1 // Copyright 2017 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
21 // verifyHandshakeSignature verifies a signature against pre-hashed
22 // (if required) handshake contents.
23 func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, signed, sig []byte) error {
26 pubKey, ok := pubkey.(*ecdsa.PublicKey)
28 return fmt.Errorf("expected an ECDSA public key, got %T", pubkey)
30 ecdsaSig := new(ecdsaSignature)
31 if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {
34 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
35 return errors.New("ECDSA signature contained zero or negative values")
37 if !ecdsa.Verify(pubKey, signed, ecdsaSig.R, ecdsaSig.S) {
38 return errors.New("ECDSA verification failure")
40 case signatureEd25519:
41 pubKey, ok := pubkey.(ed25519.PublicKey)
43 return fmt.Errorf("expected an Ed25519 public key, got %T", pubkey)
45 if !ed25519.Verify(pubKey, signed, sig) {
46 return errors.New("Ed25519 verification failure")
48 case signaturePKCS1v15:
49 pubKey, ok := pubkey.(*rsa.PublicKey)
51 return fmt.Errorf("expected an RSA public key, got %T", pubkey)
53 if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, signed, sig); err != nil {
57 pubKey, ok := pubkey.(*rsa.PublicKey)
59 return fmt.Errorf("expected an RSA public key, got %T", pubkey)
61 signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
62 if err := rsa.VerifyPSS(pubKey, hashFunc, signed, sig, signOpts); err != nil {
66 return errors.New("internal error: unknown signature type")
72 serverSignatureContext = "TLS 1.3, server CertificateVerify\x00"
73 clientSignatureContext = "TLS 1.3, client CertificateVerify\x00"
76 var signaturePadding = []byte{
77 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
78 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
79 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
80 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
81 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
82 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
83 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
84 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
87 // signedMessage returns the pre-hashed (if necessary) message to be signed by
88 // certificate keys in TLS 1.3. See RFC 8446, Section 4.4.3.
89 func signedMessage(sigHash crypto.Hash, context string, transcript hash.Hash) []byte {
90 if sigHash == directSigning {
92 b.Write(signaturePadding)
93 io.WriteString(b, context)
94 b.Write(transcript.Sum(nil))
98 h.Write(signaturePadding)
99 io.WriteString(h, context)
100 h.Write(transcript.Sum(nil))
104 // typeAndHashFromSignatureScheme returns the corresponding signature type and
105 // crypto.Hash for a given TLS SignatureScheme.
106 func typeAndHashFromSignatureScheme(signatureAlgorithm SignatureScheme) (sigType uint8, hash crypto.Hash, err error) {
107 switch signatureAlgorithm {
108 case PKCS1WithSHA1, PKCS1WithSHA256, PKCS1WithSHA384, PKCS1WithSHA512:
109 sigType = signaturePKCS1v15
110 case PSSWithSHA256, PSSWithSHA384, PSSWithSHA512:
111 sigType = signatureRSAPSS
112 case ECDSAWithSHA1, ECDSAWithP256AndSHA256, ECDSAWithP384AndSHA384, ECDSAWithP521AndSHA512:
113 sigType = signatureECDSA
115 sigType = signatureEd25519
117 return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
119 switch signatureAlgorithm {
120 case PKCS1WithSHA1, ECDSAWithSHA1:
122 case PKCS1WithSHA256, PSSWithSHA256, ECDSAWithP256AndSHA256:
124 case PKCS1WithSHA384, PSSWithSHA384, ECDSAWithP384AndSHA384:
126 case PKCS1WithSHA512, PSSWithSHA512, ECDSAWithP521AndSHA512:
131 return 0, 0, fmt.Errorf("unsupported signature algorithm: %#04x", signatureAlgorithm)
133 return sigType, hash, nil
136 // legacyTypeAndHashFromPublicKey returns the fixed signature type and crypto.Hash for
137 // a given public key used with TLS 1.0 and 1.1, before the introduction of
138 // signature algorithm negotiation.
139 func legacyTypeAndHashFromPublicKey(pub crypto.PublicKey) (sigType uint8, hash crypto.Hash, err error) {
142 return signaturePKCS1v15, crypto.MD5SHA1, nil
143 case *ecdsa.PublicKey:
144 return signatureECDSA, crypto.SHA1, nil
145 case ed25519.PublicKey:
146 // RFC 8422 specifies support for Ed25519 in TLS 1.0 and 1.1,
147 // but it requires holding on to a handshake transcript to do a
148 // full signature, and not even OpenSSL bothers with the
149 // complexity, so we can't even test it properly.
150 return 0, 0, fmt.Errorf("tls: Ed25519 public keys are not supported before TLS 1.2")
152 return 0, 0, fmt.Errorf("tls: unsupported public key: %T", pub)
156 // signatureSchemesForCertificate returns the list of supported SignatureSchemes
157 // for a given certificate, based on the public key and the protocol version,
158 // and optionally filtered by its explicit SupportedSignatureAlgorithms.
160 // This function must be kept in sync with supportedSignatureAlgorithms.
161 func signatureSchemesForCertificate(version uint16, cert *Certificate) []SignatureScheme {
162 priv, ok := cert.PrivateKey.(crypto.Signer)
167 var sigAlgs []SignatureScheme
168 switch pub := priv.Public().(type) {
169 case *ecdsa.PublicKey:
170 if version != VersionTLS13 {
171 // In TLS 1.2 and earlier, ECDSA algorithms are not
172 // constrained to a single curve.
173 sigAlgs = []SignatureScheme{
174 ECDSAWithP256AndSHA256,
175 ECDSAWithP384AndSHA384,
176 ECDSAWithP521AndSHA512,
182 case elliptic.P256():
183 sigAlgs = []SignatureScheme{ECDSAWithP256AndSHA256}
184 case elliptic.P384():
185 sigAlgs = []SignatureScheme{ECDSAWithP384AndSHA384}
186 case elliptic.P521():
187 sigAlgs = []SignatureScheme{ECDSAWithP521AndSHA512}
192 if version != VersionTLS13 {
193 sigAlgs = []SignatureScheme{
204 // TLS 1.3 dropped support for PKCS#1 v1.5 in favor of RSA-PSS.
205 sigAlgs = []SignatureScheme{
210 case ed25519.PublicKey:
211 sigAlgs = []SignatureScheme{Ed25519}
216 if cert.SupportedSignatureAlgorithms != nil {
217 var filteredSigAlgs []SignatureScheme
218 for _, sigAlg := range sigAlgs {
219 if isSupportedSignatureAlgorithm(sigAlg, cert.SupportedSignatureAlgorithms) {
220 filteredSigAlgs = append(filteredSigAlgs, sigAlg)
223 return filteredSigAlgs
228 // selectSignatureScheme picks a SignatureScheme from the peer's preference list
229 // that works with the selected certificate. It's only called for protocol
230 // versions that support signature algorithms, so TLS 1.2 and 1.3.
231 func selectSignatureScheme(vers uint16, c *Certificate, peerAlgs []SignatureScheme) (SignatureScheme, error) {
232 supportedAlgs := signatureSchemesForCertificate(vers, c)
233 if len(supportedAlgs) == 0 {
234 return 0, unsupportedCertificateError(c)
236 if len(peerAlgs) == 0 && vers == VersionTLS12 {
237 // For TLS 1.2, if the client didn't send signature_algorithms then we
238 // can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
239 peerAlgs = []SignatureScheme{PKCS1WithSHA1, ECDSAWithSHA1}
241 // Pick signature scheme in the peer's preference order, as our
242 // preference order is not configurable.
243 for _, preferredAlg := range peerAlgs {
244 if isSupportedSignatureAlgorithm(preferredAlg, supportedAlgs) {
245 return preferredAlg, nil
248 return 0, errors.New("tls: peer doesn't support any of the certificate's signature algorithms")
251 // unsupportedCertificateError returns a helpful error for certificates with
252 // an unsupported private key.
253 func unsupportedCertificateError(cert *Certificate) error {
254 switch cert.PrivateKey.(type) {
255 case rsa.PrivateKey, ecdsa.PrivateKey:
256 return fmt.Errorf("tls: unsupported certificate: private key is %T, expected *%T",
257 cert.PrivateKey, cert.PrivateKey)
258 case *ed25519.PrivateKey:
259 return fmt.Errorf("tls: unsupported certificate: private key is *ed25519.PrivateKey, expected ed25519.PrivateKey")
262 signer, ok := cert.PrivateKey.(crypto.Signer)
264 return fmt.Errorf("tls: certificate private key (%T) does not implement crypto.Signer",
268 switch pub := signer.Public().(type) {
269 case *ecdsa.PublicKey:
271 case elliptic.P256():
272 case elliptic.P384():
273 case elliptic.P521():
275 return fmt.Errorf("tls: unsupported certificate curve (%s)", pub.Curve.Params().Name)
278 case ed25519.PublicKey:
280 return fmt.Errorf("tls: unsupported certificate key (%T)", pub)
283 if cert.SupportedSignatureAlgorithms != nil {
284 return fmt.Errorf("tls: peer doesn't support the certificate custom signature algorithms")
287 return fmt.Errorf("tls: internal error: unsupported key (%T)", cert.PrivateKey)