290 lines
9.8 KiB
Go
290 lines
9.8 KiB
Go
|
// Copyright 2017 The Go Authors. All rights reserved.
|
||
|
// Use of this source code is governed by a BSD-style
|
||
|
// license that can be found in the LICENSE file.
|
||
|
|
||
|
package qtls
|
||
|
|
||
|
import (
|
||
|
"bytes"
|
||
|
"crypto"
|
||
|
"crypto/ecdsa"
|
||
|
"crypto/ed25519"
|
||
|
"crypto/elliptic"
|
||
|
"crypto/rsa"
|
||
|
"errors"
|
||
|
"fmt"
|
||
|
"hash"
|
||
|
"io"
|
||
|
)
|
||
|
|
||
|
// verifyHandshakeSignature verifies a signature against pre-hashed
|
||
|
// (if required) handshake contents.
|
||
|
func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error {
|
||
|
switch sigType {
|
||
|
case signatureECDSA:
|
||
|
pubKey, ok := pubkey.(*ecdsa.PublicKey)
|
||
|
if !ok {
|
||
|
return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
|
||
|
}
|
||
|
if !ecdsa.VerifyASN1(pubKey, signed, sig) {
|
||
|
return errors.New("ECDSA verification failure")
|
||
|
}
|
||
|
case signatureEd25519:
|
||
|
pubKey, ok := pubkey.(ed25519.PublicKey)
|
||
|
if !ok {
|
||
|
return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey)
|
||
|
}
|
||
|
if !ed25519.Verify(pubKey, signed, sig) {
|
||
|
return errors.New("Ed25519 verification failure")
|
||
|
}
|
||
|
case signaturePKCS1v15:
|
||
|
pubKey, ok := pubkey.(*rsa.PublicKey)
|
||
|
if !ok {
|
||
|
return fmt.Errorf("expected an RSA public key, got %T", pubkey)
|
||
|
}
|
||
|
if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil {
|
||
|
return err
|
||
|
}
|
||
|
case signatureRSAPSS:
|
||
|
pubKey, ok := pubkey.(*rsa.PublicKey)
|
||
|
if !ok {
|
||
|
return fmt.Errorf("expected an RSA public key, got %T", pubkey)
|
||
|
}
|
||
|
signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
|
||
|
if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil {
|
||
|
return err
|
||
|
}
|
||
|
default:
|
||
|
return errors.New("internal error: unknown signature type")
|
||
|
}
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
const (
|
||
|
serverSignatureContext = "TLS 1.3, server CertificateVerify\x00"
|
||
|
clientSignatureContext = "TLS 1.3, client CertificateVerify\x00"
|
||
|
)
|
||
|
|
||
|
var signaturePadding = []byte{
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
|
||
|
}
|
||
|
|
||
|
// signedMessage returns the pre-hashed (if necessary) message to be signed by
|
||
|
// certificate keys in TLS 1.3. See RFC 8446, Section 4.4.3.
|
||
|
func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []byte {
|
||
|
if sigHash == directSigning {
|
||
|
b := &bytes.Buffer{}
|
||
|
b.Write(signaturePadding)
|
||
|
io.WriteString(b, context)
|
||
|
b.Write(transcript.Sum(nil))
|
||
|
return b.Bytes()
|
||
|
}
|
||
|
h := sigHash.New()
|
||
|
h.Write(signaturePadding)
|
||
|
io.WriteString(h, context)
|
||
|
h.Write(transcript.Sum(nil))
|
||
|
return h.Sum(nil)
|
||
|
}
|
||
|
|
||
|
// typeAndHashFromSignatureScheme returns the corresponding signature type and
|
||
|
// crypto.Hash for a given TLS SignatureScheme.
|
||
|
func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) {
|
||
|
switch signatureAlgorithm {
|
||
|
case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
|
||
|
sigType = signaturePKCS1v15
|
||
|
case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
|
||
|
sigType = signatureRSAPSS
|
||
|
case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
|
||
|
sigType = signatureECDSA
|
||
|
case Ed25519:
|
||
|
sigType = signatureEd25519
|
||
|
default:
|
||
|
return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
|
||
|
}
|
||
|
switch signatureAlgorithm {
|
||
|
case PKCS1WithSHA1, ECDSAWithSHA1:
|
||
|
hash = crypto.SHA1
|
||
|
case PKCS1WithSHA256, PSSWithSHA256, ECDSAWithP256AndSHA256:
|
||
|
hash = crypto.SHA256
|
||
|
case PKCS1WithSHA384, PSSWithSHA384, ECDSAWithP384AndSHA384:
|
||
|
hash = crypto.SHA384
|
||
|
case PKCS1WithSHA512, PSSWithSHA512, ECDSAWithP521AndSHA512:
|
||
|
hash = crypto.SHA512
|
||
|
case Ed25519:
|
||
|
hash = directSigning
|
||
|
default:
|
||
|
return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
|
||
|
}
|
||
|
return sigType, hash, nil
|
||
|
}
|
||
|
|
||
|
// legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for
|
||
|
// a given public key used with TLS 1.0 and 1.1, before the introduction of
|
||
|
// signature algorithm negotiation.
|
||
|
func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error) {
|
||
|
switch pub.(type) {
|
||
|
case *rsa.PublicKey:
|
||
|
return signaturePKCS1v15, crypto.MD5SHA1, nil
|
||
|
case *ecdsa.PublicKey:
|
||
|
return signatureECDSA, crypto.SHA1, nil
|
||
|
case ed25519.PublicKey:
|
||
|
// RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1,
|
||
|
// but it requires holding on to a handshake transcript to do a
|
||
|
// full signature, and not even OpenSSL bothers with the
|
||
|
// complexity, so we can't even test it properly.
|
||
|
return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2")
|
||
|
default:
|
||
|
return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
var rsaSignatureSchemes = []struct {
|
||
|
scheme SignatureScheme
|
||
|
minModulusBytes int
|
||
|
maxVersion uint16
|
||
|
}{
|
||
|
// RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
|
||
|
// emLen >= hLen + sLen + 2
|
||
|
{PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13},
|
||
|
{PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13},
|
||
|
{PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13},
|
||
|
// PKCS #1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
|
||
|
// emLen >= len(prefix) + hLen + 11
|
||
|
// TLS 1.3 dropped support for PKCS #1 v1.5 in favor of RSA-PSS.
|
||
|
{PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12},
|
||
|
{PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12},
|
||
|
{PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12},
|
||
|
{PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12},
|
||
|
}
|
||
|
|
||
|
// signatureSchemesForCertificate returns the list of supported SignatureSchemes
|
||
|
// for a given certificate, based on the public key and the protocol version,
|
||
|
// and optionally filtered by its explicit SupportedSignatureAlgorithms.
|
||
|
//
|
||
|
// This function must be kept in sync with supportedSignatureAlgorithms.
|
||
|
func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme {
|
||
|
priv, ok := cert.PrivateKey.(crypto.Signer)
|
||
|
if !ok {
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
var sigAlgs []SignatureScheme
|
||
|
switch pub := priv.Public().(type) {
|
||
|
case *ecdsa.PublicKey:
|
||
|
if version != VersionTLS13 {
|
||
|
// In TLS 1.2 and earlier, ECDSA algorithms are not
|
||
|
// constrained to a single curve.
|
||
|
sigAlgs = []SignatureScheme{
|
||
|
ECDSAWithP256AndSHA256,
|
||
|
ECDSAWithP384AndSHA384,
|
||
|
ECDSAWithP521AndSHA512,
|
||
|
ECDSAWithSHA1,
|
||
|
}
|
||
|
break
|
||
|
}
|
||
|
switch pub.Curve {
|
||
|
case elliptic.P256():
|
||
|
sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256}
|
||
|
case elliptic.P384():
|
||
|
sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384}
|
||
|
case elliptic.P521():
|
||
|
sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512}
|
||
|
default:
|
||
|
return nil
|
||
|
}
|
||
|
case *rsa.PublicKey:
|
||
|
size := pub.Size()
|
||
|
sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes))
|
||
|
for _, candidate := range rsaSignatureSchemes {
|
||
|
if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
|
||
|
sigAlgs = append(sigAlgs, candidate.scheme)
|
||
|
}
|
||
|
}
|
||
|
case ed25519.PublicKey:
|
||
|
sigAlgs = []SignatureScheme{Ed25519}
|
||
|
default:
|
||
|
return nil
|
||
|
}
|
||
|
|
||
|
if cert.SupportedSignatureAlgorithms != nil {
|
||
|
var filteredSigAlgs []SignatureScheme
|
||
|
for _, sigAlg := range sigAlgs {
|
||
|
if isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) {
|
||
|
filteredSigAlgs = append(filteredSigAlgs, sigAlg)
|
||
|
}
|
||
|
}
|
||
|
return filteredSigAlgs
|
||
|
}
|
||
|
return sigAlgs
|
||
|
}
|
||
|
|
||
|
// selectSignatureScheme picks a SignatureScheme from the peer's preference list
|
||
|
// that works with the selected certificate. It's only called for protocol
|
||
|
// versions that support signature algorithms, so TLS 1.2 and 1.3.
|
||
|
func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) {
|
||
|
supportedAlgs := signatureSchemesForCertificate(vers, c)
|
||
|
if len(supportedAlgs) == 0 {
|
||
|
return 0, unsupportedCertificateError(c)
|
||
|
}
|
||
|
if len(peerAlgs) == 0 && vers == VersionTLS12 {
|
||
|
// For TLS 1.2, if the client didn't send signature_algorithms then we
|
||
|
// can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
|
||
|
peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
|
||
|
}
|
||
|
// Pick signature scheme in the peer's preference order, as our
|
||
|
// preference order is not configurable.
|
||
|
for _, preferredAlg := range peerAlgs {
|
||
|
if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
|
||
|
return preferredAlg, nil
|
||
|
}
|
||
|
}
|
||
|
return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms")
|
||
|
}
|
||
|
|
||
|
// unsupportedCertificateError returns a helpful error for certificates with
|
||
|
// an unsupported private key.
|
||
|
func unsupportedCertificateError(cert *Certificate) error {
|
||
|
switch cert.PrivateKey.(type) {
|
||
|
case rsa.PrivateKey, ecdsa.PrivateKey:
|
||
|
return fmt.Errorf("tls: unsupported certificate: private key is %T, expected *%T",
|
||
|
cert.PrivateKey, cert.PrivateKey)
|
||
|
case *ed25519.PrivateKey:
|
||
|
return fmt.Errorf("tls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey")
|
||
|
}
|
||
|
|
||
|
signer, ok := cert.PrivateKey.(crypto.Signer)
|
||
|
if !ok {
|
||
|
return fmt.Errorf("tls: certificate private key (%T) does not implement crypto.Signer",
|
||
|
cert.PrivateKey)
|
||
|
}
|
||
|
|
||
|
switch pub := signer.Public().(type) {
|
||
|
case *ecdsa.PublicKey:
|
||
|
switch pub.Curve {
|
||
|
case elliptic.P256():
|
||
|
case elliptic.P384():
|
||
|
case elliptic.P521():
|
||
|
default:
|
||
|
return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name)
|
||
|
}
|
||
|
case *rsa.PublicKey:
|
||
|
return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms")
|
||
|
case ed25519.PublicKey:
|
||
|
default:
|
||
|
return fmt.Errorf("tls: unsupported certificate key (%T)", pub)
|
||
|
}
|
||
|
|
||
|
if cert.SupportedSignatureAlgorithms != nil {
|
||
|
return fmt.Errorf("tls: peer doesn't support the certificate custom signature algorithms")
|
||
|
}
|
||
|
|
||
|
return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey)
|
||
|
}
|