From 4f170e825c200ed7c664e62fdf46db740d154c90 Mon Sep 17 00:00:00 2001
From: Mathias
Date: Thu, 14 Mar 2024 19:22:35 +0100
Subject: [PATCH 1/3] Add three additional signature algorithms, offered by atleast AWS

---
 src/config.rs | 2 +-
 src/extensions/extension_data/signature_algorithms.rs | 8 ++++++++
 src/extensions/messages.rs | 6 +++---
 src/handshake/certificate_request.rs | 2 +-
 4 files changed, 13 insertions(+), 5 deletions(-)

diff --git a/src/config.rs b/src/config.rs
index e147c179..bcfa2cb1 100644
--- a/src/config.rs
+++ b/src/config.rs
@@ -124,7 +124,7 @@ where
 pub struct TlsConfig<'a> {
 pub(crate) server_name: Option<&'a str>,
 pub(crate) psk: Option<(&'a [u8], Vec<&'a [u8], 4>)>,
- pub(crate) signature_schemes: Vec,
+ pub(crate) signature_schemes: Vec,
 pub(crate) named_groups: Vec,
 pub(crate) max_fragment_length: Option,
 pub(crate) ca: Option>,
diff --git a/src/extensions/extension_data/signature_algorithms.rs b/src/extensions/extension_data/signature_algorithms.rs
index 70422355..0baf6401 100644
--- a/src/extensions/extension_data/signature_algorithms.rs
+++ b/src/extensions/extension_data/signature_algorithms.rs
@@ -33,6 +33,10 @@ pub enum SignatureScheme {
 RsaPssPssSha384 = 0x080a,
 RsaPssPssSha512 = 0x080b,
 
+ Sha224Ecdsa = 0x0303,
+ Sha224Rsa = 0x0301,
+ Sha224Dsa = 0x0302,
+
 /* Legacy algorithms */
 RsaPkcs1Sha1 = 0x0201,
 EcdsaSha1 = 0x0203,
@@ -63,6 +67,10 @@ impl SignatureScheme {
 0x080a => Ok(Self::RsaPssPssSha384),
 0x080b => Ok(Self::RsaPssPssSha512),
 
+ 0x0303 => Ok(Self::Sha224Ecdsa),
+ 0x0301 => Ok(Self::Sha224Rsa),
+ 0x0302 => Ok(Self::Sha224Dsa),
+
 0x0201 => Ok(Self::RsaPkcs1Sha1),
 0x0203 => Ok(Self::EcdsaSha1),
 _ => Err(ParseError::InvalidData),
diff --git a/src/extensions/messages.rs b/src/extensions/messages.rs
index c5e4e98b..370a7792 100644
--- a/src/extensions/messages.rs
+++ b/src/extensions/messages.rs
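Review bot: In src/extensions/extension_data/signature_algorithms.rs the three SHA-224 variants sit above the `/* Legacy algorithms */` marker, directly after the RSASSA-PSS entries, and nothing says that 0x0301–0x0303 are TLS 1.2-era hash/signature pairs that fall in the range RFC 8446 lists as obsolete reserved values. Move them under the legacy marker, in the enum and in the matching parse arms of the second hunk, with a comment such as `/* SHA-224 (TLS 1.2 legacy): recognised so a peer's list decodes; not accepted for verification */`. The fallback arm `_ => Err(ParseError::InvalidData)` is unchanged, so any other code point a peer advertises presumably still fails the decode; skipping unknown values would be more durable than enumerating them, though the list-decoding code is outside these hunks. The enum and the `impl SignatureScheme` body both continue outside the hunks.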
@@ -19,12 +19,12 @@ extension_group! {
 pub enum ClientHelloExtension<'a> {
 ServerName(ServerNameList<'a, 1>),
 SupportedVersions(SupportedVersionsClientHello<16>),
- SignatureAlgorithms(SignatureAlgorithms<16>),
+ SignatureAlgorithms(SignatureAlgorithms<19>),
 SupportedGroups(SupportedGroups<16>),
 KeyShare(KeyShareClientHello<'a, 1>),
 PreSharedKey(PreSharedKeyClientHello<'a, 4>),
 PskKeyExchangeModes(PskKeyExchangeModes<4>),
- SignatureAlgorithmsCert(SignatureAlgorithmsCert<16>),
+ SignatureAlgorithmsCert(SignatureAlgorithmsCert<19>),
 MaxFragmentLength(MaxFragmentLength),
 StatusRequest(Unimplemented<'a>),
 UseSrtp(Unimplemented<'a>),
@@ -71,7 +71,7 @@ extension_group! {
 extension_group! {
 pub enum CertificateRequestExtension<'a> {
 StatusRequest(Unimplemented<'a>),
- SignatureAlgorithms(SignatureAlgorithms<16>),
+ SignatureAlgorithms(SignatureAlgorithms<19>),
 SignedCertificateTimestamp(Unimplemented<'a>),
 CertificateAuthorities(Unimplemented<'a>),
 OidFilters(Unimplemented<'a>),
diff --git a/src/handshake/certificate_request.rs b/src/handshake/certificate_request.rs
index 1c78e485..17d95a00 100644
--- a/src/handshake/certificate_request.rs
+++ b/src/handshake/certificate_request.rs
@@ -34,7 +34,7 @@ impl<'a> CertificateRequestRef<'a> {
 #[cfg_attr(feature = "defmt", derive(defmt::Format))]
 pub struct CertificateRequest {
 pub(crate) request_context: Vec,
- pub(crate) signature_algorithms: Option>,
+ pub(crate) signature_algorithms: Option>,
 }
 
 impl<'a> TryFrom> for CertificateRequest {
From 363a8a92c961a113f9ee94dea4ff0de62ea51464 Mon Sep 17 00:00:00 2001
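Review bot: The capacity literal `19` is now written three times in src/extensions/messages.rs (twice in the first hunk, once in the second), and the config.rs and certificate_request.rs hunks appear to change the same bound. A single crate-level constant, for example `pub(crate) const MAX_SIGNATURE_SCHEMES: usize = 19;`, would keep these from drifting apart the next time a scheme is added. A short comment on it should say what the bound means on the receive path: presumably a peer list longer than the capacity makes decoding fail, so the number is an interoperability limit tied to the count of known `SignatureScheme` values. The `extension_group!` invocations continue outside both hunks.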
From: Mathias
Date: Fri, 15 Mar 2024 11:07:32 +0100
Subject: [PATCH 2/3] Add script to generate test certificates and keys, and add new ong-lived certificates for tests

---
 tests/data/ca-cert.pem | 21 +++++++++++----------
 tests/data/ca-key.pem | 10 +++++-----
 tests/data/client-cert.pem | 20 ++++++++++----------
 tests/data/client-key.pem | 6 +++---
 tests/data/client.csr | 8 ++++++++
 tests/data/gen_certs_and_keys.sh | 14 ++++++++++++++
 tests/data/server-cert.pem | 21 ++++++++++-----------
 tests/data/server-key.pem | 10 +++++-----
 tests/data/server.csr | 8 ++++++++
 9 files changed, 74 insertions(+), 44 deletions(-)
 create mode 100644 tests/data/client.csr
 create mode 100755 tests/data/gen_certs_and_keys.sh
 create mode 100644 tests/data/server.csr

diff --git a/tests/data/ca-cert.pem b/tests/data/ca-cert.pem
index 1015a352..16bcf987 100644
--- a/tests/data/ca-cert.pem
+++ b/tests/data/ca-cert.pem
@@ -1,12 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB2TCCAX+gAwIBAgIUZ+9dtzTSadaW+FC4m8dOGL40eBMwCgYIKoZIzj0EAwIw
-QjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwT
-RGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMTEwMTMwODIwNDJaFw0zMTEwMTEwODIw
-NDJaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNV
-BAoME0RlZmF1bHQgQ29tcGFueSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
-AARwQ/jWAMuCH4qbcYVntGyq4RCYKiWiN9cVXKOnnDbSfIXS8IGnF7PFrCOck9yx
-4A7Pfo/00rTf0x1/NKNOV5nio1MwUTAdBgNVHQ4EFgQU7HQ64pisg1MasN9wSLE/
-LC6PcjowHwYDVR0jBBgwFoAU7HQ64pisg1MasN9wSLE/LC6PcjowDwYDVR0TAQH/
-BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiBMip1366r3oWgJFzkkmh3Sf2te54G5
-KWs0PcVLaoNiuAIhAIx5dhXti2FEQ4mkZUKaqxfH5GdboZa6JEv2yYTd6ZvK
+MIIB4TCCAYegAwIBAgIUQg+MEmSRVTK2bmxap0ML1hrSlWYwCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDAzMTUxMDA0MTRaGA8yMDUxMDgw
+MTEwMDQxNFowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABB2pswE2gtPH89n4Wt0G4s8DomZAB7nkUgUOt5cs6vEJLoPTiPo8
+3KXH3neFwooXK1OX+pCtwyun+EMDxbzZAyujUzBRMB0GA1UdDgQWBBTCzl8UW2Kl
+0hJcSAmVz0/TKyCdXDAfBgNVHSMEGDAWgBTCzl8UW2Kl0hJcSAmVz0/TKyCdXDAP
+BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIECp2SXHt3BkjkxCovuE
+5v8TmyuZqgyte95t9B28kDExAiEAqSM8ngckj9JqgKUijOMRYIE+frU9RtlawtUi
+7n2KQV0=
 -----END CERTIFICATE-----
diff --git a/tests/data/ca-key.pem b/tests/data/ca-key.pem
index d29266b4..2a84dfb6 100644
--- a/tests/data/ca-key.pem
+++ b/tests/data/ca-key.pem
@@ -1,5 +1,5 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgb2Ff7kE1XJA3FKLl
-sNqHvI6ALhbh3pZjzeWTa+BrfvKhRANCAARwQ/jWAMuCH4qbcYVntGyq4RCYKiWi
-N9cVXKOnnDbSfIXS8IGnF7PFrCOck9yx4A7Pfo/00rTf0x1/NKNOV5ni
------END PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINFi5sVVW/2beOSKPlg8ef4Daez9wW2md3vBQ/XGzxKmoAoGCCqGSM49
+AwEHoUQDQgAEHamzATaC08fz2fha3QbizwOiZkAHueRSBQ63lyzq8Qkug9OI+jzc
+pcfed4XCihcrU5f6kK3DK6f4QwPFvNkDKw==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data/client-cert.pem b/tests/data/client-cert.pem
index cb04a1a3..cfd11764 100644
--- a/tests/data/client-cert.pem
+++ b/tests/data/client-cert.pem
@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBzDCCAXGgAwIBAgIUVB+wKMT9vfrrgAOVt5qON8J8onMwCgYIKoZIzj0EAwIw
-QjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwT
-RGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAyMDkwOTI3NDlaFw0yNDAzMTAwOTI3
-NDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK
-DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMB
-BwNCAAQzXKrX05qlw3NP1k6+kSiTnmI6Mo3ffT6VY71oPQIcqYiD1+hY7tIkk9kV
-ke11ZNdGZR0r/o+4TzYJcxcgkNhLo0IwQDAdBgNVHQ4EFgQUBH7ViSdnDzmkYtsO
-/f+BpHjeJHcwHwYDVR0jBBgwFoAU7HQ64pisg1MasN9wSLE/LC6PcjowCgYIKoZI
-zj0EAwIDSQAwRgIhAONbHGkd+/wpgELOk/az5ELfrB7YO2o4a6Uix5KQOnARAiEA
-tDGyTnCEmHjB/GGsLwLa8DRplNXFESDH2erfhutw8ME=
+MIIBzTCCAXSgAwIBAgIUGQYrxI6lMa1yflVNpTO7VPPEwSgwCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAzMTUxMDA0MTVaFw0yNjEyMTAx
+MDA0MTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAATBRnKMD+6BTcFuurE4Qt4pMgjUaWLOP/kTdGzyaZkVlPfp0fIKTRKv
+EgHJlmTjsZfHkIm7nVD078BrfRoP6DqIo0IwQDAdBgNVHQ4EFgQUghgnu06bRUBN
+bZHPn38zSTpb70UwHwYDVR0jBBgwFoAUws5fFFtipdISXEgJlc9P0ysgnVwwCgYI
+KoZIzj0EAwIDRwAwRAIgOu6eFOYVbuWpIyDs2WrLXqHybAYlv4y4qqD6LZtITawC
+IHNgKyB1PNV0CN7VOexBVJQv4edB8etbVxAF+WqztDT+
 -----END CERTIFICATE-----
diff --git a/tests/data/client-key.pem b/tests/data/client-key.pem
index 3f0ba5af..a956640d 100644
--- a/tests/data/client-key.pem
+++ b/tests/data/client-key.pem
@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIIMoxSnX9BbbgLSGk2rVi0o+NLwzisbbfce/pLGkHwvooAoGCCqGSM49
-AwEHoUQDQgAEM1yq19OapcNzT9ZOvpEok55iOjKN330+lWO9aD0CHKmIg9foWO7S
-JJPZFZHtdWTXRmUdK/6PuE82CXMXIJDYSw==
+MHcCAQEEIFllWPnIPExTk23tY4nSbss9UJ3EgDG91qZqajC/FBrkoAoGCCqGSM49
+AwEHoUQDQgAEwUZyjA/ugU3BbrqxOELeKTII1Glizj/5E3Rs8mmZFZT36dHyCk0S
+rxIByZZk47GXx5CJu51Q9O/Aa30aD+g6iA==
 -----END EC PRIVATE KEY-----
diff --git a/tests/data/client.csr b/tests/data/client.csr
new file mode 100644
index 00000000..c13ea0d9
--- /dev/null
+++ b/tests/data/client.csr
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAATBRnKMD+6BTcFuurE4Qt4pMgjUaWLOP/kTdGzyaZkVlPfp0fIK
+TRKvEgHJlmTjsZfHkIm7nVD078BrfRoP6DqIoAAwCgYIKoZIzj0EAwIDRwAwRAIg
+Lz4amy52zltB01+MsIbEs0prvo3IscABIjJ5fmDbfKwCIBIHDrmrMLpSQmC6IhtD
+dbx7onV8yn6akJxA8tYjW6em
+-----END CERTIFICATE REQUEST-----
diff --git a/tests/data/gen_certs_and_keys.sh b/tests/data/gen_certs_and_keys.sh
new file mode 100755
index 00000000..99e33401
--- /dev/null
+++ b/tests/data/gen_certs_and_keys.sh
@@ -0,0 +1,14 @@
+# Create CA private key and certificate
+openssl ecparam -name prime256v1 -genkey -noout -out ca-key.pem
+openssl req -new -x509 -sha256 -key ca-key.pem -days 10000 -out ca-cert.pem
+
+
+# Create private key, certificate signing request (CSR) and certificate for client
+openssl ecparam -name prime256v1 -genkey -noout -out client-key.pem
+openssl req -new -sha256 -key client-key.pem -out client.csr
+openssl x509 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 1000 -sha256
+
+# Create private key, certificate signing request (CSR) and certificate for server
+openssl ecparam -name prime256v1 -genkey -noout -out server-key.pem
+openssl req -new -sha256 -key server-key.pem -out server.csr
+openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 10000 -sha256
diff --git a/tests/data/server-cert.pem b/tests/data/server-cert.pem
index 34f54a37..6fa4002c 100644
--- a/tests/data/server-cert.pem
+++ b/tests/data/server-cert.pem
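Review bot: tests/data/gen_certs_and_keys.sh issues the client certificate with `-days 1000` while the CA and server use `-days 10000`, so the client fixture expires first and the tests that load it will start failing at that point; use `-days 10000` there too if the fixtures are meant to be long-lived. The file is created with mode 100755 but has no interpreter line and no error handling, so a failed openssl step does not stop the later ones; it should start with `#!/bin/sh` and `set -eu`. None of the `openssl req -new` calls passes `-subj` and neither `openssl x509 -req` call passes `-extfile`, so the subjects come from interactive prompts and no subjectAltName is requested; the server certificate this replaces appears to have carried a localhost name, which matters if any test checks the server name. A header comment should also state that the keys written next to the script are public test fixtures and must not be trusted outside the test suite.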
@@ -1,13 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIICBjCCAa2gAwIBAgIULDyCYYteka2S6hEC2890o7k+0Z0wCgYIKoZIzj0EAwIw
-QjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwT
-RGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMTEwMTMwODIwNDJaFw0zMTEwMTEwODIw
-NDJaMHIxCzAJBgNVBAYTAk5PMQ4wDAYDVQQIDAVIYW1hcjEOMAwGA1UEBwwFSGFt
-YXIxGDAWBgNVBAoMD0dsb2JhbCBTZWN1cml0eTEVMBMGA1UECwwMSG9sc2V0YmFr
-a2VuMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
-AATEmfbzqqHiZwCKXgEfjAWjk6zPlK9Fs3bXfjo2gt1NuqA4yCdOULKa6aIFHyAv
-fM3zHNiL5vk5pbBtzja6vaIjo1EwTzAfBgNVHSMEGDAWgBTsdDrimKyDUxqw33BI
-sT8sLo9yOjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAUBgNVHREEDTALgglsb2Nh
-bGhvc3QwCgYIKoZIzj0EAwIDRwAwRAIgbzQX/FohpbrME+QE6bo0UrYdXI1hSaSs
-8yjdM7dr4HoCIEM+dbqDGm+QG+tkhH7jB35czbBWmC/Y5ObMM29i/u2h
+MIIBzzCCAXagAwIBAgIUGQYrxI6lMa1yflVNpTO7VPPEwSkwCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDAzMTUxMDA0MTdaGA8yMDUxMDgw
+MTEwMDQxN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABETSCUisGGdCnccDgjSkSnk7W9AwUJVV4fLeP7c0G1QH1KBjQFib
+fOiWiVi28vSFmqjsTDIMx9kdWLeUnBi9zwGjQjBAMB0GA1UdDgQWBBQDKzwiywv5
+9mVBb18zMizxhf9YgzAfBgNVHSMEGDAWgBTCzl8UW2Kl0hJcSAmVz0/TKyCdXDAK
+BggqhkjOPQQDAgNHADBEAiBRY8JvchuVF8+3ZKKHK5479LHIKGrLunjAiUct6x9J
+nQIgXzQlpSfpbSiZJc1vyfePkiyiDq02t3TQg7vhpmZeonU=
 -----END CERTIFICATE-----
diff --git a/tests/data/server-key.pem b/tests/data/server-key.pem
index 693c93cf..3f756da1 100644
--- a/tests/data/server-key.pem
+++ b/tests/data/server-key.pem
@@ -1,5 +1,5 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKoaBrAdXxdzKFph6
-tXe2+WYYMV0HUz9KWdnz81f38YKhRANCAATEmfbzqqHiZwCKXgEfjAWjk6zPlK9F
-s3bXfjo2gt1NuqA4yCdOULKa6aIFHyAvfM3zHNiL5vk5pbBtzja6vaIj
------END PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINr4rPfkzpj7lJtJSoAwhLlTw5EQbHq+prwpWL5NlUlHoAoGCCqGSM49
+AwEHoUQDQgAERNIJSKwYZ0KdxwOCNKRKeTtb0DBQlVXh8t4/tzQbVAfUoGNAWJt8
+6JaJWLby9IWaqOxMMgzH2R1Yt5ScGL3PAQ==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data/server.csr b/tests/data/server.csr
new file mode 100644
index 00000000..c6def0f7
--- /dev/null
+++ b/tests/data/server.csr
@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAARE0glIrBhnQp3HA4I0pEp5O1vQMFCVVeHy3j+3NBtUB9SgY0BY
+m3zololYtvL0hZqo7EwyDMfZHVi3lJwYvc8BoAAwCgYIKoZIzj0EAwIDRwAwRAIg
+PrWAWWiMXPKHsx6zzEkzzonesjnUJc3YsbGfmGn8xXACIHLTD3XYL/X1Naoi1CMq
+nNcthxjBCwiHfVB2cqaf8N19
+-----END CERTIFICATE REQUEST-----
From 9b3c9d7f6fc83a9915c710599fe61b01173ee055 Mon Sep 17 00:00:00 2001
From: Mathias
Date: Fri, 15 Mar 2024 11:12:52 +0100
Subject: [PATCH 3/3] Fix webpki

---
 src/webpki.rs | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/src/webpki.rs b/src/webpki.rs
index 2734d76b..e96b62cc 100644
--- a/src/webpki.rs
+++ b/src/webpki.rs
@@ -34,6 +34,10 @@ impl TryInto<&'static webpki::SignatureAlgorithm> for SignatureScheme {
 SignatureScheme::Ed25519 => Ok(&webpki::ED25519),
 SignatureScheme::Ed448 => Err(TlsError::InvalidSignatureScheme),
 
+ SignatureScheme::Sha224Ecdsa => Err(TlsError::InvalidSignatureScheme),
+ SignatureScheme::Sha224Rsa => Err(TlsError::InvalidSignatureScheme),
+ SignatureScheme::Sha224Dsa => Err(TlsError::InvalidSignatureScheme),
+
 /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
 SignatureScheme::RsaPssPssSha256 => Err(TlsError::InvalidSignatureScheme),
 SignatureScheme::RsaPssPssSha384 => Err(TlsError::InvalidSignatureScheme),
@@ -69,6 +73,10 @@ impl TryInto<&'static webpki::SignatureAlgorithm> for SignatureScheme {
 SignatureScheme::Ed25519 => Ok(&webpki::ED25519),
 SignatureScheme::Ed448 => Err(TlsError::InvalidSignatureScheme),
 
+ SignatureScheme::Sha224Ecdsa => Err(TlsError::InvalidSignatureScheme),
+ SignatureScheme::Sha224Rsa => Err(TlsError::InvalidSignatureScheme),
+ SignatureScheme::Sha224Dsa => Err(TlsError::InvalidSignatureScheme),
+
 /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
 SignatureScheme::RsaPssPssSha256 => Err(TlsError::InvalidSignatureScheme),
 SignatureScheme::RsaPssPssSha384 => Err(TlsError::InvalidSignatureScheme),
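Review bot: The three new arms in both hunks of src/webpki.rs reject the SHA-224 schemes, which is the safe direction, but nothing records that the rejection is deliberate rather than a mapping still to be filled in. A comment above them, such as `/* SHA-224 schemes: recognised on the wire, not accepted for certificate verification */`, would stop a later change from wiring them to a verifier. The arms could also be folded into one pattern, `SignatureScheme::Sha224Ecdsa | SignatureScheme::Sha224Rsa | SignatureScheme::Sha224Dsa => Err(TlsError::InvalidSignatureScheme),`, which makes it easier to keep the two `TryInto` implementations in step. Both match bodies start and end outside the hunks.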