1// Copyright 2017 The Go Authors. All rights reserved. 2// Use of this source code is governed by a BSD-style 3// license that can be found in the LICENSE file. 4 5package tls 6 7import ( 8 "bytes" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/elliptic" 13 "crypto/rsa" 14 "errors" 15 "fmt" 16 "hash" 17 "io" 18) 19 20// verifyHandshakeSignature verifies a signature against pre-hashed 21// (if required) handshake contents. 22func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error { 23 switch sigType { 24 case signatureECDSA: 25 pubKey, ok := pubkey.(*ecdsa.PublicKey) 26 if !ok { 27 return fmt.Errorf("expected an ECDSA public key, got %T", pubkey) 28 } 29 if !ecdsa.VerifyASN1(pubKey, signed, sig) { 30 return errors.New("ECDSA verification failure") 31 } 32 case signatureEd25519: 33 pubKey, ok := pubkey.(ed25519.PublicKey) 34 if !ok { 35 return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey) 36 } 37 if !ed25519.Verify(pubKey, signed, sig) { 38 return errors.New("Ed25519 verification failure") 39 } 40 case signaturePKCS1v15: 41 pubKey, ok := pubkey.(*rsa.PublicKey) 42 if !ok { 43 return fmt.Errorf("expected an RSA public key, got %T", pubkey) 44 } 45 if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil { 46 return err 47 } 48 case signatureRSAPSS: 49 pubKey, ok := pubkey.(*rsa.PublicKey) 50 if !ok { 51 return fmt.Errorf("expected an RSA public key, got %T", pubkey) 52 } 53 signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} 54 if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil { 55 return err 56 } 57 default: 58 return errors.New("internal error: unknown signature type") 59 } 60 return nil 61} 62 63const ( 64 serverSignatureContext = "TLS 1.3, server CertificateVerify\x00" 65 clientSignatureContext = "TLS 1.3, client CertificateVerify\x00" 66) 67 68var signaturePadding = []byte{ 69 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 70 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 71 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 72 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 73 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 74 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 75 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 76 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 77} 78 79// signedMessage returns the pre-hashed (if necessary) message to be signed by 80// certificate keys in TLS 1.3. See RFC 8446, Section 4.4.3. 81func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []byte { 82 if sigHash == directSigning { 83 b := &bytes.Buffer{} 84 b.Write(signaturePadding) 85 io.WriteString(b, context) 86 b.Write(transcript.Sum(nil)) 87 return b.Bytes() 88 } 89 h := sigHash.New() 90 h.Write(signaturePadding) 91 io.WriteString(h, context) 92 h.Write(transcript.Sum(nil)) 93 return h.Sum(nil) 94} 95 96// typeAndHashFromSignatureScheme returns the corresponding signature type and 97// crypto.Hash for a given TLS SignatureScheme. 98func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) { 99 switch signatureAlgorithm { 100 case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512: 101 sigType = signaturePKCS1v15 102 case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512: 103 sigType = signatureRSAPSS 104 case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512: 105 sigType = signatureECDSA 106 case Ed25519: 107 sigType = signatureEd25519 108 default: 109 return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm) 110 } 111 switch signatureAlgorithm { 112 case PKCS1WithSHA1, ECDSAWithSHA1: 113 hash = crypto.SHA1 114 case PKCS1WithSHA256, PSSWithSHA256, ECDSAWithP256AndSHA256: 115 hash = crypto.SHA256 116 case PKCS1WithSHA384, PSSWithSHA384, ECDSAWithP384AndSHA384: 117 hash = crypto.SHA384 118 case PKCS1WithSHA512, PSSWithSHA512, ECDSAWithP521AndSHA512: 119 hash = crypto.SHA512 120 case Ed25519: 121 hash = directSigning 122 default: 123 return 0, 0, fmt.Errorf("unsupported signature algorithm: %v", signatureAlgorithm) 124 } 125 return sigType, hash, nil 126} 127 128// legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for 129// a given public key used with TLS 1.0 and 1.1, before the introduction of 130// signature algorithm negotiation. 131func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error) { 132 switch pub.(type) { 133 case *rsa.PublicKey: 134 return signaturePKCS1v15, crypto.MD5SHA1, nil 135 case *ecdsa.PublicKey: 136 return signatureECDSA, crypto.SHA1, nil 137 case ed25519.PublicKey: 138 // RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1, 139 // but it requires holding on to a handshake transcript to do a 140 // full signature, and not even OpenSSL bothers with the 141 // complexity, so we can't even test it properly. 142 return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2") 143 default: 144 return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub) 145 } 146} 147 148var rsaSignatureSchemes = []struct { 149 scheme SignatureScheme 150 minModulusBytes int 151 maxVersion uint16 152}{ 153 // RSA-PSS is used with PSSSaltLengthEqualsHash, and requires 154 // emLen >= hLen + sLen + 2 155 {PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13}, 156 {PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13}, 157 {PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13}, 158 // PKCS #1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires 159 // emLen >= len(prefix) + hLen + 11 160 // TLS 1.3 dropped support for PKCS #1 v1.5 in favor of RSA-PSS. 161 {PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12}, 162 {PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12}, 163 {PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12}, 164 {PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12}, 165} 166 167// signatureSchemesForCertificate returns the list of supported SignatureSchemes 168// for a given certificate, based on the public key and the protocol version, 169// and optionally filtered by its explicit SupportedSignatureAlgorithms. 170// 171// This function must be kept in sync with supportedSignatureAlgorithms. 172// FIPS filtering is applied in the caller, selectSignatureScheme. 173func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme { 174 priv, ok := cert.PrivateKey.(crypto.Signer) 175 if !ok { 176 return nil 177 } 178 179 var sigAlgs []SignatureScheme 180 switch pub := priv.Public().(type) { 181 case *ecdsa.PublicKey: 182 if version != VersionTLS13 { 183 // In TLS 1.2 and earlier, ECDSA algorithms are not 184 // constrained to a single curve. 185 sigAlgs = []SignatureScheme{ 186 ECDSAWithP256AndSHA256, 187 ECDSAWithP384AndSHA384, 188 ECDSAWithP521AndSHA512, 189 ECDSAWithSHA1, 190 } 191 break 192 } 193 switch pub.Curve { 194 case elliptic.P256(): 195 sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256} 196 case elliptic.P384(): 197 sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384} 198 case elliptic.P521(): 199 sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512} 200 default: 201 return nil 202 } 203 case *rsa.PublicKey: 204 size := pub.Size() 205 sigAlgs = make([]SignatureScheme, 0, len(rsaSignatureSchemes)) 206 for _, candidate := range rsaSignatureSchemes { 207 if size >= candidate.minModulusBytes && version <= candidate.maxVersion { 208 sigAlgs = append(sigAlgs, candidate.scheme) 209 } 210 } 211 case ed25519.PublicKey: 212 sigAlgs = []SignatureScheme{Ed25519} 213 default: 214 return nil 215 } 216 217 if cert.SupportedSignatureAlgorithms != nil { 218 var filteredSigAlgs []SignatureScheme 219 for _, sigAlg := range sigAlgs { 220 if isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) { 221 filteredSigAlgs = append(filteredSigAlgs, sigAlg) 222 } 223 } 224 return filteredSigAlgs 225 } 226 return sigAlgs 227} 228 229// selectSignatureScheme picks a SignatureScheme from the peer's preference list 230// that works with the selected certificate. It's only called for protocol 231// versions that support signature algorithms, so TLS 1.2 and 1.3. 232func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) { 233 supportedAlgs := signatureSchemesForCertificate(vers, c) 234 if len(supportedAlgs) == 0 { 235 return 0, unsupportedCertificateError(c) 236 } 237 if len(peerAlgs) == 0 && vers == VersionTLS12 { 238 // For TLS 1.2, if the client didn't send signature_algorithms then we 239 // can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1. 240 peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1} 241 } 242 // Pick signature scheme in the peer's preference order, as our 243 // preference order is not configurable. 244 for _, preferredAlg := range peerAlgs { 245 if needFIPS() && !isSupportedSignatureAlgorithm(preferredAlg, defaultSupportedSignatureAlgorithmsFIPS) { 246 continue 247 } 248 if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) { 249 return preferredAlg, nil 250 } 251 } 252 return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms") 253} 254 255// unsupportedCertificateError returns a helpful error for certificates with 256// an unsupported private key. 257func unsupportedCertificateError(cert *Certificate) error { 258 switch cert.PrivateKey.(type) { 259 case rsa.PrivateKey, ecdsa.PrivateKey: 260 return fmt.Errorf("tls: unsupported certificate: private key is %T, expected *%T", 261 cert.PrivateKey, cert.PrivateKey) 262 case *ed25519.PrivateKey: 263 return fmt.Errorf("tls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey") 264 } 265 266 signer, ok := cert.PrivateKey.(crypto.Signer) 267 if !ok { 268 return fmt.Errorf("tls: certificate private key (%T) does not implement crypto.Signer", 269 cert.PrivateKey) 270 } 271 272 switch pub := signer.Public().(type) { 273 case *ecdsa.PublicKey: 274 switch pub.Curve { 275 case elliptic.P256(): 276 case elliptic.P384(): 277 case elliptic.P521(): 278 default: 279 return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name) 280 } 281 case *rsa.PublicKey: 282 return fmt.Errorf("tls: certificate RSA key size too small for supported signature algorithms") 283 case ed25519.PublicKey: 284 default: 285 return fmt.Errorf("tls: unsupported certificate key (%T)", pub) 286 } 287 288 if cert.SupportedSignatureAlgorithms != nil { 289 return fmt.Errorf("tls: peer doesn't support the certificate custom signature algorithms") 290 } 291 292 return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey) 293} 294