authorPeter Dettman <peter.dettman@bouncycastle.org>2022-05-10 12:54:22 +0700
committerPeter Dettman <peter.dettman@bouncycastle.org>2022-05-10 12:54:22 +0700
commit217c08cdb0359f95c40f1a09e4e545a4552509fe (patch)
treebb6418fed2a682e42ea77a82cd2da6f3e923d929 /crypto/test/src/tls
parentAvoid duplicate call (diff)
downloadBouncyCastle.NET-ed25519-217c08cdb0359f95c40f1a09e4e545a4552509fe.tar.xz
Improve TLS handshake hash tracking
Diffstat (limited to 'crypto/test/src/tls')
-rw-r--r--crypto/test/src/tls/test/DtlsTestSuite.cs64
-rw-r--r--crypto/test/src/tls/test/TlsTestClientImpl.cs13
-rw-r--r--crypto/test/src/tls/test/TlsTestClientProtocol.cs10
-rw-r--r--crypto/test/src/tls/test/TlsTestServerImpl.cs4
-rw-r--r--crypto/test/src/tls/test/TlsTestSuite.cs49
5 files changed, 77 insertions, 63 deletions
diff --git a/crypto/test/src/tls/test/DtlsTestSuite.cs b/crypto/test/src/tls/test/DtlsTestSuite.cs
index 0af2be32c..27c1ca648 100644
--- a/crypto/test/src/tls/test/DtlsTestSuite.cs
+++ b/crypto/test/src/tls/test/DtlsTestSuite.cs
@@ -68,63 +68,59 @@ namespace Org.BouncyCastle.Tls.Tests
                 + "_";
 
             /*
-             * NOTE: Temporarily disabled automatic test runs because of problems getting a clean exit
-             * of the DTLS server after a fatal alert. As of writing, manual runs show the correct
-             * alerts being raised
-             */
-
-#if false
-            /*
-             * Server only declares support for SHA1/RSA, client selects MD5/RSA. Since the client is
-             * NOT actually tracking MD5 over the handshake, we expect fatal alert from the client.
+             * Server only declares support for SHA256/ECDSA, client selects SHA256/RSA, so we expect fatal alert
+             * from the client validation of the CertificateVerify algorithm.
              */
             if (TlsUtilities.IsTlsV12(version))
             {
                 TlsTestConfig c = CreateDtlsTestConfig(version);
                 c.clientAuth = C.CLIENT_AUTH_VALID;
-                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
-                c.serverCertReqSigAlgs = TlsUtilities.GetDefaultRsaSignatureAlgorithms();
+                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.rsa);
+                c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne(
+                    new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa));
                 c.ExpectClientFatalAlert(AlertDescription.internal_error);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifyHashAlg");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgClient");
             }
 
             /*
-             * Server only declares support for SHA1/ECDSA, client selects SHA1/RSA. Since the client is
-             * actually tracking SHA1 over the handshake, we expect fatal alert to come from the server
-             * when it verifies the selected algorithm against the CertificateRequest supported
-             * algorithms.
+             * Server only declares support for rsa_pss_rsae_sha256, client selects rsa_pss_rsae_sha256 but claims
+             * ecdsa_secp256r1_sha256, so we expect fatal alert from the server validation of the
+             * CertificateVerify algorithm.
              */
             if (TlsUtilities.IsTlsV12(version))
             {
                 TlsTestConfig c = CreateDtlsTestConfig(version);
                 c.clientAuth = C.CLIENT_AUTH_VALID;
-                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa);
-                c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
+                c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256);
+                c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256);
+                c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne(
+                    SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256));
                 c.serverCheckSigAlgOfClientCerts = false;
                 c.ExpectServerFatalAlert(AlertDescription.illegal_parameter);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlg");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer1");
             }
 
             /*
-             * Server only declares support for SHA1/ECDSA, client signs with SHA1/RSA, but sends
-             * SHA1/ECDSA in the CertificateVerify. Since the client is actually tracking SHA1 over the
-             * handshake, and the claimed algorithm is in the CertificateRequest supported algorithms,
-             * we expect fatal alert to come from the server when it finds the claimed algorithm
-             * doesn't match the client certificate.
+             * Server declares support for rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256, client selects
+             * rsa_pss_rsae_sha256 but claims ecdsa_secp256r1_sha256, so we expect fatal alert from the server
+             * validation of the client certificate.
              */
             if (TlsUtilities.IsTlsV12(version))
             {
                 TlsTestConfig c = CreateDtlsTestConfig(version);
                 c.clientAuth = C.CLIENT_AUTH_VALID;
-                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa);
-                c.clientAuthSigAlgClaimed = new SignatureAndHashAlgorithm(HashAlgorithm.sha1,
-                    SignatureAlgorithm.ecdsa);
-                c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
-                c.ExpectServerFatalAlert(AlertDescription.decrypt_error);
+                c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256);
+                c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256);
+                c.serverCertReqSigAlgs = new ArrayList(2);
+                c.serverCertReqSigAlgs.Add(
+                    SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256));
+                c.serverCertReqSigAlgs.Add(
+                    SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256));
+                c.ExpectServerFatalAlert(AlertDescription.bad_certificate);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlgMismatch");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer2");
             }
 
             {
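Review bot: Dropping the `#if false` guard and the NOTE that DTLS runs were disabled because the server did not exit cleanly after a fatal alert re-enables these cases without any statement that the clean-exit problem was fixed; if it was not, the re-enabled alert tests are likely to hang or flake rather than fail usefully. The same guard removal is spread over the later hunks of this file (the `#endif` at "BadServerKeyExchangeSigAlg2", and the `#if false`/`#endif` pair around "BadDowngrade"), so the change should either reference the fix or keep a short note on why the earlier concern no longer applies. The new names "BadCertVerifySigAlgServer1" and "BadCertVerifySigAlgServer2" also lose the distinction the block comments make (server rejects the CertificateVerify algorithm vs. server rejects the client certificate); names such as `"BadCertVerifySigAlgServerCertReq"` and `"BadCertVerifySigAlgServerCert"` would carry that into test reports. All three reconfigured cases are duplicated verbatim in the TlsTestSuite.cs hunk, which is where the name change would need to be mirrored.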
@@ -132,7 +128,7 @@ namespace Org.BouncyCastle.Tls.Tests
                 c.clientAuth = C.CLIENT_AUTH_INVALID_VERIFY;
                 c.ExpectServerFatalAlert(AlertDescription.decrypt_error);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifySignature");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySignature");
             }
 
             {
@@ -161,8 +157,9 @@ namespace Org.BouncyCastle.Tls.Tests
             {
                 TlsTestConfig c = CreateDtlsTestConfig(version);
                 c.clientSendSignatureAlgorithms = false;
+                c.clientSendSignatureAlgorithmsCert = false;
                 c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.rsa);
-                c.ExpectClientFatalAlert(AlertDescription.certificate_unknown);
+                c.ExpectClientFatalAlert(AlertDescription.bad_certificate);
 
                 AddTestCase(testSuite, c, prefix + "BadServerCertSigAlg");
             }
@@ -196,7 +193,6 @@ namespace Org.BouncyCastle.Tls.Tests
 
                 AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2");
             }
-#endif
 
             {
                 TlsTestConfig c = CreateDtlsTestConfig(version);
@@ -218,7 +214,6 @@ namespace Org.BouncyCastle.Tls.Tests
                 AddTestCase(testSuite, c, prefix + "GoodOptionalCertReqDeclined");
             }
 
-#if false
             /*
              * Server generates downgraded (RFC 8446) ServerHello. We expect fatal alert
              * (illegal_parameter) from the client.
@@ -232,7 +227,6 @@ namespace Org.BouncyCastle.Tls.Tests
 
                 AddTestCase(testSuite, c, prefix + "BadDowngrade");
             }
-#endif
         }
 
         private static void AddTestCase(IList testSuite, TlsTestConfig config, string name)
diff --git a/crypto/test/src/tls/test/TlsTestClientImpl.cs b/crypto/test/src/tls/test/TlsTestClientImpl.cs
index 04c8ad0af..cb70dbc80 100644
--- a/crypto/test/src/tls/test/TlsTestClientImpl.cs
+++ b/crypto/test/src/tls/test/TlsTestClientImpl.cs
@@ -310,14 +310,23 @@ namespace Org.BouncyCastle.Tls.Tests
                 IList supportedSigAlgs = certificateRequest.SupportedSignatureAlgorithms;
                 if (supportedSigAlgs != null && config.clientAuthSigAlg != null)
                 {
-                    supportedSigAlgs = new ArrayList(1);
-                    supportedSigAlgs.Add(config.clientAuthSigAlg);
+                    supportedSigAlgs = TlsUtilities.VectorOfOne(config.clientAuthSigAlg);
                 }
 
                 // TODO[tls13] Check also supportedSigAlgsCert against the chain signature(s)
 
                 TlsCredentialedSigner signerCredentials = TlsTestUtilities.LoadSignerCredentials(m_context,
                     supportedSigAlgs, SignatureAlgorithm.rsa, "x509-client-rsa.pem", "x509-client-key-rsa.pem");
+                if (signerCredentials == null && supportedSigAlgs != null)
+                {
+                    SignatureAndHashAlgorithm pss = SignatureScheme.GetSignatureAndHashAlgorithm(
+                        SignatureScheme.rsa_pss_rsae_sha256);
+                    if (TlsUtilities.ContainsSignatureAlgorithm(supportedSigAlgs, pss))
+                    {
+                        signerCredentials = TlsTestUtilities.LoadSignerCredentials(m_context,
+                            new string[]{ "x509-client-rsa.pem" }, "x509-client-key-rsa.pem", pss);
+                    }
+                }
 
                 if (config.clientAuth == TlsTestConfig.CLIENT_AUTH_VALID)
                     return signerCredentials;
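Review bot: The new fallback only retries for rsa_pss_rsae_sha256, so a config whose clientAuthSigAlg is any other scheme that the first `LoadSignerCredentials(..., SignatureAlgorithm.rsa, ...)` call presumably cannot satisfy leaves signerCredentials null, and the CLIENT_AUTH_VALID branch below then returns null silently; the test would fail on a missing-client-certificate path instead of the alert it was written to check. A guard before the return makes that failure mode explicit, e.g. `if (config.clientAuth == TlsTestConfig.CLIENT_AUTH_VALID && signerCredentials == null) throw new TlsFatalAlert(AlertDescription.internal_error, "test config requires client credentials");` (or a plain exception, whichever the file's tests already expect). A one-line comment on the fallback, such as `// Retry for the PSS scheme the new CertificateVerify tests restrict supportedSigAlgs to`, would record why this one scheme is special-cased. The enclosing method starts outside the hunk.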
diff --git a/crypto/test/src/tls/test/TlsTestClientProtocol.cs b/crypto/test/src/tls/test/TlsTestClientProtocol.cs
index f7e94680a..879996040 100644
--- a/crypto/test/src/tls/test/TlsTestClientProtocol.cs
+++ b/crypto/test/src/tls/test/TlsTestClientProtocol.cs
@@ -19,6 +19,16 @@ namespace Org.BouncyCastle.Tls.Tests
             this.m_config = config;
         }
 
+        protected override void Send13CertificateVerifyMessage(DigitallySigned certificateVerify)
+        {
+            if (m_config.clientAuthSigAlgClaimed != null)
+            {
+                certificateVerify = new DigitallySigned(m_config.clientAuthSigAlgClaimed, certificateVerify.Signature);
+            }
+
+            base.Send13CertificateVerifyMessage(certificateVerify);
+        }
+
         protected override void SendCertificateVerifyMessage(DigitallySigned certificateVerify)
         {
             if (certificateVerify.Algorithm != null && m_config.clientAuthSigAlgClaimed != null)
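Review bot: The new Send13CertificateVerifyMessage override rewrites the algorithm unconditionally whenever clientAuthSigAlgClaimed is set, while the existing SendCertificateVerifyMessage override just below additionally requires `certificateVerify.Algorithm != null`; if the omission is deliberate (the algorithm field is always present for TLS 1.3) a short comment saying so avoids the next reader "fixing" it. The override is also a test hook that sends a signature under a different algorithm than it was produced with, and nothing documents that intent; a summary such as `/// Test hook: substitutes the configured "claimed" algorithm into the CertificateVerify (signature bytes unchanged) so server-side validation of a mismatched algorithm can be exercised.` on the method would make that clear. SendCertificateVerifyMessage's body continues outside the hunk.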
diff --git a/crypto/test/src/tls/test/TlsTestServerImpl.cs b/crypto/test/src/tls/test/TlsTestServerImpl.cs
index 77df632fe..273de3d31 100644
--- a/crypto/test/src/tls/test/TlsTestServerImpl.cs
+++ b/crypto/test/src/tls/test/TlsTestServerImpl.cs
@@ -258,9 +258,7 @@ namespace Org.BouncyCastle.Tls.Tests
         {
             if (TlsUtilities.IsTlsV12(m_context) && m_config.serverAuthSigAlg != null)
             {
-                IList signatureAlgorithms = new ArrayList(1);
-                signatureAlgorithms.Add(m_config.serverAuthSigAlg);
-                return signatureAlgorithms;
+                return TlsUtilities.VectorOfOne(m_config.serverAuthSigAlg);
             }
 
             return m_context.SecurityParameters.ClientSigAlgs;
diff --git a/crypto/test/src/tls/test/TlsTestSuite.cs b/crypto/test/src/tls/test/TlsTestSuite.cs
index adedd8249..86a543ef0 100644
--- a/crypto/test/src/tls/test/TlsTestSuite.cs
+++ b/crypto/test/src/tls/test/TlsTestSuite.cs
@@ -104,56 +104,59 @@ namespace Org.BouncyCastle.Tls.Tests
             }
 
             /*
-             * Server only declares support for SHA1/RSA, client selects MD5/RSA. Since the client is
-             * NOT actually tracking MD5 over the handshake, we expect fatal alert from the client.
+             * Server only declares support for SHA256/ECDSA, client selects SHA256/RSA, so we expect fatal alert
+             * from the client validation of the CertificateVerify algorithm.
              */
             if (isTlsV12Exactly)
             {
                 TlsTestConfig c = CreateTlsTestConfig(version, clientCrypto, serverCrypto);
                 c.clientAuth = C.CLIENT_AUTH_VALID;
-                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
-                c.serverCertReqSigAlgs = TlsUtilities.GetDefaultRsaSignatureAlgorithms();
-                c.serverCheckSigAlgOfClientCerts = false;
+                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.rsa);
+                c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne(
+                    new SignatureAndHashAlgorithm(HashAlgorithm.sha256, SignatureAlgorithm.ecdsa));
                 c.ExpectClientFatalAlert(AlertDescription.internal_error);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifyHashAlg");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgClient");
             }
 
             /*
-             * Server only declares support for SHA1/ECDSA, client selects SHA1/RSA. Since the client is
-             * actually tracking SHA1 over the handshake, we expect fatal alert to come from the server
-             * when it verifies the selected algorithm against the CertificateRequest supported
-             * algorithms.
+             * Server only declares support for rsa_pss_rsae_sha256, client selects rsa_pss_rsae_sha256 but claims
+             * ecdsa_secp256r1_sha256, so we expect fatal alert from the server validation of the
+             * CertificateVerify algorithm.
              */
             if (isTlsV12)
             {
                 TlsTestConfig c = CreateTlsTestConfig(version, clientCrypto, serverCrypto);
                 c.clientAuth = C.CLIENT_AUTH_VALID;
-                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa);
-                c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
+                c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256);
+                c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256);
+                c.serverCertReqSigAlgs = TlsUtilities.VectorOfOne(
+                    SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256));
                 c.serverCheckSigAlgOfClientCerts = false;
                 c.ExpectServerFatalAlert(AlertDescription.illegal_parameter);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlg");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer1");
             }
 
             /*
-             * Server only declares support for SHA1/ECDSA, client signs with SHA1/RSA, but sends
-             * SHA1/ECDSA in the CertificateVerify. Since the client is actually tracking SHA1 over the
-             * handshake, and the claimed algorithm is in the CertificateRequest supported algorithms,
-             * we expect fatal alert to come from the server when it finds the claimed algorithm
-             * doesn't match the client certificate.
+             * Server declares support for rsa_pss_rsae_sha256 and ecdsa_secp256r1_sha256, client selects
+             * rsa_pss_rsae_sha256 but claims ecdsa_secp256r1_sha256, so we expect fatal alert from the server
+             * validation of the client certificate.
              */
             if (isTlsV12)
             {
                 TlsTestConfig c = CreateTlsTestConfig(version, clientCrypto, serverCrypto);
                 c.clientAuth = C.CLIENT_AUTH_VALID;
-                c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa);
-                c.clientAuthSigAlgClaimed = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa);
-                c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
+                c.clientAuthSigAlg = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256);
+                c.clientAuthSigAlgClaimed = SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256);
+                c.serverCertReqSigAlgs = new ArrayList(2);
+                c.serverCertReqSigAlgs.Add(
+                    SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.rsa_pss_rsae_sha256));
+                c.serverCertReqSigAlgs.Add(
+                    SignatureScheme.GetSignatureAndHashAlgorithm(SignatureScheme.ecdsa_secp256r1_sha256));
                 c.ExpectServerFatalAlert(AlertDescription.bad_certificate);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlgMismatch");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySigAlgServer2");
             }
 
             {
@@ -161,7 +164,7 @@ namespace Org.BouncyCastle.Tls.Tests
                 c.clientAuth = C.CLIENT_AUTH_INVALID_VERIFY;
                 c.ExpectServerFatalAlert(AlertDescription.decrypt_error);
 
-                AddTestCase(testSuite, c, prefix + "BadCertificateVerifySignature");
+                AddTestCase(testSuite, c, prefix + "BadCertVerifySignature");
             }
 
             {