Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

crypto/tls: TLS 1.2 SupportedSignatureAlgorithms not honored in Server Hello Certificate Request #40344

Closed
ryarnyah opened this issue Jul 22, 2020 · 5 comments
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.

Comments

@ryarnyah
Copy link

What version of Go are you using (go version)?

$ go version
go version go1.14.5 windows/amd64
...

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Windows 10 & GNU/Linux x64 & OSX

go env Output
$ go env

What did you do?

Limit SupportedSignatureAlgorithms on Certificate.

Snippet:

package main

import (
	"log"
	"crypto/tls"
	"crypto/x509"
	"net"
	"bufio"
	"io/ioutil"
)

func main() {
	log.SetFlags(log.Lshortfile)

	cer, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Println(err)
		return
	}
	cer.SupportedSignatureAlgorithms = []tls.SignatureScheme{
		tls.PKCS1WithSHA256,
		tls.PKCS1WithSHA384,
		tls.PKCS1WithSHA512,
		tls.PKCS1WithSHA1,
		tls.ECDSAWithSHA1,
	}

	ca, _ := ioutil.ReadFile("ca.crt")
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(ca)
	config := &tls.Config{
		Certificates: []tls.Certificate{cer},
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs: pool,
		RootCAs: pool,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
		},
		PreferServerCipherSuites: true,
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", ":6443", config)
	if err != nil {
		log.Println(err)
		return
	}
	defer ln.Close()

	for {
		conn, err := ln.Accept()
		if err != nil {
			log.Println(err)
			continue
		}
		go handleConnection(conn)
	}
}

func handleConnection(conn net.Conn) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	for {
		msg, err := r.ReadString('\n')
		if err != nil {
			log.Println(err)
			return
		}

		println(msg)

		n, err := conn.Write([]byte("world\n"))
		if err != nil {
			log.Println(n, err)
			return
		}
	}
}

What did you expect to see?

Only SupportedSignatureAlgorithms values in Server Hello Certificate Request.

What did you see instead?

All common.go/supportedSignatureAlgorithms values.

common.go:

var supportedSignatureAlgorithms = []SignatureScheme{
	PSSWithSHA256,
	ECDSAWithP256AndSHA256,
	Ed25519,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	PKCS1WithSHA384,
	PKCS1WithSHA512,
	ECDSAWithP384AndSHA384,
	ECDSAWithP521AndSHA512,
	PKCS1WithSHA1,
	ECDSAWithSHA1,
}

handshake_server.go/doFullHandshake:

        var certReq *certificateRequestMsg
	if c.config.ClientAuth >= RequestClientCert {
		// Request a client certificate
		certReq = new(certificateRequestMsg)
		certReq.certificateTypes = []byte{
			byte(certTypeRSASign),
			byte(certTypeECDSASign),
		}
		if c.vers >= VersionTLS12 {
			certReq.hasSignatureAlgorithm = true
			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
		}

		// An empty list of certificateAuthorities signals to
		// the client that it may send any certificate in response
		// to our request. When we know the CAs we trust, then
		// we can send them down, so that the client can choose
		// an appropriate certificate to give to us.
		if c.config.ClientCAs != nil {
			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
		}
		hs.finishedHash.Write(certReq.marshal())
		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
			return err
		}
	}
@ALTree ALTree changed the title [TLS 1.2] SupportedSignatureAlgorithms not honored in Server Hello Certificate Request crypto/tls: TLS 1.2 SupportedSignatureAlgorithms not honored in Server Hello Certificate Request Jul 22, 2020
@ALTree ALTree added the NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one. label Jul 22, 2020
@ALTree
Copy link
Member

ALTree commented Jul 22, 2020

cc @FiloSottile

@ryarnyah
Copy link
Author

ryarnyah commented Jul 22, 2020

Maybe change

                if c.vers >= VersionTLS12 {
			certReq.hasSignatureAlgorithm = true
			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
		}

With

		if c.vers >= VersionTLS12 {
			certReq.hasSignatureAlgorithm = true
			certReq.supportedSignatureAlgorithms = hs.cert.SupportedSignatureAlgorithms
		}

Can do the tricks?

Or maybe filter Signature Algorithms like in https://github.com/golang/go/blob/master/src/crypto/tls/auth.go#L148

var rsaSignatureSchemes = []struct {
	scheme          SignatureScheme
	minModulusBytes int
	maxVersion      uint16
}{
	// RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
	//    emLen >= hLen + sLen + 2
	{PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13},
	{PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13},
	{PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13},
	// PKCS #1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
	//    emLen >= len(prefix) + hLen + 11
	// TLS 1.3 dropped support for PKCS #1 v1.5 in favor of RSA-PSS.
	{PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12},
	{PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12},
	{PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12},
	{PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12},
}

& https://github.com/golang/go/blob/master/src/crypto/tls/auth.go#L205

		for _, candidate := range rsaSignatureSchemes {
			if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
				sigAlgs = append(sigAlgs, candidate.scheme)
			}
		}

?

@FiloSottile
Copy link
Contributor

This seems to be mixing up two separate sets of signature algorithms: Certificate.SupportedSignatureAlgorithms are the ones that can be used to make a signature from the certificate; certReq.supportedSignatureAlgorithms are the algorithms that the client is allowed to use. The former is limited by the private key of the certificate (if for example it's an a hardware token that can't do RSA-PSS), the latter is only limited by what out implementation can verify, which is always the same set.

Why do you need to configure certReq.supportedSignatureAlgorithms?

@ryarnyah
Copy link
Author

I need to configure it with some hardware token (HID activekey sim) to work with Firefox which doesn't seem to support well RSA-PSS with it. To get it working fully i need to disable rsa-pss algorithm in Server Hello Certificate Request.

In Go < 1.14, everything where good but after upgrading it broke. The snippet reproduce the behaviour of Traefik which recently upgrade to to Go 1.14.

I think we need something to be able to configure certReq.supportedSignatureAlgorithms to make it backward compatible with previous behaviour.

@FiloSottile
Copy link
Contributor

This sounds like it should be reported to Firefox. They should not use signature algorithms that are not supported by the token. We had the equivalent issue with Go clients using tokens that don't support RSA-PSS, and we fixed it by adding Certificate.SupportedSignatureAlgorithms.

The solution to a client using the wrong algorithm can't be to make the whole ecosystem turn off that algorithm, especially when there is already a negotiation process where the server just says "here are the algorithms I support" (and indeed supports them) and the client gets to pick which one to use.

In general, we don't add configuration options if not strictly necessary, sorry. If you have to support a niche, broken client, you'll have to fork because it does not justify adding complexity for the whole ecosystem.

@golang golang locked and limited conversation to collaborators Jul 23, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
FrozenDueToAge NeedsInvestigation Someone must examine and confirm this is a valid issue and not a duplicate of an existing one.
Projects
None yet
Development

No branches or pull requests

4 participants