From 7a07d24ff09c69c90f8bfa8ca69a0fe433245185 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Fri, 7 Jun 2019 16:43:59 +0200
Subject: ssl: Handle ECDSA signatures in TLS 1.3

---
 lib/ssl/src/ssl_cipher.erl        | 18 ++++++++++++++----
 lib/ssl/src/tls_handshake_1_3.erl | 38 +++++++++++++++++++++++++++-----------
 2 files changed, 41 insertions(+), 15 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/src/ssl_cipher.erl b/lib/ssl/src/ssl_cipher.erl
index 21db887bb5..4aa6df6e0c 100644
--- a/lib/ssl/src/ssl_cipher.erl
+++ b/lib/ssl/src/ssl_cipher.erl
@@ -965,15 +965,25 @@ scheme_to_components(rsa_pkcs1_sha1) -> {sha1, rsa_pkcs1, undefined};
 scheme_to_components(ecdsa_sha1) -> {sha1, ecdsa, undefined}.
 
 
-%% TODO: Add support for EC and RSA-SSA signatures
-signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha1WithRSAEncryption}) ->
-    rsa_pkcs1_sha1;
+%% TODO: Add support for ed25519, ed448, rsa_pss*
 signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha256WithRSAEncryption}) ->
     rsa_pkcs1_sha256;
 signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha384WithRSAEncryption}) ->
     rsa_pkcs1_sha384;
 signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha512WithRSAEncryption}) ->
-    rsa_pkcs1_sha512.
+    rsa_pkcs1_sha512;
+signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?'ecdsa-with-SHA256'}) ->
+    ecdsa_secp256r1_sha256;
+signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?'ecdsa-with-SHA384'}) ->
+    ecdsa_secp384r1_sha384;
+signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?'ecdsa-with-SHA512'}) ->
+    ecdsa_secp512r1_sha512;
+signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?'sha-1WithRSAEncryption'}) ->
+    rsa_pkcs1_sha1;
+signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?sha1WithRSAEncryption}) ->
+    rsa_pkcs1_sha1;
+signature_algorithm_to_scheme(#'SignatureAlgorithm'{algorithm = ?'ecdsa-with-SHA1'}) ->
+    ecdsa_sha1.
 
 
 %% RFC 5246: 6.2.3.2.  CBC Block Cipher
diff --git a/lib/ssl/src/tls_handshake_1_3.erl b/lib/ssl/src/tls_handshake_1_3.erl
index 4de51c9a35..fd00c6e12d 100644
--- a/lib/ssl/src/tls_handshake_1_3.erl
+++ b/lib/ssl/src/tls_handshake_1_3.erl
@@ -433,6 +433,15 @@ certificate_entry(DER) ->
 %%    79
 %%    00
 %%    0101010101010101010101010101010101010101010101010101010101010101
+sign(THash, Context, HashAlgo, #'ECPrivateKey'{} = PrivateKey) ->
+    Content = build_content(Context, THash),
+    try public_key:sign(Content, HashAlgo, PrivateKey) of
+        Signature ->
+            {ok, Signature}
+    catch
+        error:badarg ->
+            {error, badarg}
+    end;
 sign(THash, Context, HashAlgo, PrivateKey) ->
     Content = build_content(Context, THash),
 
@@ -450,7 +459,16 @@ sign(THash, Context, HashAlgo, PrivateKey) ->
     end.
 
 
-verify(THash, Context, HashAlgo, Signature, PublicKey) ->
+verify(THash, Context, HashAlgo, Signature, {?'id-ecPublicKey', PublicKey, PublicKeyParams}) ->
+    Content = build_content(Context, THash),
+    try public_key:verify(Content, HashAlgo, Signature, {PublicKey, PublicKeyParams}) of
+        Result ->
+            {ok, Result}
+    catch
+        error:badarg ->
+            {error, badarg}
+    end;
+verify(THash, Context, HashAlgo, Signature, {?rsaEncryption, PublicKey, _PubKeyParams}) ->
     Content = build_content(Context, THash),
 
     %% The length of the Salt MUST be equal to the length of the output
@@ -1323,11 +1341,6 @@ get_private_key(#key_share_entry{
                           {_, PrivateKey}}) ->
     PrivateKey.
 
-%% TODO: implement EC keys
-get_public_key({?'rsaEncryption', PublicKey, _}) ->
-    PublicKey.
-
-
 %% X25519, X448
 calculate_shared_secret(OthersKey, MyKey, Group)
   when is_binary(OthersKey) andalso is_binary(MyKey) andalso
@@ -1556,13 +1569,11 @@ verify_certificate_verify(#state{
     %% Transcript-Hash uses the HKDF hash function defined by the cipher suite.
     THash = tls_v1:transcript_hash(Context, HKDFAlgo),
 
-    PublicKey = get_public_key(PublicKeyInfo),
-
     ContextString = peer_context_string(Role),
 
     %% Digital signatures use the hash function defined by the selected signature
     %% scheme.
-    case verify(THash, ContextString, HashAlgo, Signature, PublicKey) of
+    case verify(THash, ContextString, HashAlgo, Signature, PublicKeyInfo) of
         {ok, true} ->
             {ok, {State0, wait_finished}};
         {ok, false} ->
@@ -1761,15 +1772,20 @@ check_cert_sign_algo(SignAlgo, SignHash, _, ClientSignAlgsCert) ->
 %% DSA keys are not supported by TLS 1.3
 select_sign_algo(dsa, _ClientSignAlgs, _ServerSignAlgs) ->
     {error, {insufficient_security, no_suitable_public_key}};
-%% TODO: Implement support for ECDSA keys!
 select_sign_algo(_, [], _) ->
     {error, {insufficient_security, no_suitable_signature_algorithm}};
 select_sign_algo(PublicKeyAlgo, [C|ClientSignAlgs], ServerSignAlgs) ->
     {_, S, _} = ssl_cipher:scheme_to_components(C),
     %% RSASSA-PKCS1-v1_5 and Legacy algorithms are not defined for use in signed
     %% TLS handshake messages: filter sha-1 and rsa_pkcs1.
+    %%
+    %% RSASSA-PSS RSAE algorithms: If the public key is carried in an X.509
+    %% certificate, it MUST use the rsaEncryption OID.
+    %% RSASSA-PSS PSS algorithms: If the public key is carried in an X.509 certificate,
+    %% it MUST use the RSASSA-PSS OID.
     case ((PublicKeyAlgo =:= rsa andalso S =:= rsa_pss_rsae)
-          orelse (PublicKeyAlgo =:= rsa_pss andalso S =:= rsa_pss_rsae))
+          orelse (PublicKeyAlgo =:= rsa_pss andalso S =:= rsa_pss_pss)
+          orelse (PublicKeyAlgo =:= ecdsa andalso S =:= ecdsa))
         andalso
         lists:member(C, ServerSignAlgs) of
         true ->
-- 
cgit v1.2.3


From a249d001ee8544a3a89fb788b0721edf5655e22b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Thu, 13 Jun 2019 11:00:14 +0200
Subject: ssl: Test ECDSA certificates in TLS 1.3

---
 lib/ssl/test/ssl_basic_SUITE.erl | 136 ++++++++++++++++++++++++++++++++++++++-
 1 file changed, 135 insertions(+), 1 deletion(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl
index ce4479020e..80af44b032 100644
--- a/lib/ssl/test/ssl_basic_SUITE.erl
+++ b/lib/ssl/test/ssl_basic_SUITE.erl
@@ -276,7 +276,12 @@ tls13_test_group() ->
      tls13_ssl_server_with_alpn_ssl_client,
      tls13_ssl_server_with_alpn_ssl_client_empty_alpn,
      tls13_ssl_server_with_alpn_ssl_client_bad_alpn,
-     tls13_ssl_server_with_alpn_ssl_client_alpn].
+     tls13_ssl_server_with_alpn_ssl_client_alpn,
+     tls13_ecdsa_ssl_server_openssl_client,
+     tls13_ecdsa_ssl_server_ssl_client,
+     tls13_ecdsa_openssl_server_ssl_client,
+     tls13_ecdsa_client_auth_ssl_server_ssl_client
+    ].
 
 %%--------------------------------------------------------------------
 init_per_suite(Config0) ->
@@ -6239,6 +6244,135 @@ tls13_ssl_server_with_alpn_ssl_client_alpn(Config) ->
     ssl_test_lib:close_port(Client).
 
 
+tls13_ecdsa_ssl_server_openssl_client() ->
+     [{doc,"Test TLS 1.3 basic connection between ssl server and openssl s_client using ECDSA certificates"}].
+
+tls13_ecdsa_ssl_server_openssl_client(Config) ->
+    ClientOpts = ssl_test_lib:ssl_options(client_ecdsa_opts, Config),
+    ServerOpts0 = ssl_test_lib:ssl_options(server_ecdsa_opts, Config),
+    %% Set versions
+    ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ServerOpts0],
+    {_ClientNode, ServerNode, _Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+
+    Client = ssl_test_lib:start_basic_client(openssl, 'tlsv1.3', Port, ClientOpts),
+
+    ssl_test_lib:check_result(Server, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close_port(Client).
+
+tls13_ecdsa_ssl_server_ssl_client() ->
+     [{doc,"Test TLS 1.3 basic connection between ssl server and ssl client using ECDSA certificates"}].
+
+tls13_ecdsa_ssl_server_ssl_client(Config) ->
+    ClientOpts0 = ssl_test_lib:ssl_options(client_ecdsa_opts, Config),
+    ServerOpts0 = ssl_test_lib:ssl_options(server_ecdsa_opts, Config),
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    %% Set versions
+    ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ServerOpts0],
+    ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ClientOpts}]),
+
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close_port(Client).
+
+
+tls13_ecdsa_openssl_server_ssl_client() ->
+     [{doc,"Test TLS 1.3 basic connection between openssl server and ssl client using ECDSA certificates"}].
+
+tls13_ecdsa_openssl_server_ssl_client(Config) ->
+    process_flag(trap_exit, true),
+    ServerOpts = ssl_test_lib:ssl_options(server_ecdsa_verify_opts, Config),
+    ClientOpts0 = ssl_test_lib:ssl_options(client_ecdsa_opts, Config),
+
+    ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
+
+    {ClientNode, _, Hostname} = ssl_test_lib:run_where(Config),
+
+    Data = "From openssl to erlang",
+
+    Port = ssl_test_lib:inet_port(node()),
+    CertFile = proplists:get_value(certfile, ServerOpts),
+    CaCertFile = proplists:get_value(cacertfile, ServerOpts),
+    KeyFile = proplists:get_value(keyfile, ServerOpts),
+    Exe = "openssl",
+    Args = ["s_server", "-accept", integer_to_list(Port),
+            "-tls1_3",
+            "-cert", CertFile, "-CAfile", CaCertFile,
+            "-key", KeyFile, "-Verify", "2"],
+
+    OpensslPort = ssl_test_lib:portable_open_port(Exe, Args),
+
+    ssl_test_lib:wait_for_openssl_server(Port, tls),
+
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+                                        {host, Hostname},
+                                        {from, self()},
+                                        {mfa, {?MODULE,
+                                               erlang_ssl_receive, [Data]}},
+                                        {options, ClientOpts}]),
+    true = port_command(OpensslPort, Data),
+
+    ssl_test_lib:check_result(Client, ok),
+
+    %% Clean close down!   Server needs to be closed first !!
+    ssl_test_lib:close_port(OpensslPort),
+    ssl_test_lib:close(Client),
+    process_flag(trap_exit, false).
+
+
+tls13_ecdsa_client_auth_ssl_server_ssl_client() ->
+     [{doc,"TLS 1.3: Test client authentication with ECDSA certificates."}].
+
+tls13_ecdsa_client_auth_ssl_server_ssl_client(Config) ->
+    ClientOpts0 = ssl_test_lib:ssl_options(client_ecdsa_opts, Config),
+    ServerOpts0 = ssl_test_lib:ssl_options(server_ecdsa_opts, Config),
+
+    %% Set versions
+    ServerOpts = [{versions, ['tlsv1.2','tlsv1.3']},
+                  {verify, verify_peer},
+                  {fail_if_no_peer_cert, true}|ServerOpts0],
+    ClientOpts = [{versions, ['tlsv1.2','tlsv1.3']}|ClientOpts0],
+    {ClientNode, ServerNode, Hostname} = ssl_test_lib:run_where(Config),
+
+    Server = ssl_test_lib:start_server([{node, ServerNode}, {port, 0},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ServerOpts}]),
+    Port = ssl_test_lib:inet_port(Server),
+
+    %%Client = ssl_test_lib:start_basic_client(openssl, 'tlsv1.3', Port, ClientOpts),
+    Client = ssl_test_lib:start_client([{node, ClientNode}, {port, Port},
+					{host, Hostname},
+					{from, self()},
+					{mfa, {ssl_test_lib, send_recv_result_active, []}},
+					{options, ClientOpts}]),
+
+    ssl_test_lib:check_result(Server, ok, Client, ok),
+    ssl_test_lib:close(Server),
+    ssl_test_lib:close_port(Client).
+
+
+
 %%--------------------------------------------------------------------
 %% Internal functions ------------------------------------------------
 %%--------------------------------------------------------------------
-- 
cgit v1.2.3


From a47d331ac92728e741f87acca1de8faff4aa9a28 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?P=C3=A9ter=20Dimitrov?= <peterdmv@erlang.org>
Date: Fri, 28 Jun 2019 13:17:53 +0200
Subject: ssl: Update standards compliance

---
 lib/ssl/doc/src/standards_compliance.xml | 42 +++++++++++++++++---------------
 1 file changed, 22 insertions(+), 20 deletions(-)

(limited to 'lib/ssl')

diff --git a/lib/ssl/doc/src/standards_compliance.xml b/lib/ssl/doc/src/standards_compliance.xml
index 3a472d4776..9df48b99d3 100644
--- a/lib/ssl/doc/src/standards_compliance.xml
+++ b/lib/ssl/doc/src/standards_compliance.xml
@@ -135,8 +135,10 @@
       <item>Groups: all standard groups supported for the Diffie-Hellman key exchange</item>
       <item>Ciphers: TLS_AES_128_GCM_SHA256, TLS_AES_256_GCM_SHA384,
       TLS_CHACHA20_POLY1305_SHA256 and TLS_AES_128_CCM_SHA256</item>
-      <item>Signature Algorithms: RSA and RSA PSS</item>
-      <item>Certificates: currently only certificates with RSA keys are supported</item>
+      <item>Signature Algorithms: rsa_pkcs1_sha256, rsa_pkcs1_sha384, rsa_pkcs1_sha512,
+      ecdsa_secp256r1_sha256, ecdsa_secp384r1_sha384, ecdsa_secp521r1_sha512, rsa_pss_rsae_sha256,
+      rsa_pss_rsae_sha384, rsa_pss_rsae_sha512, rsa_pkcs1_sha1 and ecdsa_sha1</item>
+      <item>Certificates: RSA (it MUST use the rsaEncryption OID) and ECDSA keys</item>
     </list>
     <p>Other notable features:</p>
     <list type="bulleted">
@@ -727,20 +729,20 @@
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle">ecdsa_secp256r1_sha256</cell>
-	<cell align="left" valign="middle"><em>NC</em></cell>
-	<cell align="left" valign="middle"></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle">ecdsa_secp384r1_sha384</cell>
-	<cell align="left" valign="middle"><em>NC</em></cell>
-	<cell align="left" valign="middle"></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle">ecdsa_secp521r1_sha512</cell>
-	<cell align="left" valign="middle"><em>NC</em></cell>
-	<cell align="left" valign="middle"></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
@@ -830,20 +832,20 @@
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle">ecdsa_secp256r1_sha256</cell>
-	<cell align="left" valign="middle"><em>NC</em></cell>
-	<cell align="left" valign="middle"></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle">ecdsa_secp384r1_sha384</cell>
-	<cell align="left" valign="middle"><em>NC</em></cell>
-	<cell align="left" valign="middle"></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle">ecdsa_secp521r1_sha512</cell>
-	<cell align="left" valign="middle"><em>NC</em></cell>
-	<cell align="left" valign="middle"></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
@@ -1956,8 +1958,8 @@
 	  </url>
 	</cell>
         <cell align="left" valign="middle"><em></em></cell>
-	<cell align="left" valign="middle"><em>PC</em></cell>
-	<cell align="left" valign="middle"><em>22</em></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
@@ -1981,8 +1983,8 @@
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle"><em>Digital signatures</em></cell>
-	<cell align="left" valign="middle"><em>PC</em></cell>
-	<cell align="left" valign="middle"><em>22</em></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
       <row>
         <cell align="left" valign="middle"></cell>
@@ -1999,8 +2001,8 @@
       <row>
         <cell align="left" valign="middle"></cell>
         <cell align="left" valign="middle">MUST support ecdsa_secp256r1_sha256</cell>
-	<cell align="left" valign="middle"><em>NC</em></cell>
-	<cell align="left" valign="middle"></cell>
+	<cell align="left" valign="middle"><em>C</em></cell>
+	<cell align="left" valign="middle"><em>22.1</em></cell>
       </row>
 
       <row>
-- 
cgit v1.2.3