crypto/tls: advertise and accept rsa_pss_rsae signature algorithms

crypto/x509 already supports PSS signatures (with rsaEncryption OID), and crypto/tls support was added in CL 79736. Advertise support for the algorithms and accept them as a peer. Note that this is about PSS signatures from regular RSA public keys. RSA-PSS only public keys (with RSASSA-PSS OID) are supported in neither crypto/tls nor crypto/x509. See RFC 8446, Section 4.2.3. testdata/Server-TLSv12-ClientAuthRequested* got modified because the CertificateRequest carries the supported signature algorithms. The net/smtp tests changed because 512 bits keys are too small for PSS. Based on Peter Wu's CL 79738, who did all the actual work in CL 79736. Updates #9671 Change-Id: I4a31e9c6e152ff4c50a5c8a274edd610d5fff231 Reviewed-on: https://go-review.googlesource.com/c/146258 Run-TryBot: Filippo Valsorda <[email protected]> TryBot-Result: Gobot Gobot <[email protected]> Reviewed-by: Adam Langley <[email protected]>
golang · Nov 2, 2018 · ee7e443 · ee7e443
1 parent 7f5dce0
commit ee7e443
Show file tree

Hide file tree

Showing 13 changed files with 798 additions and 155 deletions.
diff --git a/src/crypto/tls/common.go b/src/crypto/tls/common.go
@@ -175,6 +175,9 @@ const (
 // CertificateRequest. The two fields are merged to match with TLS 1.3.
 // Note that in TLS 1.2, the ECDSA algorithms are not constrained to P-256, etc.
 var supportedSignatureAlgorithms = []SignatureScheme{
+	PSSWithSHA256,
+	PSSWithSHA384,
+	PSSWithSHA512,
 	PKCS1WithSHA256,
 	ECDSAWithP256AndSHA256,
 	PKCS1WithSHA384,
@@ -266,6 +269,7 @@ const (
 	PKCS1WithSHA384 SignatureScheme = 0x0501
 	PKCS1WithSHA512 SignatureScheme = 0x0601
 
+	// RSASSA-PSS algorithms with public key OID rsaEncryption.
 	PSSWithSHA256 SignatureScheme = 0x0804
 	PSSWithSHA384 SignatureScheme = 0x0805
 	PSSWithSHA512 SignatureScheme = 0x0806

diff --git a/src/crypto/tls/handshake_client_test.go b/src/crypto/tls/handshake_client_test.go
@@ -668,6 +668,51 @@ func TestHandshakeClientCertECDSA(t *testing.T) {
 	runClientTestTLS12(t, test)
 }
 
+// TestHandshakeClientCertRSAPSS tests a few separate things:
+//  * that our client can serve a PSS-signed certificate
+//  * that our client can validate a PSS-signed certificate
+//  * that our client can use rsa_pss_rsae_sha256 in its CertificateVerify
+//  * that our client can accpet rsa_pss_rsae_sha256 in the server CertificateVerify
+func TestHandshakeClientCertRSAPSS(t *testing.T) {
+	issuer, err := x509.ParseCertificate(testRSAPSSCertificate)
+	if err != nil {
+		panic(err)
+	}
+	rootCAs := x509.NewCertPool()
+	rootCAs.AddCert(issuer)
+
+	config := testConfig.Clone()
+	cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM))
+	config.Certificates = []Certificate{cert}
+	config.RootCAs = rootCAs
+
+	test := &clientTest{
+		name: "ClientCert-RSA-RSAPSS",
+		command: []string{"openssl", "s_server", "-cipher", "AES128", "-verify", "1",
+			"-client_sigalgs", "rsa_pss_rsae_sha256", "-sigalgs", "rsa_pss_rsae_sha256"},
+		config: config,
+		cert:   testRSAPSSCertificate,
+		key:    testRSAPrivateKey,
+	}
+
+	runClientTestTLS12(t, test)
+}
+
+func TestHandshakeClientCertRSAPKCS1v15(t *testing.T) {
+	config := testConfig.Clone()
+	cert, _ := X509KeyPair([]byte(clientCertificatePEM), []byte(clientKeyPEM))
+	config.Certificates = []Certificate{cert}
+
+	test := &clientTest{
+		name: "ClientCert-RSA-RSAPKCS1v15",
+		command: []string{"openssl", "s_server", "-cipher", "AES128", "-verify", "1",
+			"-client_sigalgs", "rsa_pkcs1_sha256", "-sigalgs", "rsa_pkcs1_sha256"},
+		config: config,
+	}
+
+	runClientTestTLS12(t, test)
+}
+
 func TestClientResumption(t *testing.T) {
 	serverConfig := &Config{
 		CipherSuites: []uint16{TLS_RSA_WITH_RC4_128_SHA, TLS_ECDHE_RSA_WITH_RC4_128_SHA},
@@ -1606,9 +1651,9 @@ func TestGetClientCertificate(t *testing.T) {
 }
 
 func TestRSAPSSKeyError(t *testing.T) {
-	// crypto/tls does not support the rsa_pss_pss_xxx SignatureSchemes. If support for
+	// crypto/tls does not support the rsa_pss_pss_* SignatureSchemes. If support for
 	// public keys with OID RSASSA-PSS is added to crypto/x509, they will be misused with
-	// the rsa_pss_rsae_xxx SignatureSchemes. Assert that RSASSA-PSS certificates don't
+	// the rsa_pss_rsae_* SignatureSchemes. Assert that RSASSA-PSS certificates don't
 	// parse, or that they don't carry *rsa.PublicKey keys.
 	b, _ := pem.Decode([]byte(`
 -----BEGIN CERTIFICATE-----
@@ -1640,7 +1685,7 @@ RwBA9Xk1KBNF
 		return
 	}
 	if _, ok := cert.PublicKey.(*rsa.PublicKey); ok {
-		t.Error("A RSA-PSS certificate was parsed like a PKCS1 one, and it will be mistakenly used with rsa_pss_rsae_xxx signature algorithms")
+		t.Error("A RSASSA-PSS certificate was parsed like a PKCS#1 v1.5 one, and it will be mistakenly used with rsa_pss_rsae_* signature algorithms")
 	}
 }
 

diff --git a/src/crypto/tls/handshake_server_test.go b/src/crypto/tls/handshake_server_test.go
@@ -1039,6 +1039,22 @@ func TestHandshakeServerExportKeyingMaterial(t *testing.T) {
 	runServerTestTLS12(t, test)
 }
 
+func TestHandshakeServerRSAPKCS1v15(t *testing.T) {
+	test := &serverTest{
+		name:    "RSA-RSAPKCS1v15",
+		command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pkcs1_sha256"},
+	}
+	runServerTestTLS12(t, test)
+}
+
+func TestHandshakeServerRSAPSS(t *testing.T) {
+	test := &serverTest{
+		name:    "RSA-RSAPSS",
+		command: []string{"openssl", "s_client", "-no_ticket", "-sigalgs", "rsa_pss_rsae_sha256"},
+	}
+	runServerTestTLS12(t, test)
+}
+
 func benchmarkHandshakeServer(b *testing.B, cipherSuite uint16, curve CurveID, cert []byte, key crypto.PrivateKey) {
 	config := testConfig.Clone()
 	config.CipherSuites = []uint16{cipherSuite}
@@ -1120,10 +1136,6 @@ func BenchmarkHandshakeServer(b *testing.B) {
 	})
 }
 
-// clientCertificatePEM and clientKeyPEM were generated with generate_cert.go
-// Thus, they have no ExtKeyUsage fields and trigger an error when verification
-// is turned on.
-
 const clientCertificatePEM = `
 -----BEGIN CERTIFICATE-----
 MIIB7zCCAVigAwIBAgIQXBnBiWWDVW/cC8m5k5/pvDANBgkqhkiG9w0BAQsFADAS
@@ -1209,20 +1221,31 @@ func TestClientAuth(t *testing.T) {
 	runServerTestTLS12(t, test)
 
 	test = &serverTest{
-		name:              "ClientAuthRequestedAndGiven",
-		command:           []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-cert", certPath, "-key", keyPath},
+		name: "ClientAuthRequestedAndGiven",
+		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
+			"-cert", certPath, "-key", keyPath, "-sigalgs", "rsa_pss_rsae_sha256"},
 		config:            config,
 		expectedPeerCerts: []string{clientCertificatePEM},
 	}
 	runServerTestTLS12(t, test)
 
 	test = &serverTest{
-		name:              "ClientAuthRequestedAndECDSAGiven",
-		command:           []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA", "-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
+		name: "ClientAuthRequestedAndECDSAGiven",
+		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
+			"-cert", ecdsaCertPath, "-key", ecdsaKeyPath},
 		config:            config,
 		expectedPeerCerts: []string{clientECDSACertificatePEM},
 	}
 	runServerTestTLS12(t, test)
+
+	test = &serverTest{
+		name: "ClientAuthRequestedAndPKCS1v15Given",
+		command: []string{"openssl", "s_client", "-no_ticket", "-cipher", "AES128-SHA",
+			"-cert", certPath, "-key", keyPath, "-sigalgs", "rsa_pkcs1_sha256"},
+		config:            config,
+		expectedPeerCerts: []string{clientCertificatePEM},
+	}
+	runServerTestTLS12(t, test)
 }
 
 func TestSNIGivenOnFailure(t *testing.T) {
@@ -1417,6 +1440,11 @@ var testRSACertificate = fromHex("3082024b308201b4a003020102020900e8f09d3fe25bea
 
 var testRSACertificateIssuer = fromHex("3082021930820182a003020102020900ca5e4e811a965964300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f7430819f300d06092a864886f70d010101050003818d0030818902818100d667b378bb22f34143b6cd2008236abefaf2852adf3ab05e01329e2c14834f5105df3f3073f99dab5442d45ee5f8f57b0111c8cb682fbb719a86944eebfffef3406206d898b8c1b1887797c9c5006547bb8f00e694b7a063f10839f269f2c34fff7a1f4b21fbcd6bfdfb13ac792d1d11f277b5c5b48600992203059f2a8f8cc50203010001a35d305b300e0603551d0f0101ff040403020204301d0603551d250416301406082b0601050507030106082b06010505070302300f0603551d130101ff040530030101ff30190603551d0e041204104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b050003818100c1154b4bab5266221f293766ae4138899bd4c5e36b13cee670ceeaa4cbdf4f6679017e2fe649765af545749fe4249418a56bd38a04b81e261f5ce86b8d5c65413156a50d12449554748c59a30c515bc36a59d38bddf51173e899820b282e40aa78c806526fd184fb6b4cf186ec728edffa585440d2b3225325f7ab580e87dd76")
 
+// testRSAPSSCertificate has signatureAlgorithm rsassaPss, and subjectPublicKeyInfo
+// algorithm rsaEncryption, for use with the rsa_pss_rsae_* SignatureSchemes.
+// See also TestRSAPSSKeyError. testRSAPSSCertificate is self-signed.
+var testRSAPSSCertificate = fromHex("308202583082018da003020102021100f29926eb87ea8a0db9fcc247347c11b0304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012030123110300e060355040a130741636d6520436f301e170d3137313132333136313631305a170d3138313132333136313631305a30123110300e060355040a130741636d6520436f30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3463044300e0603551d0f0101ff0404030205a030130603551d25040c300a06082b06010505070301300c0603551d130101ff04023000300f0603551d110408300687047f000001304106092a864886f70d01010a3034a00f300d06096086480165030402010500a11c301a06092a864886f70d010108300d06096086480165030402010500a20302012003818100cdac4ef2ce5f8d79881042707f7cbf1b5a8a00ef19154b40151771006cd41626e5496d56da0c1a139fd84695593cb67f87765e18aa03ea067522dd78d2a589b8c92364e12838ce346c6e067b51f1a7e6f4b37ffab13f1411896679d18e880e0ba09e302ac067efca460288e9538122692297ad8093d4f7dd701424d7700a46a1")
+
 var testECDSACertificate = fromHex("3082020030820162020900b8bf2d47a0d2ebf4300906072a8648ce3d04013045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c7464301e170d3132313132323135303633325a170d3232313132303135303633325a3045310b3009060355040613024155311330110603550408130a536f6d652d53746174653121301f060355040a1318496e7465726e6574205769646769747320507479204c746430819b301006072a8648ce3d020106052b81040023038186000400c4a1edbe98f90b4873367ec316561122f23d53c33b4d213dcd6b75e6f6b0dc9adf26c1bcb287f072327cb3642f1c90bcea6823107efee325c0483a69e0286dd33700ef0462dd0da09c706283d881d36431aa9e9731bd96b068c09b23de76643f1a5c7fe9120e5858b65f70dd9bd8ead5d7f5d5ccb9b69f30665b669a20e227e5bffe3b300906072a8648ce3d040103818c0030818802420188a24febe245c5487d1bacf5ed989dae4770c05e1bb62fbdf1b64db76140d311a2ceee0b7e927eff769dc33b7ea53fcefa10e259ec472d7cacda4e970e15a06fd00242014dfcbe67139c2d050ebd3fa38c25c13313830d9406bbd4377af6ec7ac9862eddd711697f857c56defb31782be4c7780daecbbe9e4e3624317b6a0f399512078f2a")
 
 var testSNICertificate = fromHex("0441883421114c81480804c430820237308201a0a003020102020900e8f09d3fe25beaa6300d06092a864886f70d01010b0500301f310b3009060355040a1302476f3110300e06035504031307476f20526f6f74301e170d3136303130313030303030305a170d3235303130313030303030305a3023310b3009060355040a1302476f311430120603550403130b736e69746573742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100db467d932e12270648bc062821ab7ec4b6a25dfe1e5245887a3647a5080d92425bc281c0be97799840fb4f6d14fd2b138bc2a52e67d8d4099ed62238b74a0b74732bc234f1d193e596d9747bf3589f6c613cc0b041d4d92b2b2423775b1c3bbd755dce2054cfa163871d1e24c4f31d1a508baab61443ed97a77562f414c852d70203010001a3773075300e0603551d0f0101ff0404030205a0301d0603551d250416301406082b0601050507030106082b06010505070302300c0603551d130101ff0402300030190603551d0e041204109f91161f43433e49a6de6db680d79f60301b0603551d230414301280104813494d137e1631bba301d5acab6e7b300d06092a864886f70d01010b0500038181007beeecff0230dbb2e7a334af65430b7116e09f327c3bbf918107fc9c66cb497493207ae9b4dbb045cb63d605ec1b5dd485bb69124d68fa298dc776699b47632fd6d73cab57042acb26f083c4087459bc5a3bb3ca4d878d7fe31016b7bc9a627438666566e3389bfaeebe6becc9a0093ceed18d0f9ac79d56f3a73f18188988ed")

diff --git a/src/crypto/tls/handshake_test.go b/src/crypto/tls/handshake_test.go
@@ -68,17 +68,17 @@ func testOpenSSLVersion() {
 	}
 
 	version := string(output)
-	if strings.HasPrefix(version, "OpenSSL 1.1.0") {
+	if strings.HasPrefix(version, "OpenSSL 1.1.1") {
 		return
 	}
 
 	println("***********************************************")
 	println("")
-	println("You need to build OpenSSL 1.1.0 from source in order")
+	println("You need to build OpenSSL 1.1.1 from source in order")
 	println("to update the test data.")
 	println("")
 	println("Configure it with:")
-	println("./Configure enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method -static linux-x86_64")
+	println("./Configure enable-weak-ssl-ciphers enable-ssl3 enable-ssl3-method")
 	println("and then add the apps/ directory at the front of your PATH.")
 	println("***********************************************")