Make ProofSourceX509::SupportedTlsSignatureAlgorithms() return the actual list of the algorithms we support. PiperOrigin-RevId: 450968190
diff --git a/quiche/quic/core/crypto/certificate_view.cc b/quiche/quic/core/crypto/certificate_view.cc index 1c4d3a2..c3b187c 100644 --- a/quiche/quic/core/crypto/certificate_view.cc +++ b/quiche/quic/core/crypto/certificate_view.cc
@@ -79,8 +79,12 @@ } } +} // namespace + PublicKeyType PublicKeyTypeFromSignatureAlgorithm( uint16_t signature_algorithm) { + // This should be kept in sync with the list in + // SupportedSignatureAlgorithmsForQuic(). switch (signature_algorithm) { case SSL_SIGN_RSA_PSS_RSAE_SHA256: return PublicKeyType::kRsa; @@ -95,6 +99,17 @@ } } +QUIC_EXPORT_PRIVATE QuicSignatureAlgorithmVector +SupportedSignatureAlgorithmsForQuic() { + // This should be kept in sync with the list in + // PublicKeyTypeFromSignatureAlgorithm(). + return QuicSignatureAlgorithmVector{ + SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP256R1_SHA256, + SSL_SIGN_ECDSA_SECP384R1_SHA384, SSL_SIGN_RSA_PSS_RSAE_SHA256}; +} + +namespace { + std::string AttributeNameToString(const CBS& oid_cbs) { absl::string_view oid = CbsToStringPiece(oid_cbs);
diff --git a/quiche/quic/core/crypto/certificate_view.h b/quiche/quic/core/crypto/certificate_view.h index a0ca3c3..5c2aafc 100644 --- a/quiche/quic/core/crypto/certificate_view.h +++ b/quiche/quic/core/crypto/certificate_view.h
@@ -43,6 +43,13 @@ kUnknown, }; QUIC_EXPORT_PRIVATE std::string PublicKeyTypeToString(PublicKeyType type); +QUIC_EXPORT_PRIVATE PublicKeyType +PublicKeyTypeFromSignatureAlgorithm(uint16_t signature_algorithm); + +// Returns the list of the signature algorithms that can be processed by +// CertificateView::VerifySignature() and CertificatePrivateKey::Sign(). +QUIC_EXPORT_PRIVATE QuicSignatureAlgorithmVector +SupportedSignatureAlgorithmsForQuic(); // CertificateView represents a parsed version of a single X.509 certificate. As // the word "view" implies, it does not take ownership of the underlying strings
diff --git a/quiche/quic/core/crypto/certificate_view_test.cc b/quiche/quic/core/crypto/certificate_view_test.cc index b9ca08a..d142ae4 100644 --- a/quiche/quic/core/crypto/certificate_view_test.cc +++ b/quiche/quic/core/crypto/certificate_view_test.cc
@@ -4,9 +4,11 @@ #include "quiche/quic/core/crypto/certificate_view.h" +#include <limits> #include <memory> #include <sstream> +#include "absl/algorithm/container.h" #include "absl/strings/escaping.h" #include "absl/strings/string_view.h" #include "openssl/base.h" @@ -209,6 +211,20 @@ X509NameAttributeToString(StringPieceToCbs(invalid_oid))); } +TEST(CertificateViewTest, SupportedSignatureAlgorithmsForQuicIsUpToDate) { + QuicSignatureAlgorithmVector supported = + SupportedSignatureAlgorithmsForQuic(); + for (int i = 0; i < std::numeric_limits<uint16_t>::max(); i++) { + uint16_t sigalg = static_cast<uint16_t>(i); + PublicKeyType key_type = PublicKeyTypeFromSignatureAlgorithm(sigalg); + if (absl::c_find(supported, sigalg) == supported.end()) { + EXPECT_EQ(key_type, PublicKeyType::kUnknown); + } else { + EXPECT_NE(key_type, PublicKeyType::kUnknown); + } + } +} + } // namespace } // namespace test } // namespace quic
diff --git a/quiche/quic/core/crypto/proof_source.h b/quiche/quic/core/crypto/proof_source.h index f91b572..ab2a487 100644 --- a/quiche/quic/core/crypto/proof_source.h +++ b/quiche/quic/core/crypto/proof_source.h
@@ -173,7 +173,7 @@ // // If returns a non-empty list, ComputeTlsSignature will only be called with a // algorithm in the list. - virtual absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms() + virtual QuicSignatureAlgorithmVector SupportedTlsSignatureAlgorithms() const = 0; class QUIC_EXPORT_PRIVATE DecryptCallback {
diff --git a/quiche/quic/core/crypto/proof_source_x509.cc b/quiche/quic/core/crypto/proof_source_x509.cc index 28f4d6e..a86c78b 100644 --- a/quiche/quic/core/crypto/proof_source_x509.cc +++ b/quiche/quic/core/crypto/proof_source_x509.cc
@@ -103,11 +103,9 @@ callback->Run(/*ok=*/!signature.empty(), signature, nullptr); } -absl::InlinedVector<uint16_t, 8> -ProofSourceX509::SupportedTlsSignatureAlgorithms() const { - // Let ComputeTlsSignature() report an error if a bad signature algorithm is - // requested. - return {}; +QuicSignatureAlgorithmVector ProofSourceX509::SupportedTlsSignatureAlgorithms() + const { + return SupportedSignatureAlgorithmsForQuic(); } ProofSource::TicketCrypter* ProofSourceX509::GetTicketCrypter() {
diff --git a/quiche/quic/core/crypto/proof_source_x509.h b/quiche/quic/core/crypto/proof_source_x509.h index 197b8bb..fa62bbf 100644 --- a/quiche/quic/core/crypto/proof_source_x509.h +++ b/quiche/quic/core/crypto/proof_source_x509.h
@@ -43,8 +43,7 @@ const QuicSocketAddress& client_address, const std::string& hostname, uint16_t signature_algorithm, absl::string_view in, std::unique_ptr<SignatureCallback> callback) override; - absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms() - const override; + QuicSignatureAlgorithmVector SupportedTlsSignatureAlgorithms() const override; TicketCrypter* GetTicketCrypter() override; // Adds a certificate chain to the verifier. Returns false if the chain is
diff --git a/quiche/quic/core/quic_types.h b/quiche/quic/core/quic_types.h index c40eb29..8d5ca28 100644 --- a/quiche/quic/core/quic_types.h +++ b/quiche/quic/core/quic_types.h
@@ -829,6 +829,8 @@ QUIC_EXPORT_PRIVATE std::string KeyUpdateReasonString(KeyUpdateReason reason); +using QuicSignatureAlgorithmVector = absl::InlinedVector<uint16_t, 8>; + // QuicSSLConfig contains configurations to be applied on a SSL object, which // overrides the configurations in SSL_CTX. struct QUIC_NO_EXPORT QuicSSLConfig { @@ -839,7 +841,7 @@ absl::optional<bool> disable_ticket_support; // If set, used to configure the SSL object with // SSL_set_signing_algorithm_prefs. - absl::optional<absl::InlinedVector<uint16_t, 8>> signing_algorithm_prefs; + absl::optional<QuicSignatureAlgorithmVector> signing_algorithm_prefs; // Client certificate mode for mTLS support. Only used at server side. ClientCertMode client_cert_mode = ClientCertMode::kNone; };