Skip to content

Commit

Permalink
DC-10
Browse files Browse the repository at this point in the history
crypto/tls: Implement draft-ietf-tls-subcerts-10

crypto/tls: fixes individual testing by adding insecure verify #62

crypto/tls: define api for delegated credentials so they are fetched using the same mechanisms used to fetch certificates #67 (#69)

Refactor new API

Address comments from review

Address comments from review 2

Address comments from review 3

crypto/tls: allow the usage of other keyUsage when checking for the dc extension #72 (#73)
  • Loading branch information
claucece authored and cjpatton committed Aug 20, 2021
1 parent c594904 commit becfdae
Show file tree
Hide file tree
Showing 17 changed files with 1,771 additions and 33 deletions.
68 changes: 68 additions & 0 deletions src/crypto/tls/auth.go
Original file line number Diff line number Diff line change
Expand Up @@ -259,6 +259,74 @@ func signatureSchemesForCertificate(version uint16, cert *Certificate) []Signatu
return sigAlgs
}

// signatureSchemeForDelegatedCredential returns the list of supported
// SignatureSchemes for a given delegated credential, based on the public
// key, and optionally filtered by its explicit
// SupportedSignatureAlgorithmsDC.
//
// This function must be kept in sync with supportedSignatureAlgorithmsDC.
func signatureSchemeForDelegatedCredential(version uint16, dc *DelegatedCredential) []SignatureScheme {
pub := dc.cred.publicKey

var sigAlgs []SignatureScheme
switch pub.(type) {
case *ecdsa.PublicKey:
pk, ok := pub.(*ecdsa.PublicKey)
if !ok {
return nil
}
switch pk.Curve {
case elliptic.P256():
sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256}
case elliptic.P384():
sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384}
case elliptic.P521():
sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512}
default:
return nil
}
case ed25519.PublicKey:
sigAlgs = []SignatureScheme{Ed25519}
case circlSign.PublicKey:
pk, ok := pub.(circlSign.PublicKey)
if !ok {
return nil
}
scheme := pk.Scheme()
tlsScheme, ok := scheme.(circlPki.TLSScheme)
if !ok {
return nil
}
sigAlgs = []SignatureScheme{SignatureScheme(tlsScheme.TLSIdentifier())}
default:
return nil
}

return sigAlgs
}

// selectSignatureSchemeDC picks a SignatureScheme from the peer's preference list
// that works with the selected delegated credential. It's only called for protocol
// versions that support delegated credential, so TLS 1.3.
func selectSignatureSchemeDC(vers uint16, dc *DelegatedCredential, peerAlgs []SignatureScheme) (SignatureScheme, error) {
if vers != VersionTLS13 {
return 0, errors.New("unsupported TLS version for dc")
}

supportedAlgs := signatureSchemeForDelegatedCredential(vers, dc)
if len(supportedAlgs) == 0 {
return 0, errors.New("unsupported scheme for dc")
}
// Pick signature scheme in the peer's preference order, as our
// preference order is not configurable.
for _, preferredAlg := range peerAlgs {
if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
return preferredAlg, nil
}
}
return 0, errors.New("tls: peer doesn't support any of the delegated credential's signature algorithms")
}

// selectSignatureScheme picks a SignatureScheme from the peer's preference list
// that works with the selected certificate. It's only called for protocol
// versions that support signature algorithms, so TLS 1.2 and 1.3.
Expand Down
66 changes: 66 additions & 0 deletions src/crypto/tls/common.go
Original file line number Diff line number Diff line change
Expand Up @@ -92,6 +92,7 @@ const (
extensionSignatureAlgorithms uint16 = 13
extensionALPN uint16 = 16
extensionSCT uint16 = 18
extensionDelegatedCredentials uint16 = 34
extensionSessionTicket uint16 = 35
extensionPreSharedKey uint16 = 41
extensionEarlyData uint16 = 42
Expand Down Expand Up @@ -195,6 +196,16 @@ var supportedSignatureAlgorithms = []SignatureScheme{
ECDSAWithSHA1,
}

// supportedSignatureAlgorithmsDC contains the signature and hash algorithms that
// the code advertises as supported in a TLS 1.3 ClientHello and in a TLS 1.3
// CertificateRequest. This excludes 'rsa_pss_rsae_' algorithms.
var supportedSignatureAlgorithmsDC = []SignatureScheme{
ECDSAWithP256AndSHA256,
Ed25519,
ECDSAWithP384AndSHA384,
ECDSAWithP521AndSHA512,
}

// helloRetryRequestRandom is set as the Random value of a ServerHello
// to signal that the message is actually a HelloRetryRequest.
var helloRetryRequestRandom = []byte{ // See RFC 8446, Section 4.1.3.
Expand Down Expand Up @@ -301,6 +312,11 @@ type ConnectionState struct {
// (and the peer provided a certificate) or RequireAndVerifyClientCert.
VerifiedChains [][]*x509.Certificate

// VerifiedDC indicates that the Delegated Credential sent by the peer (if advertised
// and correctly processed), which has been verified against the leaf certificate,
// has been used.
VerifiedDC bool

// SignedCertificateTimestamps is a list of SCTs provided by the peer
// through the TLS handshake for the leaf certificate, if any.
SignedCertificateTimestamps [][]byte
Expand Down Expand Up @@ -474,6 +490,13 @@ type ClientHelloInfo struct {
// Algorithms Extension is being used (see RFC 5246, Section 7.4.1.4.1).
SignatureSchemes []SignatureScheme

// SignatureSchemesDC lists the signature schemes that the client
// is willing to verify when using Delegated Credentials.
// This is and can be different from SignatureSchemes. SignatureSchemesDC
// is set only if the DelegatedCredentials Extension is being used.
// If Delegated Credentials are supported, this list should not be nil.
SignatureSchemesDC []SignatureScheme

// SupportedProtos lists the application protocols supported by the client.
// SupportedProtos is set only if the Application-Layer Protocol
// Negotiation Extension is being used (see RFC 7301, Section 3.1).
Expand All @@ -488,6 +511,10 @@ type ClientHelloInfo struct {
// might be rejected if used.
SupportedVersions []uint16

// SupportDelegatedCredential is true if the client indicated willingness
// to negotiate the Delegated Credential extension.
SupportsDelegatedCredential bool

// Conn is the underlying net.Conn for the connection. Do not read
// from, or write to, this connection; that will cause the TLS
// connection to fail.
Expand All @@ -508,10 +535,21 @@ type CertificateRequestInfo struct {
// empty slice indicates that the server has no preference.
AcceptableCAs [][]byte

// SupportDelegatedCredential is true if the server indicated willingness
// to negotiate the Delegated Credential extension.
SupportsDelegatedCredential bool

// SignatureSchemes lists the signature schemes that the server is
// willing to verify.
SignatureSchemes []SignatureScheme

// SignatureSchemesDC lists the signature schemes that the server
// is willing to verify when using Delegated Credentials.
// This is and can be different from SignatureSchemes. SignatureSchemesDC
// is set only if the DelegatedCredentials Extension is being used.
// If Delegated Credentials are supported, this list should not be nil.
SignatureSchemesDC []SignatureScheme

// Version is the TLS version that was negotiated for this connection.
Version uint16
}
Expand Down Expand Up @@ -774,6 +812,13 @@ type Config struct {
// This feature is unstable and applications MUST NOT depend on it.
CFControl interface{}

// SupportDelegatedCredential is true if the client or server is willing
// to negotiate the delegated credential extension.
// This can only be used with TLS 1.3.
//
// See https://tools.ietf.org/html/draft-ietf-tls-subcerts.
SupportDelegatedCredential bool

// mutex protects sessionTicketKeys and autoSessionTicketKeys.
mutex sync.RWMutex
// sessionTicketKeys contains zero or more ticket keys. If set, it means the
Expand Down Expand Up @@ -863,6 +908,7 @@ func (c *Config) Clone() *Config {
DynamicRecordSizingDisabled: c.DynamicRecordSizingDisabled,
Renegotiation: c.Renegotiation,
KeyLogWriter: c.KeyLogWriter,
SupportDelegatedCredential: c.SupportDelegatedCredential,
ECHEnabled: c.ECHEnabled,
ClientECHConfigs: c.ClientECHConfigs,
ServerECHProvider: c.ServerECHProvider,
Expand Down Expand Up @@ -1407,6 +1453,16 @@ func (c *Config) writeKeyLog(label string, clientRandom, secret []byte) error {
// and is only for debugging, so a global mutex saves space.
var writerMutex sync.Mutex

// A DelegatedCredentialPair contains a Delegated Credential and its
// associated private key.
type DelegatedCredentialPair struct {
// DC is the delegated credential.
DC *DelegatedCredential
// PrivateKey is the private key used to derive the public key of
// contained in DC. PrivateKey must implement crypto.Signer.
PrivateKey crypto.PrivateKey
}

// A Certificate is a chain of one or more certificates, leaf first.
type Certificate struct {
Certificate [][]byte
Expand All @@ -1424,6 +1480,16 @@ type Certificate struct {
// SignedCertificateTimestamps contains an optional list of Signed
// Certificate Timestamps which will be served to clients that request it.
SignedCertificateTimestamps [][]byte
// DelegatedCredentials are a list of Delegated Credentials with their
// corresponding private keys, signed by the leaf certificate.
// If there are no delegated credentials, this field is nil.
DelegatedCredentials []DelegatedCredentialPair
// DelegatedCredential is the delegated credential to be used in the
// handshake.
// If there are no delegated credentials, this field is nil.
// NOTE: Do not fill this field, as it will be filled depending on
// the provided list of delegated credentials.
DelegatedCredential []byte
// Leaf is the parsed form of the leaf certificate, which may be initialized
// using x509.ParseCertificate to reduce per-handshake processing. If nil,
// the leaf certificate will be parsed as needed.
Expand Down
6 changes: 6 additions & 0 deletions src/crypto/tls/conn.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,6 +52,9 @@ type Conn struct {
// verifiedChains contains the certificate chains that we built, as
// opposed to the ones presented by the server.
verifiedChains [][]*x509.Certificate
// verifiedDC contains the Delegated Credential sent by the peer (if advertised
// and correctly processed), which has been verified against the leaf certificate.
verifiedDC *DelegatedCredential
// serverName contains the server name indicated by the client, if any.
serverName string
// secureRenegotiation is true if the server echoed the secure
Expand Down Expand Up @@ -1466,6 +1469,9 @@ func (c *Conn) connectionStateLocked() ConnectionState {
state.CipherSuite = c.cipherSuite
state.PeerCertificates = c.peerCertificates
state.VerifiedChains = c.verifiedChains
if c.verifiedDC != nil {
state.VerifiedDC = true
}
state.SignedCertificateTimestamps = c.scts
state.OCSPResponse = c.ocspResponse
state.ECHAccepted = c.ech.accepted
Expand Down
Loading

0 comments on commit becfdae

Please sign in to comment.