mirror of
https://github.com/refraction-networking/utls.git
synced 2025-04-04 20:47:36 +03:00
crypto/tls: implement (*ClientHelloInfo).SupportsCertificate
We'll also use this function for a better selection logic from Config.Certificates in a later CL. Updates #32426 Change-Id: Ie239574d02eb7fd2cf025ec36721c8c7e082d0bc Reviewed-on: https://go-review.googlesource.com/c/go/+/205057 Reviewed-by: Katie Hockman <katie@golang.org>
This commit is contained in:
Filippo Valsorda
parent
0c490ab182
commit
da96d661d8
3 changed files with 329 additions and 0 deletions
169
common.go
169
common.go
|
|
@ -7,7 +7,11 @@ package tls
|
|||
import (
|
||||
"container/list"
|
||||
"crypto"
|
||||
"crypto/ecdsa"
|
||||
"crypto/ed25519"
|
||||
"crypto/elliptic"
|
||||
"crypto/rand"
|
||||
"crypto/rsa"
|
||||
"crypto/sha512"
|
||||
"crypto/x509"
|
||||
"errors"
|
||||
|
|
@ -384,6 +388,10 @@ type ClientHelloInfo struct {
|
|||
// from, or write to, this connection; that will cause the TLS
|
||||
// connection to fail.
|
||||
Conn net.Conn
|
||||
|
||||
// config is embedded by the GetCertificate or GetConfigForClient caller,
|
||||
// for use with SupportsCertificate.
|
||||
config *Config
|
||||
}
|
||||
|
||||
// CertificateRequestInfo contains information from a server's
|
||||
|
|
@ -901,6 +909,167 @@ func (c *Config) getCertificate(clientHello *ClientHelloInfo) (*Certificate, err
|
|||
return &c.Certificates[0], nil
|
||||
}
|
||||
|
||||
// SupportsCertificate returns nil if the provided certificate is supported by
|
||||
// the client that sent the ClientHello. Otherwise, it returns an error
|
||||
// describing the reason for the incompatibility.
|
||||
//
|
||||
// If this ClientHelloInfo was passed to a GetConfigForClient or GetCertificate
|
||||
// callback, this method will take into account the associated Config. Note that
|
||||
// if GetConfigForClient returns a different Config, the change can't be
|
||||
// accounted for by this method.
|
||||
//
|
||||
// This function will call x509.ParseCertificate unless c.Leaf is set, which can
|
||||
// incur a significant performance cost.
|
||||
func (chi *ClientHelloInfo) SupportsCertificate(c *Certificate) error {
|
||||
// Note we don't currently support certificate_authorities nor
|
||||
// signature_algorithms_cert, and don't check the algorithms of the
|
||||
// signatures on the chain (which anyway are a SHOULD, see RFC 8446,
|
||||
// Section 4.4.2.2).
|
||||
|
||||
config := chi.config
|
||||
if config == nil {
|
||||
config = &Config{}
|
||||
}
|
||||
vers, ok := config.mutualVersion(chi.SupportedVersions)
|
||||
if !ok {
|
||||
return errors.New("no mutually supported protocol versions")
|
||||
}
|
||||
|
||||
// If the client specified the name they are trying to connect to, the
|
||||
// certificate needs to be valid for it.
|
||||
if chi.ServerName != "" {
|
||||
x509Cert, err := c.leaf()
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to parse certificate: %w", err)
|
||||
}
|
||||
if err := x509Cert.VerifyHostname(chi.ServerName); err != nil {
|
||||
return fmt.Errorf("certificate is not valid for requested server name: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
// supportsRSAFallback returns nil if the certificate and connection support
|
||||
// the static RSA key exchange, and unsupported otherwise. The logic for
|
||||
// supporting static RSA is completely disjoint from the logic for
|
||||
// supporting signed key exchanges, so we just check it as a fallback.
|
||||
supportsRSAFallback := func(unsupported error) error {
|
||||
// TLS 1.3 dropped support for the static RSA key exchange.
|
||||
if vers == VersionTLS13 {
|
||||
return unsupported
|
||||
}
|
||||
// The static RSA key exchange works by decrypting a challenge with the
|
||||
// RSA private key, not by signing, so check the PrivateKey implements
|
||||
// crypto.Decrypter, like *rsa.PrivateKey does.
|
||||
if priv, ok := c.PrivateKey.(crypto.Decrypter); ok {
|
||||
if _, ok := priv.Public().(*rsa.PublicKey); !ok {
|
||||
return unsupported
|
||||
}
|
||||
} else {
|
||||
return unsupported
|
||||
}
|
||||
// Finally, there needs to be a mutual cipher suite that uses the static
|
||||
// RSA key exchange instead of ECDHE.
|
||||
rsaCipherSuite := selectCipherSuite(chi.CipherSuites, config.cipherSuites(), func(c *cipherSuite) bool {
|
||||
if c.flags&suiteECDHE != 0 {
|
||||
return false
|
||||
}
|
||||
if vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
})
|
||||
if rsaCipherSuite == nil {
|
||||
return unsupported
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// If the client sent the signature_algorithms extension, ensure it supports
|
||||
// schemes we can use with this certificate and TLS version.
|
||||
if len(chi.SignatureSchemes) > 0 {
|
||||
if _, err := selectSignatureScheme(vers, c, chi.SignatureSchemes); err != nil {
|
||||
return supportsRSAFallback(err)
|
||||
}
|
||||
}
|
||||
|
||||
// In TLS 1.3 we are done because supported_groups is only relevant to the
|
||||
// ECDHE computation, point format negotiation is removed, cipher suites are
|
||||
// only relevant to the AEAD choice, and static RSA does not exist.
|
||||
if vers == VersionTLS13 {
|
||||
return nil
|
||||
}
|
||||
|
||||
// The only signed key exchange we support is ECDHE.
|
||||
if !supportsECDHE(config, chi.SupportedCurves, chi.SupportedPoints) {
|
||||
return supportsRSAFallback(errors.New("client doesn't support ECDHE, can only use legacy RSA key exchange"))
|
||||
}
|
||||
|
||||
var ecdsaCipherSuite bool
|
||||
if priv, ok := c.PrivateKey.(crypto.Signer); ok {
|
||||
switch pub := priv.Public().(type) {
|
||||
case *ecdsa.PublicKey:
|
||||
var curve CurveID
|
||||
switch pub.Curve {
|
||||
case elliptic.P256():
|
||||
curve = CurveP256
|
||||
case elliptic.P384():
|
||||
curve = CurveP384
|
||||
case elliptic.P521():
|
||||
curve = CurveP521
|
||||
default:
|
||||
return supportsRSAFallback(unsupportedCertificateError(c))
|
||||
}
|
||||
var curveOk bool
|
||||
for _, c := range chi.SupportedCurves {
|
||||
if c == curve && config.supportsCurve(c) {
|
||||
curveOk = true
|
||||
break
|
||||
}
|
||||
}
|
||||
if !curveOk {
|
||||
return errors.New("client doesn't support certificate curve")
|
||||
}
|
||||
ecdsaCipherSuite = true
|
||||
case ed25519.PublicKey:
|
||||
if vers < VersionTLS12 || len(chi.SignatureSchemes) == 0 {
|
||||
return errors.New("connection doesn't support Ed25519")
|
||||
}
|
||||
ecdsaCipherSuite = true
|
||||
case *rsa.PublicKey:
|
||||
default:
|
||||
return supportsRSAFallback(unsupportedCertificateError(c))
|
||||
}
|
||||
} else {
|
||||
return supportsRSAFallback(unsupportedCertificateError(c))
|
||||
}
|
||||
|
||||
// Make sure that there is a mutually supported cipher suite that works with
|
||||
// this certificate. Cipher suite selection will then apply the logic in
|
||||
// reverse to pick it. See also serverHandshakeState.cipherSuiteOk.
|
||||
cipherSuite := selectCipherSuite(chi.CipherSuites, config.cipherSuites(), func(c *cipherSuite) bool {
|
||||
if c.flags&suiteECDHE == 0 {
|
||||
return false
|
||||
}
|
||||
if c.flags&suiteECSign != 0 {
|
||||
if !ecdsaCipherSuite {
|
||||
return false
|
||||
}
|
||||
} else {
|
||||
if ecdsaCipherSuite {
|
||||
return false
|
||||
}
|
||||
}
|
||||
if vers < VersionTLS12 && c.flags&suiteTLS12 != 0 {
|
||||
return false
|
||||
}
|
||||
return true
|
||||
})
|
||||
if cipherSuite == nil {
|
||||
return supportsRSAFallback(errors.New("client doesn't support any cipher suites compatible with the certificate"))
|
||||
}
|
||||
|
||||
return nil
|
||||
}
|
||||
|
||||
// BuildNameToCertificate parses c.Certificates and builds c.NameToCertificate
|
||||
// from the CommonName and SubjectAlternateName fields of each of the leaf
|
||||
// certificates.
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue