Source file src/crypto/tls/auth.go 

     1  // Copyright 2017 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"bytes"
     9  	"crypto"
    10  	"crypto/ecdsa"
    11  	"crypto/ed25519"
    12  	"crypto/elliptic"
    13  	"crypto/rsa"
    14  	"errors"
    15  	"fmt"
    16  	"hash"
    17  	"io"
    18  	"slices"
    19  )
    20  
    21  // verifyHandshakeSignature verifies a signature against unhashed handshake contents.
    22  func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error {
    23  	if hashFunc != directSigning {
    24  		h := hashFunc.New()
    25  		h.Write(signed)
    26  		signed = h.Sum(nil)
    27  	}
    28  	switch sigType {
    29  	case signatureECDSA:
    30  		pubKey, ok := pubkey.(*ecdsa.PublicKey)
    31  		if !ok {
    32  			return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
    33  		}
    34  		if !ecdsa.VerifyASN1(pubKey, signed, sig) {
    35  			return errors.New("ECDSA verification failure")
    36  		}
    37  	case signatureEd25519:
    38  		pubKey, ok := pubkey.(ed25519.PublicKey)
    39  		if !ok {
    40  			return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey)
    41  		}
    42  		if !ed25519.Verify(pubKey, signed, sig) {
    43  			return errors.New("Ed25519 verification failure")
    44  		}
    45  	case signaturePKCS1v15:
    46  		pubKey, ok := pubkey.(*rsa.PublicKey)
    47  		if !ok {
    48  			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
    49  		}
    50  		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil {
    51  			return err
    52  		}
    53  	case signatureRSAPSS:
    54  		pubKey, ok := pubkey.(*rsa.PublicKey)
    55  		if !ok {
    56  			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
    57  		}
    58  		signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
    59  		if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil {
    60  			return err
    61  		}
    62  	default:
    63  		return errors.New("internal error: unknown signature type")
    64  	}
    65  	return nil
    66  }
    67  
    68  // verifyLegacyHandshakeSignature verifies a TLS 1.0 and 1.1 signature against
    69  // pre-hashed handshake contents.
    70  func verifyLegacyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, hashed, sig []byte) error {
    71  	switch sigType {
    72  	case signatureECDSA:
    73  		pubKey, ok := pubkey.(*ecdsa.PublicKey)
    74  		if !ok {
    75  			return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
    76  		}
    77  		if !ecdsa.VerifyASN1(pubKey, hashed, sig) {
    78  			return errors.New("ECDSA verification failure")
    79  		}
    80  	case signaturePKCS1v15:
    81  		pubKey, ok := pubkey.(*rsa.PublicKey)
    82  		if !ok {
    83  			return fmt.Errorf("expected an RSA public key, got %T", pubkey)
    84  		}
    85  		if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, hashed, sig); err != nil {
    86  			return err
    87  		}
    88  	default:
    89  		return errors.New("internal error: unknown signature type")
    90  	}
    91  	return nil
    92  }
    93  
    94  const (
    95  	serverSignatureContext = "TLS 1.3, server CertificateVerify\x00"
    96  	clientSignatureContext = "TLS 1.3, client CertificateVerify\x00"
    97  )
    98  
    99  var signaturePadding = []byte{
   100  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   101  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   102  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   103  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   104  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   105  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   106  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   107  	0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
   108  }
   109  
   110  // signedMessage returns the (unhashed) message to be signed by certificate keys
   111  // in TLS 1.3. See RFC 8446, Section 4.4.3.
   112  func signedMessage(context string, transcript hash.Hash) []byte {
   113  	const maxSize = 64 /* signaturePadding */ + len(serverSignatureContext) + 512/8 /* SHA-512 */
   114  	b := bytes.NewBuffer(make([]byte, 0, maxSize))
   115  	b.Write(signaturePadding)
   116  	io.WriteString(b, context)
   117  	b.Write(transcript.Sum(nil))
   118  	return b.Bytes()
   119  }
   120  
   121  // typeAndHashFromSignatureScheme returns the corresponding signature type and
   122  // crypto.Hash for a given TLS SignatureScheme.
   123  func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) {
   124  	switch signatureAlgorithm {
   125  	case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
   126  		sigType = signaturePKCS1v15
   127  	case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
   128  		sigType = signatureRSAPSS
   129  	case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
   130  		sigType = signatureECDSA
   131  	case Ed25519:
   132  		sigType = signatureEd25519
   133  	default:
   134  		return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
   135  	}
   136  	switch signatureAlgorithm {
   137  	case PKCS1WithSHA1, ECDSAWithSHA1:
   138  		hash = crypto.SHA1
   139  	case PKCS1WithSHA256, PSSWithSHA256, ECDSAWithP256AndSHA256:
   140  		hash = crypto.SHA256
   141  	case PKCS1WithSHA384, PSSWithSHA384, ECDSAWithP384AndSHA384:
   142  		hash = crypto.SHA384
   143  	case PKCS1WithSHA512, PSSWithSHA512, ECDSAWithP521AndSHA512:
   144  		hash = crypto.SHA512
   145  	case Ed25519:
   146  		hash = directSigning
   147  	default:
   148  		return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm)
   149  	}
   150  	return sigType, hash, nil
   151  }
   152  
   153  // legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for
   154  // a given public key used with TLS 1.0 and 1.1, before the introduction of
   155  // signature algorithm negotiation.
   156  func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error) {
   157  	switch pub.(type) {
   158  	case *rsa.PublicKey:
   159  		return signaturePKCS1v15, crypto.MD5SHA1, nil
   160  	case *ecdsa.PublicKey:
   161  		return signatureECDSA, crypto.SHA1, nil
   162  	case ed25519.PublicKey:
   163  		// RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1,
   164  		// but it requires holding on to a handshake transcript to do a
   165  		// full signature, and not even OpenSSL bothers with the
   166  		// complexity, so we can't even test it properly.
   167  		return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2")
   168  	default:
   169  		return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub)
   170  	}
   171  }
   172  
   173  var rsaSignatureSchemes = []struct {
   174  	scheme          SignatureScheme
   175  	minModulusBytes int
   176  }{
   177  	// RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
   178  	//    emLen >= hLen + sLen + 2
   179  	{PSSWithSHA256, crypto.SHA256.Size()*2 + 2},
   180  	{PSSWithSHA384, crypto.SHA384.Size()*2 + 2},
   181  	{PSSWithSHA512, crypto.SHA512.Size()*2 + 2},
   182  	// PKCS #1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
   183  	//    emLen >= len(prefix) + hLen + 11
   184  	{PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11},
   185  	{PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11},
   186  	{PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11},
   187  	{PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11},
   188  }
   189  
   190  func signatureSchemesForPublicKey(version uint16, pub crypto.PublicKey) []SignatureScheme {
   191  	switch pub := pub.(type) {
   192  	case *ecdsa.PublicKey:
   193  		if version < VersionTLS13 {
   194  			// In TLS 1.2 and earlier, ECDSA algorithms are not
   195  			// constrained to a single curve.
   196  			return []SignatureScheme{
   197  				ECDSAWithP256AndSHA256,
   198  				ECDSAWithP384AndSHA384,
   199  				ECDSAWithP521AndSHA512,
   200  				ECDSAWithSHA1,
   201  			}
   202  		}
   203  		switch pub.Curve {
   204  		case elliptic.P256():
   205  			return []SignatureScheme{ECDSAWithP256AndSHA256}
   206  		case elliptic.P384():
   207  			return []SignatureScheme{ECDSAWithP384AndSHA384}
   208  		case elliptic.P521():
   209  			return []SignatureScheme{ECDSAWithP521AndSHA512}
   210  		default:
   211  			return nil
   212  		}
   213  	case *rsa.PublicKey:
   214  		size := pub.Size()
   215  		sigAlgs := make([]SignatureScheme, 0, len(rsaSignatureSchemes))
   216  		for _, candidate := range rsaSignatureSchemes {
   217  			if size >= candidate.minModulusBytes {
   218  				sigAlgs = append(sigAlgs, candidate.scheme)
   219  			}
   220  		}
   221  		return sigAlgs
   222  	case ed25519.PublicKey:
   223  		return []SignatureScheme{Ed25519}
   224  	default:
   225  		return nil
   226  	}
   227  }
   228  
   229  // selectSignatureScheme picks a SignatureScheme from the peer's preference list
   230  // that works with the selected certificate. It's only called for protocol
   231  // versions that support signature algorithms, so TLS 1.2 and 1.3.
   232  func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) {
   233  	priv, ok := c.PrivateKey.(crypto.Signer)
   234  	if !ok {
   235  		return 0, unsupportedCertificateError(c)
   236  	}
   237  	supportedAlgs := signatureSchemesForPublicKey(vers, priv.Public())
   238  	if c.SupportedSignatureAlgorithms != nil {
   239  		supportedAlgs = slices.DeleteFunc(supportedAlgs, func(sigAlg SignatureScheme) bool {
   240  			return !isSupportedSignatureAlgorithm(sigAlg, c.SupportedSignatureAlgorithms)
   241  		})
   242  	}
   243  	// Filter out any unsupported signature algorithms, for example due to
   244  	// FIPS 140-3 policy, tlssha1=0, or protocol version.
   245  	supportedAlgs = slices.DeleteFunc(supportedAlgs, func(sigAlg SignatureScheme) bool {
   246  		return isDisabledSignatureAlgorithm(vers, sigAlg, false)
   247  	})
   248  	if len(supportedAlgs) == 0 {
   249  		return 0, unsupportedCertificateError(c)
   250  	}
   251  	if len(peerAlgs) == 0 && vers == VersionTLS12 {
   252  		// For TLS 1.2, if the client didn't send signature_algorithms then we
   253  		// can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
   254  		// RFC 9155 made signature_algorithms mandatory in TLS 1.2, and we gated
   255  		// it behind the tlssha1 GODEBUG setting.
   256  		if tlssha1.Value() != "1" {
   257  			return 0, errors.New("tls: missing signature_algorithms from TLS 1.2 peer")
   258  		}
   259  		peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
   260  	}
   261  	// Pick signature scheme in the peer's preference order, as our
   262  	// preference order is not configurable.
   263  	for _, preferredAlg := range peerAlgs {
   264  		if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
   265  			return preferredAlg, nil
   266  		}
   267  	}
   268  	return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms")
   269  }
   270  
   271  // unsupportedCertificateError returns a helpful error for certificates with
   272  // an unsupported private key.
   273  func unsupportedCertificateError(cert *Certificate) error {
   274  	switch cert.PrivateKey.(type) {
   275  	case rsa.PrivateKey, ecdsa.PrivateKey:
   276  		return fmt.Errorf("tls: unsupported certificate: private key is %T, expected *%T",
   277  			cert.PrivateKey, cert.PrivateKey)
   278  	case *ed25519.PrivateKey:
   279  		return fmt.Errorf("tls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey")
   280  	}
   281  
   282  	signer, ok := cert.PrivateKey.(crypto.Signer)
   283  	if !ok {
   284  		return fmt.Errorf("tls: certificate private key (%T) does not implement crypto.Signer",
   285  			cert.PrivateKey)
   286  	}
   287  
   288  	switch pub := signer.Public().(type) {
   289  	case *ecdsa.PublicKey:
   290  		switch pub.Curve {
   291  		case elliptic.P256():
   292  		case elliptic.P384():
   293  		case elliptic.P521():
   294  		default:
   295  			return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name)
   296  		}
   297  	case *rsa.PublicKey:
   298  		return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms")
   299  	case ed25519.PublicKey:
   300  	default:
   301  		return fmt.Errorf("tls: unsupported certificate key (%T)", pub)
   302  	}
   303  
   304  	if cert.SupportedSignatureAlgorithms != nil {
   305  		return fmt.Errorf("tls: peer doesn't support the certificate custom signature algorithms")
   306  	}
   307  
   308  	return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey)
   309  }
   310  

View as plain text

go.dev uses cookies from Google to deliver and enhance the quality of its services and to analyze traffic. Learn more.