github.com/FISCO-BCOS/crypto@v0.0.0-20200202032121-bd8ab0b5d4f1/tls/auth.go (about) 1 // Copyright 2017 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "bytes" 9 "crypto" 10 "github.com/FISCO-BCOS/crypto/ecdsa" 11 "crypto/ed25519" 12 "github.com/FISCO-BCOS/crypto/elliptic" 13 "crypto/rsa" 14 "encoding/asn1" 15 "errors" 16 "fmt" 17 "hash" 18 "io" 19 ) 20 21 // pickSignatureAlgorithm selects a signature algorithm that is compatible with 22 // the given public key and the list of algorithms from the peer and this side. 23 // The lists of signature algorithms (peerSigAlgs and ourSigAlgs) are ignored 24 // for tlsVersion < VersionTLS12. 25 // 26 // The returned SignatureScheme codepoint is only meaningful for TLS 1.2, 27 // previous TLS versions have a fixed hash function. 28 func pickSignatureAlgorithm(pubkey crypto.PublicKey, peerSigAlgs, ourSigAlgs []SignatureScheme, tlsVersion uint16) (sigAlg SignatureScheme, sigType uint8, hashFunc crypto.Hash, err error) { 29 if tlsVersion < VersionTLS12 || len(peerSigAlgs) == 0 { 30 // For TLS 1.1 and before, the signature algorithm could not be 31 // negotiated and the hash is fixed based on the signature type. For TLS 32 // 1.2, if the client didn't send signature_algorithms extension then we 33 // can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1. 34 switch pubkey.(type) { 35 case *rsa.PublicKey: 36 if tlsVersion < VersionTLS12 { 37 return 0, signaturePKCS1v15, crypto.MD5SHA1, nil 38 } else { 39 return PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1, nil 40 } 41 case *ecdsa.PublicKey: 42 return ECDSAWithSHA1, signatureECDSA, crypto.SHA1, nil 43 case ed25519.PublicKey: 44 if tlsVersion < VersionTLS12 { 45 // RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1, 46 // but it requires holding on to a handshake transcript to do a 47 // full signature, and not even OpenSSL bothers with the 48 // complexity, so we can't even test it properly. 49 return 0, 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2") 50 } 51 return Ed25519, signatureEd25519, directSigning, nil 52 default: 53 return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey) 54 } 55 } 56 for _, sigAlg := range peerSigAlgs { 57 if !isSupportedSignatureAlgorithm(sigAlg, ourSigAlgs) { 58 continue 59 } 60 hashAlg, err := hashFromSignatureScheme(sigAlg) 61 if err != nil { 62 panic("tls: supported signature algorithm has an unknown hash function") 63 } 64 sigType := signatureFromSignatureScheme(sigAlg) 65 switch pubkey.(type) { 66 case *rsa.PublicKey: 67 if sigType == signaturePKCS1v15 || sigType == signatureRSAPSS { 68 return sigAlg, sigType, hashAlg, nil 69 } 70 case *ecdsa.PublicKey: 71 if sigType == signatureECDSA { 72 return sigAlg, sigType, hashAlg, nil 73 } 74 case ed25519.PublicKey: 75 if sigType == signatureEd25519 { 76 return sigAlg, sigType, hashAlg, nil 77 } 78 default: 79 return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey) 80 } 81 } 82 return 0, 0, 0, errors.New("tls: peer doesn't support any common signature algorithms") 83 } 84 85 // verifyHandshakeSignature verifies a signature against pre-hashed 86 // (if required) handshake contents. 87 func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error { 88 switch sigType { 89 case signatureECDSA: 90 pubKey, ok := pubkey.(*ecdsa.PublicKey) 91 if !ok { 92 return errors.New("tls: ECDSA signing requires a ECDSA public key") 93 } 94 ecdsaSig := new(ecdsaSignature) 95 if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil { 96 return err 97 } 98 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 { 99 return errors.New("tls: ECDSA signature contained zero or negative values") 100 } 101 if !ecdsa.Verify(pubKey, signed, ecdsaSig.R, ecdsaSig.S) { 102 return errors.New("tls: ECDSA verification failure") 103 } 104 case signatureEd25519: 105 pubKey, ok := pubkey.(ed25519.PublicKey) 106 if !ok { 107 return errors.New("tls: Ed25519 signing requires a Ed25519 public key") 108 } 109 if !ed25519.Verify(pubKey, signed, sig) { 110 return errors.New("tls: Ed25519 verification failure") 111 } 112 case signaturePKCS1v15: 113 pubKey, ok := pubkey.(*rsa.PublicKey) 114 if !ok { 115 return errors.New("tls: RSA signing requires a RSA public key") 116 } 117 if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil { 118 return err 119 } 120 case signatureRSAPSS: 121 pubKey, ok := pubkey.(*rsa.PublicKey) 122 if !ok { 123 return errors.New("tls: RSA signing requires a RSA public key") 124 } 125 signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash} 126 if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil { 127 return err 128 } 129 default: 130 return errors.New("tls: unknown signature algorithm") 131 } 132 return nil 133 } 134 135 const ( 136 serverSignatureContext = "TLS 1.3, server CertificateVerify\x00" 137 clientSignatureContext = "TLS 1.3, client CertificateVerify\x00" 138 ) 139 140 var signaturePadding = []byte{ 141 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 142 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 143 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 144 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 145 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 146 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 147 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 148 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 149 } 150 151 // signedMessage returns the pre-hashed (if necessary) message to be signed by 152 // certificate keys in TLS 1.3. See RFC 8446, Section 4.4.3. 153 func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []byte { 154 if sigHash == directSigning { 155 b := &bytes.Buffer{} 156 b.Write(signaturePadding) 157 io.WriteString(b, context) 158 b.Write(transcript.Sum(nil)) 159 return b.Bytes() 160 } 161 h := sigHash.New() 162 h.Write(signaturePadding) 163 io.WriteString(h, context) 164 h.Write(transcript.Sum(nil)) 165 return h.Sum(nil) 166 } 167 168 // signatureSchemesForCertificate returns the list of supported SignatureSchemes 169 // for a given certificate, based on the public key and the protocol version. 170 // 171 // It does not support the crypto.Decrypter interface, so shouldn't be used for 172 // server certificates in TLS 1.2 and earlier, and it must be kept in sync with 173 // supportedSignatureAlgorithms. 174 func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme { 175 priv, ok := cert.PrivateKey.(crypto.Signer) 176 if !ok { 177 return nil 178 } 179 180 switch pub := priv.Public().(type) { 181 case *ecdsa.PublicKey: 182 if version != VersionTLS13 { 183 // In TLS 1.2 and earlier, ECDSA algorithms are not 184 // constrained to a single curve. 185 return []SignatureScheme{ 186 ECDSAWithP256AndSHA256, 187 ECDSAWithP384AndSHA384, 188 ECDSAWithP521AndSHA512, 189 ECDSAWithSHA1, 190 } 191 } 192 switch pub.Curve { 193 case elliptic.P256(): 194 return []SignatureScheme{ECDSAWithP256AndSHA256} 195 case elliptic.P384(): 196 return []SignatureScheme{ECDSAWithP384AndSHA384} 197 case elliptic.P521(): 198 return []SignatureScheme{ECDSAWithP521AndSHA512} 199 default: 200 return nil 201 } 202 case *rsa.PublicKey: 203 if version != VersionTLS13 { 204 return []SignatureScheme{ 205 PKCS1WithSHA256, 206 PKCS1WithSHA384, 207 PKCS1WithSHA512, 208 PKCS1WithSHA1, 209 } 210 } 211 return []SignatureScheme{ 212 PSSWithSHA256, 213 PSSWithSHA384, 214 PSSWithSHA512, 215 } 216 case ed25519.PublicKey: 217 return []SignatureScheme{Ed25519} 218 default: 219 return nil 220 } 221 } 222 223 // unsupportedCertificateError returns a helpful error for certificates with 224 // an unsupported private key. 225 func unsupportedCertificateError(cert *Certificate) error { 226 switch cert.PrivateKey.(type) { 227 case rsa.PrivateKey, ecdsa.PrivateKey: 228 return fmt.Errorf("tls: unsupported certificate: private key is %T, expected *%T", 229 cert.PrivateKey, cert.PrivateKey) 230 case *ed25519.PrivateKey: 231 return fmt.Errorf("tls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey") 232 } 233 234 signer, ok := cert.PrivateKey.(crypto.Signer) 235 if !ok { 236 return fmt.Errorf("tls: certificate private key (%T) does not implement crypto.Signer", 237 cert.PrivateKey) 238 } 239 240 switch pub := signer.Public().(type) { 241 case *ecdsa.PublicKey: 242 switch pub.Curve { 243 case elliptic.P256(): 244 case elliptic.P384(): 245 case elliptic.P521(): 246 default: 247 return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name) 248 } 249 case *rsa.PublicKey: 250 case ed25519.PublicKey: 251 default: 252 return fmt.Errorf("tls: unsupported certificate key (%T)", pub) 253 } 254 255 return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey) 256 }