1 // Copyright 2017 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
16 // pickSignatureAlgorithm selects a signature algorithm that is compatible with
17 // the given public key and the list of algorithms from the peer and this side.
18 // The lists of signature algorithms (peerSigAlgs and ourSigAlgs) are ignored
19 // for tlsVersion < VersionTLS12.
21 // The returned SignatureScheme codepoint is only meaningful for TLS 1.2,
22 // previous TLS versions have a fixed hash function.
23 func pickSignatureAlgorithm(pubkey crypto.PublicKey, peerSigAlgs, ourSigAlgs []SignatureScheme, tlsVersion uint16) (sigAlg SignatureScheme, sigType uint8, hashFunc crypto.Hash, err error) {
24 if tlsVersion < VersionTLS12 || len(peerSigAlgs) == 0 {
25 // For TLS 1.1 and before, the signature algorithm could not be
26 // negotiated and the hash is fixed based on the signature type. For TLS
27 // 1.2, if the client didn't send signature_algorithms extension then we
28 // can assume that it supports SHA1. See RFC 5246, Section 7.4.1.4.1.
29 switch pubkey.(type) {
31 if tlsVersion < VersionTLS12 {
32 return 0, signaturePKCS1v15, crypto.MD5SHA1, nil
34 return PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1, nil
36 case *ecdsa.PublicKey:
37 return ECDSAWithSHA1, signatureECDSA, crypto.SHA1, nil
39 return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey)
42 for _, sigAlg := range peerSigAlgs {
43 if !isSupportedSignatureAlgorithm(sigAlg, ourSigAlgs) {
46 hashAlg, err := lookupTLSHash(sigAlg)
48 panic("tls: supported signature algorithm has an unknown hash function")
50 sigType := signatureFromSignatureScheme(sigAlg)
51 switch pubkey.(type) {
53 if sigType == signaturePKCS1v15 || sigType == signatureRSAPSS {
54 return sigAlg, sigType, hashAlg, nil
56 case *ecdsa.PublicKey:
57 if sigType == signatureECDSA {
58 return sigAlg, sigType, hashAlg, nil
61 return 0, 0, 0, fmt.Errorf("tls: unsupported public key: %T", pubkey)
64 return 0, 0, 0, errors.New("tls: peer doesn't support any common signature algorithms")
67 // verifyHandshakeSignature verifies a signature against pre-hashed handshake
69 func verifyHandshakeSignature(sigType uint8, pubkey crypto.PublicKey, hashFunc crypto.Hash, digest, sig []byte) error {
72 pubKey, ok := pubkey.(*ecdsa.PublicKey)
74 return errors.New("tls: ECDSA signing requires a ECDSA public key")
76 ecdsaSig := new(ecdsaSignature)
77 if _, err := asn1.Unmarshal(sig, ecdsaSig); err != nil {
80 if ecdsaSig.R.Sign() <= 0 || ecdsaSig.S.Sign() <= 0 {
81 return errors.New("tls: ECDSA signature contained zero or negative values")
83 if !ecdsa.Verify(pubKey, digest, ecdsaSig.R, ecdsaSig.S) {
84 return errors.New("tls: ECDSA verification failure")
86 case signaturePKCS1v15:
87 pubKey, ok := pubkey.(*rsa.PublicKey)
89 return errors.New("tls: RSA signing requires a RSA public key")
91 if err := rsa.VerifyPKCS1v15(pubKey, hashFunc, digest, sig); err != nil {
95 pubKey, ok := pubkey.(*rsa.PublicKey)
97 return errors.New("tls: RSA signing requires a RSA public key")
99 signOpts := &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}
100 if err := rsa.VerifyPSS(pubKey, hashFunc, digest, sig, signOpts); err != nil {
104 return errors.New("tls: unknown signature algorithm")