Add cert key type checking to chooseClientAlias #2417
Merged
Commits on Jan 24, 2022
-
Add cert key type checking to chooseClientAlias
Previously, these functions ignored the keyType (or 'strings') argument to the chooseClientAlias function. Some libraries (e.g. Bouncy Castle) expect that when chooseClientAlias is called and key types are passed in, that it will return null if the cert doesn't use one of the given key types. For example, if ['EC'] was passed in for keyType and the cert contained an RSA key, since this would return 'user' rather than null in that case, it would cause Bouncy Castle to assume using an ECDSA signing algorithm was okay, and cause problems during the Certificate Verify part of the handshake. This modifies these functions to only return 'user' if keyType is passed in and the cert contains a key of that type. If keyType is empty or null, it will ignore this and continue to check only the issuer.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.