Black Lives Matter. Support the Equal Justice Initiative.

Source file src/crypto/tls/auth.go

Documentation: crypto/tls

     1  // Copyright 2017 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/elliptic"
    13  	"crypto/rsa"
    14  	"encoding/asn1"
    15  	"errors"
    16  	"fmt"
    17  	"hash"
    18  	"io"
    19  )
    20  
    21  // verifyHandshakeSignature verifies a signature against pre-hashed
    22  // (if required) handshake contents.
    23  func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error {
    24  	switch sigType {
    25  	case signatureECDSA:
    26  		pubKey, ok := pubkey.(*ecdsa.PublicKey)
    27  		if !ok {
    28  			return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
    29  		}
    30  		ecdsaSig := new(ecdsaSignature)
    31  		if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {
    32  			return err
    33  		}
    34  		if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
    35  			return errors.New("ECDSA signature contained zero or negative values")
    36  		}
    37  		if !ecdsa.Verify(pubKey, signed, ecdsaSig.R, ecdsaSig.S) {
    38  			return errors.New("ECDSA verification failure")
    39  		}
    40  	case signatureEd25519:
    41  		pubKey, ok := pubkey.(ed25519.PublicKey)
    42  		if !ok {
    43  			return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey)
    44  		}
    45  		if !ed25519.Verify(pubKey, signed, sig) {
    46  			return errors.New("Ed25519 verification failure")
    47  		}
    48  	case signaturePKCS1v15:
    49  		pubKey, ok := pubkey.(*rsa.PublicKey)
    50  		if !ok {
    51  			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
    52  		}
    53  		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil {
    54  			return err
    55  		}
    56  	case signatureRSAPSS:
    57  		pubKey, ok := pubkey.(*rsa.PublicKey)
    58  		if !ok {
    59  			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
    60  		}
    61  		signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
    62  		if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil {
    63  			return err
    64  		}
    65  	default:
    66  		return errors.New("internal error: unknown signature type")
    67  	}
    68  	return nil
    69  }
    70  
    71  const (
    72  	serverSignatureContext = "TLS 1.3, server CertificateVerify\x00"
    73  	clientSignatureContext = "TLS 1.3, client CertificateVerify\x00"
    74  )
    75  
    76  var signaturePadding = []byte{
    77  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    78  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    79  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    80  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    81  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    82  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    83  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    84  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
    85  }
    86  
    87  // signedMessage returns the pre-hashed (if necessary) message to be signed by
    88  // certificate keys in TLS 1.3. See RFC 8446, Section 4.4.3.
    89  func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []byte {
    90  	if sigHash == directSigning {
    91  		b := &bytes.Buffer{}
    92  		b.Write(signaturePadding)
    93  		io.WriteString(b, context)
    94  		b.Write(transcript.Sum(nil))
    95  		return b.Bytes()
    96  	}
    97  	h := sigHash.New()
    98  	h.Write(signaturePadding)
    99  	io.WriteString(h, context)
   100  	h.Write(transcript.Sum(nil))
   101  	return h.Sum(nil)
   102  }
   103  
   104  // typeAndHashFromSignatureScheme returns the corresponding signature type and
   105  // crypto.Hash for a given TLS SignatureScheme.
   106  func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) {
   107  	switch signatureAlgorithm {
   108  	case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
   109  		sigType = signaturePKCS1v15
   110  	case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
   111  		sigType = signatureRSAPSS
   112  	case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
   113  		sigType = signatureECDSA
   114  	case Ed25519:
   115  		sigType = signatureEd25519
   116  	default:
   117  		return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
   118  	}
   119  	switch signatureAlgorithm {
   120  	case PKCS1WithSHA1, ECDSAWithSHA1:
   121  		hash = crypto.SHA1
   122  	case PKCS1WithSHA256, PSSWithSHA256, ECDSAWithP256AndSHA256:
   123  		hash = crypto.SHA256
   124  	case PKCS1WithSHA384, PSSWithSHA384, ECDSAWithP384AndSHA384:
   125  		hash = crypto.SHA384
   126  	case PKCS1WithSHA512, PSSWithSHA512, ECDSAWithP521AndSHA512:
   127  		hash = crypto.SHA512
   128  	case Ed25519:
   129  		hash = directSigning
   130  	default:
   131  		return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
   132  	}
   133  	return sigType, hash, nil
   134  }
   135  
   136  // legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for
   137  // a given public key used with TLS 1.0 and 1.1, before the introduction of
   138  // signature algorithm negotiation.
   139  func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error) {
   140  	switch pub.(type) {
   141  	case *rsa.PublicKey:
   142  		return signaturePKCS1v15, crypto.MD5SHA1, nil
   143  	case *ecdsa.PublicKey:
   144  		return signatureECDSA, crypto.SHA1, nil
   145  	case ed25519.PublicKey:
   146  		// RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1,
   147  		// but it requires holding on to a handshake transcript to do a
   148  		// full signature, and not even OpenSSL bothers with the
   149  		// complexity, so we can't even test it properly.
   150  		return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2")
   151  	default:
   152  		return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub)
   153  	}
   154  }
   155  
   156  var rsaSignatureSchemes = []struct {
   157  	scheme          SignatureScheme
   158  	minModulusBytes int
   159  	maxVersion      uint16
   160  }{
   161  	// RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
   162  	//    emLen >= hLen + sLen + 2
   163  	{PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13},
   164  	{PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13},
   165  	{PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13},
   166  	// PKCS#1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
   167  	//    emLen >= len(prefix) + hLen + 11
   168  	// TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS.
   169  	{PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12},
   170  	{PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12},
   171  	{PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12},
   172  	{PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12},
   173  }
   174  
   175  // signatureSchemesForCertificate returns the list of supported SignatureSchemes
   176  // for a given certificate, based on the public key and the protocol version,
   177  // and optionally filtered by its explicit SupportedSignatureAlgorithms.
   178  //
   179  // This function must be kept in sync with supportedSignatureAlgorithms.
   180  func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme {
   181  	priv, ok := cert.PrivateKey.(crypto.Signer)
   182  	if !ok {
   183  		return nil
   184  	}
   185  
   186  	var sigAlgs []SignatureScheme
   187  	switch pub := priv.Public().(type) {
   188  	case *ecdsa.PublicKey:
   189  		if version != VersionTLS13 {
   190  			// In TLS 1.2 and earlier, ECDSA algorithms are not
   191  			// constrained to a single curve.
   192  			sigAlgs = []SignatureScheme{
   193  				ECDSAWithP256AndSHA256,
   194  				ECDSAWithP384AndSHA384,
   195  				ECDSAWithP521AndSHA512,
   196  				ECDSAWithSHA1,
   197  			}
   198  			break
   199  		}
   200  		switch pub.Curve {
   201  		case elliptic.P256():
   202  			sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256}
   203  		case elliptic.P384():
   204  			sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384}
   205  		case elliptic.P521():
   206  			sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512}
   207  		default:
   208  			return nil
   209  		}
   210  	case *rsa.PublicKey:
   211  		size := pub.Size()
   212  		sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes))
   213  		for _, candidate := range rsaSignatureSchemes {
   214  			if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
   215  				sigAlgs = append(sigAlgs, candidate.scheme)
   216  			}
   217  		}
   218  	case ed25519.PublicKey:
   219  		sigAlgs = []SignatureScheme{Ed25519}
   220  	default:
   221  		return nil
   222  	}
   223  
   224  	if cert.SupportedSignatureAlgorithms != nil {
   225  		var filteredSigAlgs []SignatureScheme
   226  		for _, sigAlg := range sigAlgs {
   227  			if isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) {
   228  				filteredSigAlgs = append(filteredSigAlgs, sigAlg)
   229  			}
   230  		}
   231  		return filteredSigAlgs
   232  	}
   233  	return sigAlgs
   234  }
   235  
   236  // selectSignatureScheme picks a SignatureScheme from the peer's preference list
   237  // that works with the selected certificate. It's only called for protocol
   238  // versions that support signature algorithms, so TLS 1.2 and 1.3.
   239  func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) {
   240  	supportedAlgs := signatureSchemesForCertificate(vers, c)
   241  	if len(supportedAlgs) == 0 {
   242  		return 0, unsupportedCertificateError(c)
   243  	}
   244  	if len(peerAlgs) == 0 && vers == VersionTLS12 {
   245  		// For TLS 1.2, if the client didn't send signature_algorithms then we
   246  		// can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
   247  		peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
   248  	}
   249  	// Pick signature scheme in the peer's preference order, as our
   250  	// preference order is not configurable.
   251  	for _, preferredAlg := range peerAlgs {
   252  		if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
   253  			return preferredAlg, nil
   254  		}
   255  	}
   256  	return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms")
   257  }
   258  
   259  // unsupportedCertificateError returns a helpful error for certificates with
   260  // an unsupported private key.
   261  func unsupportedCertificateError(cert *Certificate) error {
   262  	switch cert.PrivateKey.(type) {
   263  	case rsa.PrivateKey, ecdsa.PrivateKey:
   264  		return fmt.Errorf("tls: unsupported certificate: private key is %T, expected *%T",
   265  			cert.PrivateKey, cert.PrivateKey)
   266  	case *ed25519.PrivateKey:
   267  		return fmt.Errorf("tls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey")
   268  	}
   269  
   270  	signer, ok := cert.PrivateKey.(crypto.Signer)
   271  	if !ok {
   272  		return fmt.Errorf("tls: certificate private key (%T) does not implement crypto.Signer",
   273  			cert.PrivateKey)
   274  	}
   275  
   276  	switch pub := signer.Public().(type) {
   277  	case *ecdsa.PublicKey:
   278  		switch pub.Curve {
   279  		case elliptic.P256():
   280  		case elliptic.P384():
   281  		case elliptic.P521():
   282  		default:
   283  			return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name)
   284  		}
   285  	case *rsa.PublicKey:
   286  		return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms")
   287  	case ed25519.PublicKey:
   288  	default:
   289  		return fmt.Errorf("tls: unsupported certificate key (%T)", pub)
   290  	}
   291  
   292  	if cert.SupportedSignatureAlgorithms != nil {
   293  		return fmt.Errorf("tls: peer doesn't support the certificate custom signature algorithms")
   294  	}
   295  
   296  	return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey)
   297  }
   298  

View as plain text