1 // Copyright 2017 The Go Authors. All rights reserved.
2 // Use of this source code is governed by a BSD-style
3 // license that can be found in the LICENSE file.
12 func TestSignatureSelection(t *testing.T) {
13 rsaCert := &Certificate{
14 Certificate: [][]byte{testRSACertificate},
15 PrivateKey: testRSAPrivateKey,
17 ecdsaCert := &Certificate{
18 Certificate: [][]byte{testP256Certificate},
19 PrivateKey: testP256PrivateKey,
21 ed25519Cert := &Certificate{
22 Certificate: [][]byte{testEd25519Certificate},
23 PrivateKey: testEd25519PrivateKey,
28 peerSigAlgs []SignatureScheme
31 expectedSigAlg SignatureScheme
33 expectedHash crypto.Hash
35 {rsaCert, []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
36 {rsaCert, []SignatureScheme{PKCS1WithSHA512, PKCS1WithSHA1}, VersionTLS12, PKCS1WithSHA512, signaturePKCS1v15, crypto.SHA512},
37 {rsaCert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256},
38 {rsaCert, []SignatureScheme{PSSWithSHA384, PKCS1WithSHA1}, VersionTLS13, PSSWithSHA384, signatureRSAPSS, crypto.SHA384},
39 {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
40 {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS12, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
41 {ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS13, ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
42 {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS12, Ed25519, signatureEd25519, directSigning},
43 {ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS13, Ed25519, signatureEd25519, directSigning},
45 // TLS 1.2 without signature_algorithms extension
46 {rsaCert, nil, VersionTLS12, PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
47 {ecdsaCert, nil, VersionTLS12, ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
49 // TLS 1.2 does not restrict the ECDSA curve (our ecdsaCert is P-256)
50 {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS12, ECDSAWithP384AndSHA384, signatureECDSA, crypto.SHA384},
53 for testNo, test := range tests {
54 sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
56 t.Errorf("test[%d]: unexpected selectSignatureScheme error: %v", testNo, err)
58 if test.expectedSigAlg != sigAlg {
59 t.Errorf("test[%d]: expected signature scheme %#x, got %#x", testNo, test.expectedSigAlg, sigAlg)
61 sigType, hashFunc, err := typeAndHashFromSignatureScheme(sigAlg)
63 t.Errorf("test[%d]: unexpected typeAndHashFromSignatureScheme error: %v", testNo, err)
65 if test.expectedSigType != sigType {
66 t.Errorf("test[%d]: expected signature algorithm %#x, got %#x", testNo, test.expectedSigType, sigType)
68 if test.expectedHash != hashFunc {
69 t.Errorf("test[%d]: expected hash function %#x, got %#x", testNo, test.expectedHash, hashFunc)
73 badTests := []struct {
75 peerSigAlgs []SignatureScheme
78 {rsaCert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
79 {ecdsaCert, []SignatureScheme{PKCS1WithSHA256, PKCS1WithSHA1}, VersionTLS12},
80 {rsaCert, []SignatureScheme{0}, VersionTLS12},
81 {ed25519Cert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
82 {ecdsaCert, []SignatureScheme{Ed25519}, VersionTLS12},
83 // RFC 5246, Section 7.4.1.4.1, says to only consider {sha1,ecdsa} as
84 // default when the extension is missing, and RFC 8422 does not update
85 // it. Anyway, if a stack supports Ed25519 it better support sigalgs.
86 {ed25519Cert, nil, VersionTLS12},
87 // TLS 1.3 has no default signature_algorithms.
88 {rsaCert, nil, VersionTLS13},
89 {ecdsaCert, nil, VersionTLS13},
90 {ed25519Cert, nil, VersionTLS13},
91 // Wrong curve, which TLS 1.3 checks
92 {ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS13},
93 // TLS 1.3 does not support PKCS1v1.5 or SHA-1.
94 {rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13},
95 {ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13},
98 for testNo, test := range badTests {
99 sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
101 t.Errorf("test[%d]: unexpected success, got %#x", testNo, sigAlg)
106 func TestLegacyTypeAndHash(t *testing.T) {
107 sigType, hashFunc, err := legacyTypeAndHashFromPublicKey(testRSAPrivateKey.Public())
109 t.Errorf("RSA: unexpected error: %v", err)
111 if expectedSigType := signaturePKCS1v15; expectedSigType != sigType {
112 t.Errorf("RSA: expected signature type %#x, got %#x", expectedSigType, sigType)
114 if expectedHashFunc := crypto.MD5SHA1; expectedHashFunc != hashFunc {
115 t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, sigType)
118 sigType, hashFunc, err = legacyTypeAndHashFromPublicKey(testECDSAPrivateKey.Public())
120 t.Errorf("ECDSA: unexpected error: %v", err)
122 if expectedSigType := signatureECDSA; expectedSigType != sigType {
123 t.Errorf("ECDSA: expected signature type %#x, got %#x", expectedSigType, sigType)
125 if expectedHashFunc := crypto.SHA1; expectedHashFunc != hashFunc {
126 t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, sigType)
129 // Ed25519 is not supported by TLS 1.0 and 1.1.
130 _, _, err = legacyTypeAndHashFromPublicKey(testEd25519PrivateKey.Public())
132 t.Errorf("Ed25519: unexpected success")
136 // TestSupportedSignatureAlgorithms checks that all supportedSignatureAlgorithms
137 // have valid type and hash information.
138 func TestSupportedSignatureAlgorithms(t *testing.T) {
139 for _, sigAlg := range supportedSignatureAlgorithms() {
140 sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg)
142 t.Errorf("%#04x: unexpected error: %v", sigAlg, err)
145 t.Errorf("%#04x: missing signature type", sigAlg)
147 if hash == 0 && sigAlg != Ed25519 {
148 t.Errorf("%#04x: missing hash", sigAlg)