Make ProofSourceX509::SupportedTlsSignatureAlgorithms() return the actual list of the algorithms we support.

PiperOrigin-RevId: 450968190
diff --git a/quiche/quic/core/crypto/certificate_view.cc b/quiche/quic/core/crypto/certificate_view.cc
index 1c4d3a2..c3b187c 100644
--- a/quiche/quic/core/crypto/certificate_view.cc
+++ b/quiche/quic/core/crypto/certificate_view.cc
@@ -79,8 +79,12 @@
   }
 }
 
+}  // namespace
+
 PublicKeyType PublicKeyTypeFromSignatureAlgorithm(
     uint16_t signature_algorithm) {
+  // This should be kept in sync with the list in
+  // SupportedSignatureAlgorithmsForQuic().
   switch (signature_algorithm) {
     case SSL_SIGN_RSA_PSS_RSAE_SHA256:
       return PublicKeyType::kRsa;
@@ -95,6 +99,17 @@
   }
 }
 
+QUIC_EXPORT_PRIVATE QuicSignatureAlgorithmVector
+SupportedSignatureAlgorithmsForQuic() {
+  // This should be kept in sync with the list in
+  // PublicKeyTypeFromSignatureAlgorithm().
+  return QuicSignatureAlgorithmVector{
+      SSL_SIGN_ED25519, SSL_SIGN_ECDSA_SECP256R1_SHA256,
+      SSL_SIGN_ECDSA_SECP384R1_SHA384, SSL_SIGN_RSA_PSS_RSAE_SHA256};
+}
+
+namespace {
+
 std::string AttributeNameToString(const CBS& oid_cbs) {
   absl::string_view oid = CbsToStringPiece(oid_cbs);
 
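Review bot: The order of the entries returned by SupportedSignatureAlgorithmsForQuic() is undocumented, and a caller may read it as a preference order. The quic_types.h part of this commit describes a vector of the same type being handed to SSL_set_signing_algorithm_prefs, so the order may end up influencing which algorithm is negotiated. If Ed25519, then ECDSA P-256, ECDSA P-384 and RSA-PSS is deliberate, say so above the return, for example `// Listed in order of preference; callers may pass this list to the TLS stack unchanged.`; if not, say that the order carries no meaning. Separately, the `QUIC_EXPORT_PRIVATE` on this definition repeats the header declaration and could be dropped.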
diff --git a/quiche/quic/core/crypto/certificate_view.h b/quiche/quic/core/crypto/certificate_view.h
index a0ca3c3..5c2aafc 100644
--- a/quiche/quic/core/crypto/certificate_view.h
+++ b/quiche/quic/core/crypto/certificate_view.h
@@ -43,6 +43,13 @@
   kUnknown,
 };
 QUIC_EXPORT_PRIVATE std::string PublicKeyTypeToString(PublicKeyType type);
+QUIC_EXPORT_PRIVATE PublicKeyType
+PublicKeyTypeFromSignatureAlgorithm(uint16_t signature_algorithm);
+
+// Returns the list of the signature algorithms that can be processed by
+// CertificateView::VerifySignature() and CertificatePrivateKey::Sign().
+QUIC_EXPORT_PRIVATE QuicSignatureAlgorithmVector
+SupportedSignatureAlgorithmsForQuic();
 
 // CertificateView represents a parsed version of a single X.509 certificate. As
 // the word "view" implies, it does not take ownership of the underlying strings
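Review bot: PublicKeyTypeFromSignatureAlgorithm() is now part of the exported header but has no comment, unlike SupportedSignatureAlgorithmsForQuic() directly below it. The new test relies on it returning PublicKeyType::kUnknown for every algorithm outside the supported list, so that contract should be stated at the declaration: `// Returns the type of key used by |signature_algorithm|, or PublicKeyType::kUnknown if the algorithm is not supported.` Callers can then see that kUnknown is the rejection signal rather than an error to ignore.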
diff --git a/quiche/quic/core/crypto/certificate_view_test.cc b/quiche/quic/core/crypto/certificate_view_test.cc
index b9ca08a..d142ae4 100644
--- a/quiche/quic/core/crypto/certificate_view_test.cc
+++ b/quiche/quic/core/crypto/certificate_view_test.cc
@@ -4,9 +4,11 @@
 
 #include "quiche/quic/core/crypto/certificate_view.h"
 
+#include <limits>
 #include <memory>
 #include <sstream>
 
+#include "absl/algorithm/container.h"
 #include "absl/strings/escaping.h"
 #include "absl/strings/string_view.h"
 #include "openssl/base.h"
@@ -209,6 +211,20 @@
             X509NameAttributeToString(StringPieceToCbs(invalid_oid)));
 }
 
+TEST(CertificateViewTest, SupportedSignatureAlgorithmsForQuicIsUpToDate) {
+  QuicSignatureAlgorithmVector supported =
+      SupportedSignatureAlgorithmsForQuic();
+  for (int i = 0; i < std::numeric_limits<uint16_t>::max(); i++) {
+    uint16_t sigalg = static_cast<uint16_t>(i);
+    PublicKeyType key_type = PublicKeyTypeFromSignatureAlgorithm(sigalg);
+    if (absl::c_find(supported, sigalg) == supported.end()) {
+      EXPECT_EQ(key_type, PublicKeyType::kUnknown);
+    } else {
+      EXPECT_NE(key_type, PublicKeyType::kUnknown);
+    }
+  }
+}
+
 }  // namespace
 }  // namespace test
 }  // namespace quic
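Review bot: The loop condition `i < std::numeric_limits<uint16_t>::max()` stops at 0xFFFE, so the code point 0xFFFF is never checked. Use `i <= std::numeric_limits<uint16_t>::max()`, which is safe because `i` is an `int`. Also note that the test only proves the two lists in certificate_view.cc agree with each other. It does not show that CertificateView::VerifySignature() or CertificatePrivateKey::Sign() accept each listed algorithm, which is what the header comment promises, so a sign/verify round trip per listed algorithm would cover the stated contract.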
diff --git a/quiche/quic/core/crypto/proof_source.h b/quiche/quic/core/crypto/proof_source.h
index f91b572..ab2a487 100644
--- a/quiche/quic/core/crypto/proof_source.h
+++ b/quiche/quic/core/crypto/proof_source.h
@@ -173,7 +173,7 @@
   //
   // If returns a non-empty list, ComputeTlsSignature will only be called with a
   // algorithm in the list.
-  virtual absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
+  virtual QuicSignatureAlgorithmVector SupportedTlsSignatureAlgorithms()
       const = 0;
 
   class QUIC_EXPORT_PRIVATE DecryptCallback {
diff --git a/quiche/quic/core/crypto/proof_source_x509.cc b/quiche/quic/core/crypto/proof_source_x509.cc
index 28f4d6e..a86c78b 100644
--- a/quiche/quic/core/crypto/proof_source_x509.cc
+++ b/quiche/quic/core/crypto/proof_source_x509.cc
@@ -103,11 +103,9 @@
   callback->Run(/*ok=*/!signature.empty(), signature, nullptr);
 }
 
-absl::InlinedVector<uint16_t, 8>
-ProofSourceX509::SupportedTlsSignatureAlgorithms() const {
-  // Let ComputeTlsSignature() report an error if a bad signature algorithm is
-  // requested.
-  return {};
+QuicSignatureAlgorithmVector ProofSourceX509::SupportedTlsSignatureAlgorithms()
+    const {
+  return SupportedSignatureAlgorithmsForQuic();
 }
 
 ProofSource::TicketCrypter* ProofSourceX509::GetTicketCrypter() {
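Review bot: SupportedTlsSignatureAlgorithms() now returns the same fixed list for every ProofSourceX509, regardless of which certificate chains and keys it holds. The list can therefore name algorithms that the loaded key cannot sign with. The removed comment recorded that ComputeTlsSignature() reports the error for a bad algorithm, and that fallback still matters for this case, so keep a note here: `// Not filtered by the key type of the loaded chains; ComputeTlsSignature() must still fail for an algorithm the key cannot use.` Whether it does fail cleanly cannot be confirmed from this hunk, since only its final `callback->Run(/*ok=*/!signature.empty(), ...)` line is visible.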
diff --git a/quiche/quic/core/crypto/proof_source_x509.h b/quiche/quic/core/crypto/proof_source_x509.h
index 197b8bb..fa62bbf 100644
--- a/quiche/quic/core/crypto/proof_source_x509.h
+++ b/quiche/quic/core/crypto/proof_source_x509.h
@@ -43,8 +43,7 @@
       const QuicSocketAddress& client_address, const std::string& hostname,
       uint16_t signature_algorithm, absl::string_view in,
       std::unique_ptr<SignatureCallback> callback) override;
-  absl::InlinedVector<uint16_t, 8> SupportedTlsSignatureAlgorithms()
-      const override;
+  QuicSignatureAlgorithmVector SupportedTlsSignatureAlgorithms() const override;
   TicketCrypter* GetTicketCrypter() override;
 
   // Adds a certificate chain to the verifier.  Returns false if the chain is
diff --git a/quiche/quic/core/quic_types.h b/quiche/quic/core/quic_types.h
index c40eb29..8d5ca28 100644
--- a/quiche/quic/core/quic_types.h
+++ b/quiche/quic/core/quic_types.h
@@ -829,6 +829,8 @@
 
 QUIC_EXPORT_PRIVATE std::string KeyUpdateReasonString(KeyUpdateReason reason);
 
+using QuicSignatureAlgorithmVector = absl::InlinedVector<uint16_t, 8>;
+
 // QuicSSLConfig contains configurations to be applied on a SSL object, which
 // overrides the configurations in SSL_CTX.
 struct QUIC_NO_EXPORT QuicSSLConfig {
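Review bot: The new alias `QuicSignatureAlgorithmVector` is introduced without a comment, and the element type `uint16_t` does not say what the values are. From the rest of the commit they are the SSL_SIGN_* identifiers, so a one-line comment would help: `// A list of TLS signature algorithm identifiers (SSL_SIGN_* values).` If the order of elements is meant to express preference when used for `signing_algorithm_prefs`, state that here too. The QuicSSLConfig struct that follows continues outside this hunk.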
@@ -839,7 +841,7 @@
   absl::optional<bool> disable_ticket_support;
   // If set, used to configure the SSL object with
   // SSL_set_signing_algorithm_prefs.
-  absl::optional<absl::InlinedVector<uint16_t, 8>> signing_algorithm_prefs;
+  absl::optional<QuicSignatureAlgorithmVector> signing_algorithm_prefs;
   // Client certificate mode for mTLS support. Only used at server side.
   ClientCertMode client_cert_mode = ClientCertMode::kNone;
 };