aboutsummaryrefslogtreecommitdiffstats
path: root/lib
diff options
context:
space:
mode:
authorPéter Dimitrov <[email protected]>2019-03-06 16:50:00 +0100
committerPéter Dimitrov <[email protected]>2019-03-07 10:42:03 +0100
commit36ddf40a42d028a8b99fd8994de64e29c2780f78 (patch)
treec7a7d9040434dbc94a5eaf550cee453ac322f074 /lib
parent839207c411f8cb09347f9497e5db931d7a30d5da (diff)
downloadotp-36ddf40a42d028a8b99fd8994de64e29c2780f78.tar.gz
otp-36ddf40a42d028a8b99fd8994de64e29c2780f78.tar.bz2
otp-36ddf40a42d028a8b99fd8994de64e29c2780f78.zip
ssl: Verify signature algorithm in CV
Verify if the signature algorithm used in the signature of CertificateVerify is one of those present in the supported_signature_algorithms field of the "signature_algorithms" extension in the CertificateRequest message. Change-Id: I7d3b5f10e3205447fb9a9a7e59b93568d1696432
Diffstat (limited to 'lib')
-rw-r--r--lib/ssl/src/tls_handshake_1_3.erl55
1 files changed, 34 insertions, 21 deletions
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 858a1acdac..c250e95029 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -434,7 +434,6 @@ do_start(#client_hello{cipher_suites = ClientCiphers,
#state{connection_states = _ConnectionStates0,
ssl_options = #ssl_options{ciphers = ServerCiphers,
signature_algs = ServerSignAlgs,
- signature_algs_cert = _SignatureSchemes, %% TODO: check!
supported_groups = ServerGroups0},
session = #session{own_certificate = Cert}} = State0) ->
@@ -746,7 +745,6 @@ process_client_certificate(#certificate_1_3{certificate_list = Certs0},
State1 = calculate_traffic_secrets(State0),
State = ssl_record:step_encryption_state(State1),
{error, {Reason, State}};
- %% TODO: refactor!?
#alert{} = Alert ->
State1 = calculate_traffic_secrets(State0),
State = ssl_record:step_encryption_state(State1),
@@ -768,17 +766,19 @@ validate_certificate_chain(Certs, CertDbHandle, CertDbRef, SslOptions, CRLDbHand
SslOptions#ssl_options.crl_check, CRLDbHandle, CertPath),
Options = [{max_path_length, SslOptions#ssl_options.depth},
{verify_fun, ValidationFunAndState}],
- case public_key:pkix_path_validation(TrustedCert, CertPath, Options) of
- {ok, {PublicKeyInfo,_}} ->
- {ok, {PeerCert, PublicKeyInfo}};
- {error, Reason} ->
- ssl_handshake:handle_path_validation_error(Reason, PeerCert, ChainCerts,
+ %% TODO: Validate if Certificate is using a supported signature algorithm
+ %% (signature_algs_cert)!
+ case public_key:pkix_path_validation(TrustedCert, CertPath, Options) of
+ {ok, {PublicKeyInfo,_}} ->
+ {ok, {PeerCert, PublicKeyInfo}};
+ {error, Reason} ->
+ ssl_handshake:handle_path_validation_error(Reason, PeerCert, ChainCerts,
SslOptions, Options,
CertDbHandle, CertDbRef)
- end
+ end
catch
- error:{badmatch,{asn1, Asn1Reason}} ->
- %% ASN-1 decode of certificate somehow failed
+ error:{badmatch,{asn1, Asn1Reason}} ->
+ %% ASN-1 decode of certificate somehow failed
{error, {certificate_unknown, {failed_to_decode_certificate, Asn1Reason}}};
error:OtherReason ->
{error, {internal_error, {unexpected_error, OtherReason}}}
@@ -1047,20 +1047,33 @@ get_handshake_context(L) ->
L.
-verify_signature_algorithm(#state{session = #session{sign_alg = SignatureScheme}} = State,
- #certificate_verify_1_3{algorithm = SignatureScheme2}) ->
- %% TODO
- ok.
+%% If sent by a client, the signature algorithm used in the signature
+%% MUST be one of those present in the supported_signature_algorithms
+%% field of the "signature_algorithms" extension in the
+%% CertificateRequest message.
+verify_signature_algorithm(#state{ssl_options =
+ #ssl_options{
+ signature_algs = ServerSignAlgs}} = State0,
+ #certificate_verify_1_3{algorithm = ClientSignAlg}) ->
+ case lists:member(ClientSignAlg, ServerSignAlgs) of
+ true ->
+ ok;
+ false ->
+ State1 = calculate_traffic_secrets(State0),
+ State = ssl_record:step_encryption_state(State1),
+ {error, {{handshake_failure,
+ "CertificateVerify has a not supported signature algorithm"}, State}}
+ end.
verify_certificate_verify(#state{connection_states = ConnectionStates,
- handshake_env =
- #handshake_env{
- public_key_info = PublicKeyInfo,
- tls_handshake_history = HHistory}} = State0,
- #certificate_verify_1_3{
- algorithm = SignatureScheme,
- signature = Signature}) ->
+ handshake_env =
+ #handshake_env{
+ public_key_info = PublicKeyInfo,
+ tls_handshake_history = HHistory}} = State0,
+ #certificate_verify_1_3{
+ algorithm = SignatureScheme,
+ signature = Signature}) ->
#{security_parameters := SecParamsR} =
ssl_record:pending_connection_state(ConnectionStates, write),
#security_parameters{prf_algorithm = HKDFAlgo} = SecParamsR,