From 031b1ba8a5935e427d58cbc061c5eedc3e184c53 Mon Sep 17 00:00:00 2001 From: Peter Dettman Date: Mon, 20 May 2013 18:02:10 +0700 Subject: Cleanup TODOs --- .../org/bouncycastle/crypto/tls/DTLSServerProtocol.java | 16 ++-------------- .../org/bouncycastle/crypto/tls/TlsServerProtocol.java | 16 ++-------------- src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java | 8 +++++++- 3 files changed, 11 insertions(+), 29 deletions(-) diff --git a/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java b/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java index 79a182e1..7ecabba3 100644 --- a/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java +++ b/src/main/java/org/bouncycastle/crypto/tls/DTLSServerProtocol.java @@ -332,26 +332,14 @@ public class DTLSServerProtocol extends DTLSProtocol { state.keyExchange.skipClientCredentials(); } else { - state.clientCertificateType = TlsUtils.getClientCertificateType(clientCertificate, - state.serverCredentials.getCertificate()); - - /* - * TODO RFC 5246 7.4.6. The end-entity certificate's public key (and associated - * restrictions) has to be compatible with the certificate types listed in - * CertificateRequest. - */ - /* * TODO RFC 5246 7.4.6. If the certificate_authorities list in the certificate request * message was non-empty, one of the certificates in the certificate chain SHOULD be * issued by one of the listed CAs. */ - /* - * TODO RFC 5246 7.4.6. The certificates MUST be signed using an acceptable hash/ - * signature algorithm pair, as described in Section 7.4.4. Note that this relaxes the - * constraints on certificate-signing algorithms found in prior versions of TLS. - */ + state.clientCertificateType = TlsUtils.getClientCertificateType(clientCertificate, + state.serverCredentials.getCertificate()); state.keyExchange.processClientCertificate(clientCertificate); } 
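Review bot: The moved line `state.clientCertificateType = TlsUtils.getClientCertificateType(clientCertificate, state.serverCredentials.getCertificate());` takes the place of the deleted TODO about RFC 5246 7.4.6 certificate-type compatibility, but nothing in this hunk compares the derived type with the certificate_types the server sent in its CertificateRequest, so that requirement appears to remain unverified unless getClientCertificateType does it internally (its body is not shown). A client presenting a certificate of a type the server never requested would, as far as this hunk shows, still reach `state.keyExchange.processClientCertificate(clientCertificate)`. If the check is performed elsewhere, a one-line comment above the assignment such as `// certificate_types compatibility with the CertificateRequest is enforced in getClientCertificateType` would keep the next reader from treating the removed TODO as resolved by accident; otherwise the TODO should be reinstated next to this assignment rather than dropped. The enclosing method starts and ends outside the hunk.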
diff --git a/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java b/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java index 15e7632e..874eecd0 100644 --- a/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java +++ b/src/main/java/org/bouncycastle/crypto/tls/TlsServerProtocol.java @@ -338,26 +338,14 @@ public class TlsServerProtocol extends TlsProtocol { this.keyExchange.skipClientCredentials(); } else { - this.clientCertificateType = TlsUtils.getClientCertificateType(clientCertificate, - this.serverCredentials.getCertificate()); - - /* - * TODO RFC 5246 7.4.6. The end-entity certificate's public key (and associated - * restrictions) has to be compatible with the certificate types listed in - * CertificateRequest. - */ - /* * TODO RFC 5246 7.4.6. If the certificate_authorities list in the certificate request * message was non-empty, one of the certificates in the certificate chain SHOULD be * issued by one of the listed CAs. */ - /* - * TODO RFC 5246 7.4.6. The certificates MUST be signed using an acceptable hash/ - * signature algorithm pair, as described in Section 7.4.4. Note that this relaxes the - * constraints on certificate-signing algorithms found in prior versions of TLS. - */ + this.clientCertificateType = TlsUtils.getClientCertificateType(clientCertificate, + this.serverCredentials.getCertificate()); this.keyExchange.processClientCertificate(clientCertificate); } diff --git a/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java b/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java index 8f428240..e5219768 100644 --- a/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java +++ b/src/main/java/org/bouncycastle/crypto/tls/TlsUtils.java 
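Review bot: This else-branch is now a line-for-line copy of the one in DTLSServerProtocol, including the surviving certificate_authorities TODO, so any future fix to the client-certificate checks has to be made twice and the two paths are likely to drift. The shared part — deriving `clientCertificateType` from the client and server certificates together with the still-missing CertificateRequest checks — could live in one TlsUtils helper that both protocols call, with the TODO kept in that single place. Until then, the surviving comment should say plainly that the check is absent, e.g. `* NOT IMPLEMENTED: certificate_authorities (RFC 5246 7.4.6) is not enforced here`, so a reader does not mistake it for a note about something already done. The enclosing method starts and ends outside the hunk.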
@@ -815,7 +815,13 @@ public class TlsUtils } /* - * RFC 7.4.6. Client Certificate + * TODO RFC 5246 7.4.6. The certificates MUST be signed using an acceptable hash/ + * signature algorithm pair, as described in Section 7.4.4. Note that this relaxes the + * constraints on certificate-signing algorithms found in prior versions of TLS. + */ + + /* + * RFC 5246 7.4.6. Client Certificate */ /* -- cgit v1.2.3
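Review bot: The relocated TODO beginning `* TODO RFC 5246 7.4.6. The certificates MUST be signed using an acceptable hash/` now sits at class scope in TlsUtils, between a closing brace and the "RFC 5246 7.4.6. Client Certificate" heading, attached to no method, so it is no longer beside any code path that could enforce it and is easy to lose. Its last sentence, "Note that this relaxes the constraints ... found in prior versions of TLS", is quoted from the RFC and reads here as if it described this implementation. Suggest reducing it to a statement of what is missing and where it belongs: `* TODO RFC 5246 7.4.4/7.4.6: every certificate in the client chain must be signed with a hash/signature pair from the supported_signature_algorithms sent in CertificateRequest; not enforced yet — belongs with client certificate processing in the server protocols.` The surrounding declarations start and end outside the hunk.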