diff options
author | Péter Dimitrov <[email protected]> | 2019-03-06 16:50:00 +0100 |
---|---|---|
committer | Péter Dimitrov <[email protected]> | 2019-03-07 10:42:03 +0100 |
commit | 36ddf40a42d028a8b99fd8994de64e29c2780f78 (patch) | |
tree | c7a7d9040434dbc94a5eaf550cee453ac322f074 /lib/ssl/src/tls_handshake_1_3.erl | |
parent | 839207c411f8cb09347f9497e5db931d7a30d5da (diff) | |
download | otp-36ddf40a42d028a8b99fd8994de64e29c2780f78.tar.gz otp-36ddf40a42d028a8b99fd8994de64e29c2780f78.tar.bz2 otp-36ddf40a42d028a8b99fd8994de64e29c2780f78.zip |
ssl: Verify signature algorithm in CV
Verify if the signature algorithm used in the signature of
CertificateVerify is one of those present in the
supported_signature_algorithms field of the "signature_algorithms"
extension in the CertificateRequest message.
Change-Id: I7d3b5f10e3205447fb9a9a7e59b93568d1696432
Diffstat (limited to 'lib/ssl/src/tls_handshake_1_3.erl')
-rw-r--r-- | lib/ssl/src/tls_handshake_1_3.erl | 55 |
1 files changed, 34 insertions, 21 deletions
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl index 858a1acdac..c250e95029 100644 --- a/lib/ssl/src/tls_handshake_1_3.erl +++ b/lib/ssl/src/tls_handshake_1_3.erl @@ -434,7 +434,6 @@ do_start(#client_hello{cipher_suites = ClientCiphers, #state{connection_states = _ConnectionStates0, ssl_options = #ssl_options{ciphers = ServerCiphers, signature_algs = ServerSignAlgs, - signature_algs_cert = _SignatureSchemes, %% TODO: check! supported_groups = ServerGroups0}, session = #session{own_certificate = Cert}} = State0) -> @@ -746,7 +745,6 @@ process_client_certificate(#certificate_1_3{certificate_list = Certs0}, State1 = calculate_traffic_secrets(State0), State = ssl_record:step_encryption_state(State1), {error, {Reason, State}}; - %% TODO: refactor!? #alert{} = Alert -> State1 = calculate_traffic_secrets(State0), State = ssl_record:step_encryption_state(State1), @@ -768,17 +766,19 @@ validate_certificate_chain(Certs, CertDbHandle, CertDbRef, SslOptions, CRLDbHand SslOptions#ssl_options.crl_check, CRLDbHandle, CertPath), Options = [{max_path_length, SslOptions#ssl_options.depth}, {verify_fun, ValidationFunAndState}], - case public_key:pkix_path_validation(TrustedCert, CertPath, Options) of - {ok, {PublicKeyInfo,_}} -> - {ok, {PeerCert, PublicKeyInfo}}; - {error, Reason} -> - ssl_handshake:handle_path_validation_error(Reason, PeerCert, ChainCerts, + %% TODO: Validate if Certificate is using a supported signature algorithm + %% (signature_algs_cert)! + case public_key:pkix_path_validation(TrustedCert, CertPath, Options) of + {ok, {PublicKeyInfo,_}} -> + {ok, {PeerCert, PublicKeyInfo}}; + {error, Reason} -> + ssl_handshake:handle_path_validation_error(Reason, PeerCert, ChainCerts, SslOptions, Options, CertDbHandle, CertDbRef) - end + end catch - error:{badmatch,{asn1, Asn1Reason}} -> - %% ASN-1 decode of certificate somehow failed + error:{badmatch,{asn1, Asn1Reason}} -> + %% ASN-1 decode of certificate somehow failed {error, {certificate_unknown, {failed_to_decode_certificate, Asn1Reason}}}; error:OtherReason -> {error, {internal_error, {unexpected_error, OtherReason}}} @@ -1047,20 +1047,33 @@ get_handshake_context(L) -> L. -verify_signature_algorithm(#state{session = #session{sign_alg = SignatureScheme}} = State, - #certificate_verify_1_3{algorithm = SignatureScheme2}) -> - %% TODO - ok. +%% If sent by a client, the signature algorithm used in the signature +%% MUST be one of those present in the supported_signature_algorithms +%% field of the "signature_algorithms" extension in the +%% CertificateRequest message. +verify_signature_algorithm(#state{ssl_options = + #ssl_options{ + signature_algs = ServerSignAlgs}} = State0, + #certificate_verify_1_3{algorithm = ClientSignAlg}) -> + case lists:member(ClientSignAlg, ServerSignAlgs) of + true -> + ok; + false -> + State1 = calculate_traffic_secrets(State0), + State = ssl_record:step_encryption_state(State1), + {error, {{handshake_failure, + "CertificateVerify has a not supported signature algorithm"}, State}} + end. verify_certificate_verify(#state{connection_states = ConnectionStates, - handshake_env = - #handshake_env{ - public_key_info = PublicKeyInfo, - tls_handshake_history = HHistory}} = State0, - #certificate_verify_1_3{ - algorithm = SignatureScheme, - signature = Signature}) -> + handshake_env = + #handshake_env{ + public_key_info = PublicKeyInfo, + tls_handshake_history = HHistory}} = State0, + #certificate_verify_1_3{ + algorithm = SignatureScheme, + signature = Signature}) -> #{security_parameters := SecParamsR} = ssl_record:pending_connection_state(ConnectionStates, write), #security_parameters{prf_algorithm = HKDFAlgo} = SecParamsR, |