature_method(pubkey->algo_name())) {
430 throw TLS_Exception(Alert::HandshakeFailure, "Rejecting " + pubkey->algo_name() + " signature");
431 }
432}
433
434/**
435* Serialize a Certificate message
436*/
437std::vector<uint8_t> Certificate_13::serialize() const {
438 std::vector<uint8_t> buf;
439
440 append_tls_length_value(buf, m_request_context, 1);
441
442 std::vector<uint8_t> entries;
443 for(const auto& entry : m_entries) {
444 append_tls_length_value(entries, entry.serialize(), 3);
445
446 // Extensions are tacked at the end of certificate entries. Note that
447 // Extensions::serialize() usually emits the required length field,
448 // except when no extensions are added at all, then it returns an
449 // empty buffer.
450 //
451 // TODO: look into this issue more generally when overhauling the
452 // message marshalling.
453 auto extensions = entry.extensions().serialize(m_side);
454 entries += (!extensions.empty()) ? extensions : std::vector<uint8_t>{0, 0};
455 }
456
457 append_tls_length_value(buf, entries, 3);
458
459 return buf;
460}
461
462} // namespace Botan::TLS
BOTAN_ASSERT_NOMSG
#define BOTAN_ASSERT_NOMSG(expr)
Definition assert.h:75
BOTAN_STATE_CHECK
#define BOTAN_STATE_CHECK(expr)
Definition assert.h:49
BOTAN_ASSERT_NONNULL
#define BOTAN_ASSERT_NONNULL(ptr)
Definition assert.h:114
Botan::Credentials_Manager
Definition credentials_manager.h:40
Botan::Credentials_Manager::trusted_certificate_authorities
virtual std::vector< Certificate_Store * > trusted_certificate_authorities(const std::string &type, const std::string &context)
Definition credentials_manager.cpp:133
Botan::Credentials_Manager::find_cert_chain
virtual std::vector< X509_Certificate > find_cert_chain(const std::vector< std::string > &cert_key_types, const std::vector< AlgorithmIdentifier > &cert_signature_schemes, const std::vector< X509_DN > &acceptable_CAs, const std::string &type, const std::string &context)
Definition credentials_manager.cpp:83
Botan::Credentials_Manager::find_raw_public_key
virtual std::shared_ptr< Public_Key > find_raw_public_key(const std::vector< std::string > &key_types, const std::string &type, const std::string &context)
Definition credentials_manager.cpp:92
Botan::Decoding_Error
Definition exceptn.h:192
Botan::Key_Constraints::DigitalSignature
@ DigitalSignature
Definition pkix_enums.h:116
Botan::Key_Constraints::NonRepudiation
@ NonRepudiation
Definition pkix_enums.h:117
Botan::TLS::Callbacks::tls_parse_ocsp_response
virtual std::optional< OCSP::Response > tls_parse_ocsp_response(const std::vector< uint8_t > &raw_response)
Definition tls_callbacks.cpp:125
Botan::TLS::Callbacks::tls_examine_extensions
virtual void tls_examine_extensions(const Extensions &extn, Connection_Side which_side, Handshake_Type which_message)
Definition tls_callbacks.cpp:69
Botan::TLS::Callbacks::tls_verify_raw_public_key
virtual void tls_verify_raw_public_key(const Public_Key &raw_public_key, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
Definition tls_callbacks.cpp:115
Botan::TLS::Callbacks::tls_verify_cert_chain
virtual void tls_verify_cert_chain(const std::vector< X509_Certificate > &cert_chain, const std::vector< std::optional< OCSP::Response > > &ocsp_responses, const std::vector< Certificate_Store * > &trusted_roots, Usage_Type usage, std::string_view hostname, const TLS::Policy &policy)
Definition tls_callbacks.cpp:88
Botan::TLS::Certificate_13::Certificate_Entry
Definition tls_messages_13.h:168
Botan::TLS::Certificate_13::Certificate_Entry::operator=
Certificate_Entry & operator=(const Certificate_Entry &other)=delete
Botan::TLS::Certificate_13::Certificate_Entry::certificate
const X509_Certificate & certificate() const
Definition msg_certificate_13.cpp:340
Botan::TLS::Certificate_13::Certificate_Entry::public_key
std::shared_ptr< const Public_Key > public_key() const
Definition msg_certificate_13.cpp:345
Botan::TLS::Certificate_13::Certificate_Entry::Certificate_Entry
Certificate_Entry(TLS_Data_Reader &reader, Connection_Side side, Certificate_Type cert_type)
Definition msg_certificate_13.cpp:272
Botan::TLS::Certificate_13::Certificate_Entry::~Certificate_Entry
~Certificate_Entry()
Botan::TLS::Certificate_13::Certificate_Entry::has_certificate
bool has_certificate() const
Definition tls_messages_13.h:174
Botan::TLS::Certificate_13::Certificate_Entry::serialize
std::vector< uint8_t > serialize() const
Definition msg_certificate_13.cpp:350
Botan::TLS::Certificate_13::leaf
const X509_Certificate & leaf() const
Definition msg_certificate_13.cpp:92
Botan::TLS::Certificate_13::validate_extensions
void validate_extensions(const std::set< Extension_Code > &requested_extensions, Callbacks &cb) const
Definition msg_certificate_13.cpp:72
Botan::TLS::Certificate_13::public_key
std::shared_ptr< const Public_Key > public_key() const
Definition msg_certificate_13.cpp:87
Botan::TLS::Certificate_13::type
Handshake_Type type() const override
Definition tls_messages_13.h:200
Botan::TLS::Certificate_13::verify
void verify(Callbacks &callbacks, const Policy &policy, Credentials_Manager &creds, std::string_view hostname, bool use_ocsp) const
Definition msg_certificate_13.cpp:97
Botan::TLS::Certificate_13::serialize
std::vector< uint8_t > serialize() const override
Definition msg_certificate_13.cpp:437
Botan::TLS::Certificate_13::is_raw_public_key
bool is_raw_public_key() const
Definition msg_certificate_13.cpp:59
Botan::TLS::Certificate_13::cert_chain
std::vector< X509_Certificate > cert_chain() const
Definition msg_certificate_13.cpp:63
Botan::TLS::Certificate_13::has_certificate_chain
bool has_certificate_chain() const
Definition msg_certificate_13.cpp:55
Botan::TLS::Certificate_13::Certificate_13
Certificate_13(const Certificate_Request_13 &cert_request, std::string_view hostname, Credentials_Manager &credentials_manager, Callbacks &callbacks, Certificate_Type cert_type)
Definition msg_certificate_13.cpp:184
Botan::TLS::Certificate_13::empty
bool empty() const
Definition tls_messages_13.h:209
Botan::TLS::Certificate_Request_13
Definition tls_messages_13.h:290
Botan::TLS::Certificate_Request_13::signature_schemes
const std::vector< Signature_Scheme > & signature_schemes() const
Definition msg_certificate_req_13.cpp:134
Botan::TLS::Certificate_Request_13::extensions
const Extensions & extensions() const
Definition tls_messages_13.h:307
Botan::TLS::Certificate_Request_13::certificate_signature_schemes
const std::vector< Signature_Scheme > & certificate_signature_schemes() const
Definition msg_certificate_req_13.cpp:142
Botan::TLS::Certificate_Request_13::acceptable_CAs
std::vector< X509_DN > acceptable_CAs() const
Definition msg_certificate_req_13.cpp:127
Botan::TLS::Certificate_Status_Request
Definition tls_extensions.h:343
Botan::TLS::Certificate_Status_Request::get_ocsp_response
const std::vector< uint8_t > & get_ocsp_response() const
Definition tls_extensions_cert_status_req.cpp:163
Botan::TLS::Client_Hello_13
Definition tls_messages_13.h:29
Botan::TLS::Client_Hello::sni_hostname
std::string sni_hostname() const
Definition msg_client_hello.cpp:228
Botan::TLS::Client_Hello::signature_schemes
std::vector< Signature_Scheme > signature_schemes() const
Definition msg_client_hello.cpp:195
Botan::TLS::Client_Hello::extensions
const Extensions & extensions() const
Definition msg_client_hello.cpp:146
Botan::TLS::Policy::check_peer_key_acceptable
virtual void check_peer_key_acceptable(const Public_Key &public_key) const
Definition tls_policy.cpp:277
Botan::TLS::Policy::allowed_signature_method
bool allowed_signature_method(std::string_view sig_method) const
Definition tls_policy.cpp:112
Botan::TLS::Policy::maximum_certificate_chain_size
virtual size_t maximum_certificate_chain_size() const
Definition tls_policy.cpp:462
Botan::TLS::Signature_Algorithms
Definition tls_extensions.h:260
Botan::TLS::TLS_Data_Reader
Definition tls_reader.h:24
Botan::TLS::TLS_Data_Reader::has_remaining
bool has_remaining() const
Definition tls_reader.h:39
Botan::TLS::TLS_Data_Reader::get_uint24_t
uint32_t get_uint24_t()
Definition tls_reader.h:64
Botan::TLS::TLS_Data_Reader::get_range
std::vector< T > get_range(size_t len_bytes, size_t min_elems, size_t max_elems)
Definition tls_reader.h:110
Botan::TLS::TLS_Data_Reader::remaining_bytes
size_t remaining_bytes() const
Definition tls_reader.h:37
Botan::TLS::TLS_Data_Reader::get_tls_length_value
std::vector< uint8_t > get_tls_length_value(size_t len_bytes)
Definition tls_reader.h:105
Botan::TLS::TLS_Data_Reader::get_fixed
std::vector< T > get_fixed(size_t size)
Definition tls_reader.h:129
Botan::TLS::TLS_Data_Reader::peek_uint16_t
uint16_t peek_uint16_t() const
Definition tls_reader.h:78
Botan::TLS::TLS_Exception
Definition tls_exceptn.h:19
Botan::X509_Certificate
Definition x509cert.h:27
Botan::TLS::to_algorithm_identifiers
std::vector< AlgorithmIdentifier > to_algorithm_identifiers(const std::vector< Signature_Scheme > &schemes)
Definition tls_signature_scheme.cpp:336
Botan::TLS::append_tls_length_value
void append_tls_length_value(std::vector< uint8_t, Alloc > &buf, const T *vals, size_t vals_size, size_t tag_size)
Definition tls_reader.h:177
Botan::X509::BER_encode
std::vector< uint8_t > BER_encode(const Public_Key &key)
Definition x509_key.h:24
Botan::X509::load_key
std::unique_ptr< Public_Key > load_key(DataSource &source)
Definition x509_key.cpp:28
Generated by doxygen 1.15.0