auth_test.go

     1  // Copyright 2017 The Go Authors. All rights reserved.
     2  // Use of this source code is governed by a BSD-style
     3  // license that can be found in the LICENSE file.
     4  
     5  package tls
     6  
     7  import (
     8  	"crypto"
     9  	"crypto/tls/internal/fips140tls"
    10  	"internal/testenv"
    11  	"strconv"
    12  	"testing"
    13  )
    14  
    15  func TestSignatureSelection(t *testing.T) {
    16  	rsaCert := &Certificate{
    17  		Certificate: [][]byte{testRSACertificate},
    18  		PrivateKey:  testRSAPrivateKey,
    19  	}
    20  	pkcs1Cert := &Certificate{
    21  		Certificate:                  [][]byte{testRSACertificate},
    22  		PrivateKey:                   testRSAPrivateKey,
    23  		SupportedSignatureAlgorithms: []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256},
    24  	}
    25  	ecdsaCert := &Certificate{
    26  		Certificate: [][]byte{testP256Certificate},
    27  		PrivateKey:  testP256PrivateKey,
    28  	}
    29  	ed25519Cert := &Certificate{
    30  		Certificate: [][]byte{testEd25519Certificate},
    31  		PrivateKey:  testEd25519PrivateKey,
    32  	}
    33  
    34  	tests := []struct {
    35  		cert        *Certificate
    36  		peerSigAlgs []SignatureScheme
    37  		tlsVersion  uint16
    38  		godebug     string
    39  
    40  		expectedSigAlg  SignatureScheme
    41  		expectedSigType uint8
    42  		expectedHash    crypto.Hash
    43  	}{
    44  		{rsaCert, []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, VersionTLS12, "", PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256},
    45  		{rsaCert, []SignatureScheme{PKCS1WithSHA1, PKCS1WithSHA256}, VersionTLS12, "tlssha1=1", PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
    46  		{rsaCert, []SignatureScheme{PKCS1WithSHA512, PKCS1WithSHA1}, VersionTLS12, "", PKCS1WithSHA512, signaturePKCS1v15, crypto.SHA512},
    47  		{rsaCert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, "", PSSWithSHA256, signatureRSAPSS, crypto.SHA256},
    48  		{pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS12, "", PKCS1WithSHA256, signaturePKCS1v15, crypto.SHA256},
    49  		{rsaCert, []SignatureScheme{PSSWithSHA384, PKCS1WithSHA1}, VersionTLS13, "", PSSWithSHA384, signatureRSAPSS, crypto.SHA384},
    50  		{rsaCert, []SignatureScheme{PKCS1WithSHA1, PSSWithSHA384}, VersionTLS13, "", PSSWithSHA384, signatureRSAPSS, crypto.SHA384},
    51  		{ecdsaCert, []SignatureScheme{ECDSAWithSHA1, ECDSAWithP256AndSHA256}, VersionTLS12, "", ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
    52  		{ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS12, "tlssha1=1", ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
    53  		{ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS12, "", ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
    54  		{ecdsaCert, []SignatureScheme{ECDSAWithP256AndSHA256}, VersionTLS13, "", ECDSAWithP256AndSHA256, signatureECDSA, crypto.SHA256},
    55  		{ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS12, "", Ed25519, signatureEd25519, directSigning},
    56  		{ed25519Cert, []SignatureScheme{Ed25519}, VersionTLS13, "", Ed25519, signatureEd25519, directSigning},
    57  
    58  		// TLS 1.2 without signature_algorithms extension
    59  		{rsaCert, nil, VersionTLS12, "tlssha1=1", PKCS1WithSHA1, signaturePKCS1v15, crypto.SHA1},
    60  		{ecdsaCert, nil, VersionTLS12, "tlssha1=1", ECDSAWithSHA1, signatureECDSA, crypto.SHA1},
    61  
    62  		// TLS 1.2 does not restrict the ECDSA curve (our ecdsaCert is P-256)
    63  		{ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS12, "", ECDSAWithP384AndSHA384, signatureECDSA, crypto.SHA384},
    64  	}
    65  
    66  	for testNo, test := range tests {
    67  		t.Run(strconv.Itoa(testNo), func(t *testing.T) {
    68  			if fips140tls.Required() && test.expectedHash == crypto.SHA1 {
    69  				t.Skip("skipping test not compatible with TLS FIPS mode")
    70  			}
    71  			if test.godebug != "" {
    72  				testenv.SetGODEBUG(t, test.godebug)
    73  			} else {
    74  				t.Parallel()
    75  			}
    76  
    77  			sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
    78  			if err != nil {
    79  				t.Errorf("unexpected selectSignatureScheme error: %v", err)
    80  			}
    81  			if test.expectedSigAlg != sigAlg {
    82  				t.Errorf("expected signature scheme %v, got %v", test.expectedSigAlg, sigAlg)
    83  			}
    84  			sigType, hashFunc, err := typeAndHashFromSignatureScheme(sigAlg)
    85  			if err != nil {
    86  				t.Errorf("unexpected typeAndHashFromSignatureScheme error: %v", err)
    87  			}
    88  			if test.expectedSigType != sigType {
    89  				t.Errorf("expected signature algorithm %#x, got %#x", test.expectedSigType, sigType)
    90  			}
    91  			if test.expectedHash != hashFunc {
    92  				t.Errorf("expected hash function %#x, got %#x", test.expectedHash, hashFunc)
    93  			}
    94  		})
    95  	}
    96  
    97  	brokenCert := &Certificate{
    98  		Certificate:                  [][]byte{testRSACertificate},
    99  		PrivateKey:                   testRSAPrivateKey,
   100  		SupportedSignatureAlgorithms: []SignatureScheme{Ed25519},
   101  	}
   102  
   103  	badTests := []struct {
   104  		cert        *Certificate
   105  		peerSigAlgs []SignatureScheme
   106  		tlsVersion  uint16
   107  	}{
   108  		{rsaCert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
   109  		{ecdsaCert, []SignatureScheme{PKCS1WithSHA256, PKCS1WithSHA1}, VersionTLS12},
   110  		{rsaCert, []SignatureScheme{0}, VersionTLS12},
   111  		{ed25519Cert, []SignatureScheme{ECDSAWithP256AndSHA256, ECDSAWithSHA1}, VersionTLS12},
   112  		{ecdsaCert, []SignatureScheme{Ed25519}, VersionTLS12},
   113  		{brokenCert, []SignatureScheme{Ed25519}, VersionTLS12},
   114  		{brokenCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS12},
   115  		// RFC 5246, Section 7.4.1.4.1, says to only consider {sha1,ecdsa} as
   116  		// default when the extension is missing, and RFC 8422 does not update
   117  		// it. Anyway, if a stack supports Ed25519 it better support sigalgs.
   118  		{ed25519Cert, nil, VersionTLS12},
   119  		// TLS 1.3 has no default signature_algorithms.
   120  		{rsaCert, nil, VersionTLS13},
   121  		{ecdsaCert, nil, VersionTLS13},
   122  		{ed25519Cert, nil, VersionTLS13},
   123  		// Wrong curve, which TLS 1.3 checks
   124  		{ecdsaCert, []SignatureScheme{ECDSAWithP384AndSHA384}, VersionTLS13},
   125  		// TLS 1.3 does not support PKCS1v1.5 or SHA-1.
   126  		{rsaCert, []SignatureScheme{PKCS1WithSHA256}, VersionTLS13},
   127  		{pkcs1Cert, []SignatureScheme{PSSWithSHA256, PKCS1WithSHA256}, VersionTLS13},
   128  		{ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS13},
   129  		// The key can be too small for the hash.
   130  		{rsaCert, []SignatureScheme{PSSWithSHA512}, VersionTLS12},
   131  		// SHA-1 requires tlssha1=1
   132  		{rsaCert, []SignatureScheme{PKCS1WithSHA1}, VersionTLS12},
   133  		{ecdsaCert, []SignatureScheme{ECDSAWithSHA1}, VersionTLS12},
   134  		{rsaCert, nil, VersionTLS12},
   135  		{ecdsaCert, nil, VersionTLS12},
   136  	}
   137  
   138  	for testNo, test := range badTests {
   139  		sigAlg, err := selectSignatureScheme(test.tlsVersion, test.cert, test.peerSigAlgs)
   140  		if err == nil {
   141  			t.Errorf("test[%d]: unexpected success, got %v", testNo, sigAlg)
   142  		}
   143  	}
   144  }
   145  
   146  func TestLegacyTypeAndHash(t *testing.T) {
   147  	sigType, hashFunc, err := legacyTypeAndHashFromPublicKey(testRSAPrivateKey.Public())
   148  	if err != nil {
   149  		t.Errorf("RSA: unexpected error: %v", err)
   150  	}
   151  	if expectedSigType := signaturePKCS1v15; expectedSigType != sigType {
   152  		t.Errorf("RSA: expected signature type %#x, got %#x", expectedSigType, sigType)
   153  	}
   154  	if expectedHashFunc := crypto.MD5SHA1; expectedHashFunc != hashFunc {
   155  		t.Errorf("RSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
   156  	}
   157  
   158  	sigType, hashFunc, err = legacyTypeAndHashFromPublicKey(testECDSAPrivateKey.Public())
   159  	if err != nil {
   160  		t.Errorf("ECDSA: unexpected error: %v", err)
   161  	}
   162  	if expectedSigType := signatureECDSA; expectedSigType != sigType {
   163  		t.Errorf("ECDSA: expected signature type %#x, got %#x", expectedSigType, sigType)
   164  	}
   165  	if expectedHashFunc := crypto.SHA1; expectedHashFunc != hashFunc {
   166  		t.Errorf("ECDSA: expected hash %#x, got %#x", expectedHashFunc, hashFunc)
   167  	}
   168  
   169  	// Ed25519 is not supported by TLS 1.0 and 1.1.
   170  	_, _, err = legacyTypeAndHashFromPublicKey(testEd25519PrivateKey.Public())
   171  	if err == nil {
   172  		t.Errorf("Ed25519: unexpected success")
   173  	}
   174  }
   175  
   176  // TestSupportedSignatureAlgorithms checks that all supportedSignatureAlgorithms
   177  // have valid type and hash information.
   178  func TestSupportedSignatureAlgorithms(t *testing.T) {
   179  	for _, sigAlg := range supportedSignatureAlgorithms(VersionTLS12) {
   180  		sigType, hash, err := typeAndHashFromSignatureScheme(sigAlg)
   181  		if err != nil {
   182  			t.Errorf("%v: unexpected error: %v", sigAlg, err)
   183  		}
   184  		if sigType == 0 {
   185  			t.Errorf("%v: missing signature type", sigAlg)
   186  		}
   187  		if hash == 0 && sigAlg != Ed25519 {
   188  			t.Errorf("%v: missing hash", sigAlg)
   189  		}
   190  	}
   191  }
   192
View as plain text