tls13subcerts.c (25729B)
1 /* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */ 2 /* 3 * This Source Code Form is subject to the terms of the Mozilla Public 4 * License, v. 2.0. If a copy of the MPL was not distributed with this 5 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */ 6 7 #include "nss.h" 8 #include "pk11func.h" 9 #include "secder.h" 10 #include "sechash.h" 11 #include "ssl.h" 12 #include "sslproto.h" 13 #include "sslimpl.h" 14 #include "ssl3exthandle.h" 15 #include "tls13exthandle.h" 16 #include "tls13hkdf.h" 17 #include "tls13subcerts.h" 18 19 /* Parses the delegated credential (DC) from the raw extension |b| of length 20 * |length|. Memory for the DC is allocated and set to |*dcp|. 21 * 22 * It's the caller's responsibility to invoke |tls13_DestroyDelegatedCredential| 23 * when this data is no longer needed. 24 */ 25 SECStatus 26 tls13_ReadDelegatedCredential(PRUint8 *b, PRUint32 length, 27 sslDelegatedCredential **dcp) 28 { 29 sslDelegatedCredential *dc = NULL; 30 SECStatus rv; 31 PRUint64 n; 32 sslReadBuffer tmp; 33 sslReader rdr = SSL_READER(b, length); 34 35 PORT_Assert(!*dcp); 36 37 dc = PORT_ZNew(sslDelegatedCredential); 38 if (!dc) { 39 PORT_SetError(SEC_ERROR_NO_MEMORY); 40 goto loser; 41 } 42 43 /* Read the valid_time field of DelegatedCredential.cred. */ 44 rv = sslRead_ReadNumber(&rdr, 4, &n); 45 if (rv != SECSuccess) { 46 goto loser; 47 } 48 dc->validTime = n; 49 50 /* Read the expected_cert_verify_algorithm field of 51 * DelegatedCredential.cred. */ 52 rv = sslRead_ReadNumber(&rdr, 2, &n); 53 if (rv != SECSuccess) { 54 goto loser; 55 } 56 dc->expectedCertVerifyAlg = n; 57 58 /* Read the ASN1_subjectPublicKeyInfo field of DelegatedCredential.cred. */ 59 rv = sslRead_ReadVariable(&rdr, 3, &tmp); 60 if (rv != SECSuccess) { 61 goto loser; 62 } 63 rv = SECITEM_MakeItem(NULL, &dc->derSpki, tmp.buf, tmp.len); 64 if (rv != SECSuccess) { 65 goto loser; 66 } 67 68 /* Parse the DER-encoded SubjectPublicKeyInfo. */ 69 dc->spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&dc->derSpki); 70 if (!dc->spki) { 71 goto loser; 72 } 73 74 /* Read the algorithm field of the DelegatedCredential. */ 75 rv = sslRead_ReadNumber(&rdr, 2, &n); 76 if (rv != SECSuccess) { 77 goto loser; 78 } 79 dc->alg = n; 80 81 /* Read the signature field of the DelegatedCredential. */ 82 rv = sslRead_ReadVariable(&rdr, 2, &tmp); 83 if (rv != SECSuccess) { 84 goto loser; 85 } 86 rv = SECITEM_MakeItem(NULL, &dc->signature, tmp.buf, tmp.len); 87 if (rv != SECSuccess) { 88 goto loser; 89 } 90 91 /* There should be nothing left to read. */ 92 if (SSL_READER_REMAINING(&rdr) > 0) { 93 goto loser; 94 } 95 96 *dcp = dc; 97 return SECSuccess; 98 99 loser: 100 tls13_DestroyDelegatedCredential(dc); 101 *dcp = NULL; 102 return SECFailure; 103 } 104 105 /* Frees |dc| from the heap. */ 106 void 107 tls13_DestroyDelegatedCredential(sslDelegatedCredential *dc) 108 { 109 if (!dc) { 110 return; 111 } 112 113 SECKEY_DestroySubjectPublicKeyInfo(dc->spki); 114 SECITEM_FreeItem(&dc->derSpki, PR_FALSE); 115 SECITEM_FreeItem(&dc->signature, PR_FALSE); 116 PORT_ZFree(dc, sizeof(sslDelegatedCredential)); 117 } 118 119 /* Sets |*certVerifyAlg| to the expected_cert_verify_algorithm field from the 120 * serialized DC |in|. Returns SECSuccess upon success; SECFailure indicates a 121 * decoding failure or the input wasn't long enough. 122 */ 123 static SECStatus 124 tls13_GetExpectedCertVerifyAlg(SECItem in, SSLSignatureScheme *certVerifyAlg) 125 { 126 SECStatus rv; 127 PRUint64 n; 128 sslReader rdr = SSL_READER(in.data, in.len); 129 130 if (in.len < 6) { /* Buffer too short to contain the first two params. */ 131 return SECFailure; 132 } 133 134 rv = sslRead_ReadNumber(&rdr, 4, &n); 135 if (rv != SECSuccess) { 136 return SECFailure; 137 } 138 139 rv = sslRead_ReadNumber(&rdr, 2, &n); 140 if (rv != SECSuccess) { 141 return SECFailure; 142 } 143 *certVerifyAlg = n; 144 145 return SECSuccess; 146 } 147 148 /* Returns PR_TRUE if the host is verifying the handshake with a DC. */ 149 PRBool 150 tls13_IsVerifyingWithDelegatedCredential(const sslSocket *ss) 151 { 152 /* We currently do not support client-delegated credentials. */ 153 if (ss->sec.isServer || 154 !ss->opt.enableDelegatedCredentials || 155 !ss->xtnData.peerDelegCred) { 156 return PR_FALSE; 157 } 158 159 return PR_TRUE; 160 } 161 162 /* Returns PR_TRUE if the host is signing the handshake with a DC. */ 163 PRBool 164 tls13_IsSigningWithDelegatedCredential(const sslSocket *ss) 165 { 166 if (!ss->sec.isServer || 167 !ss->xtnData.sendingDelegCredToPeer || 168 !ss->xtnData.peerRequestedDelegCred) { 169 return PR_FALSE; 170 } 171 172 return PR_TRUE; 173 } 174 175 /* Commits to authenticating with a DC if all of the following conditions hold: 176 * - the negotiated protocol is TLS 1.3 or newer; 177 * - the selected certificate has a DC configured; 178 * - the peer has indicated support for this extension; 179 * - the peer has indicated support for the DC signature scheme; and 180 * - the host supports the DC signature scheme. 181 * 182 * It's the caller's responsibility to ensure that the version has been 183 * negotiated and the certificate has been selected. 184 */ 185 SECStatus 186 tls13_MaybeSetDelegatedCredential(sslSocket *ss) 187 { 188 SECStatus rv; 189 PRBool doesRsaPss; 190 SECKEYPrivateKey *priv; 191 SSLSignatureScheme scheme; 192 193 /* Assert that the host is the server (we do not currently support 194 * client-delegated credentials), the certificate has been 195 * chosen, TLS 1.3 or higher has been negotiated, and that the set of 196 * signature schemes supported by the client is known. 197 */ 198 PORT_Assert(ss->sec.isServer); 199 PORT_Assert(ss->sec.serverCert); 200 PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3); 201 PORT_Assert(ss->xtnData.peerRequestedDelegCred == !!ss->xtnData.delegCredSigSchemes); 202 203 /* Check that the peer has indicated support and that a DC has been 204 * configured for the selected certificate. 205 */ 206 if (!ss->xtnData.peerRequestedDelegCred || 207 !ss->xtnData.delegCredSigSchemes || 208 !ss->sec.serverCert->delegCred.len || 209 !ss->sec.serverCert->delegCredKeyPair) { 210 return SECSuccess; 211 } 212 213 /* Check that the host and peer both support the signing algorithm used with 214 * the DC. 215 */ 216 rv = tls13_GetExpectedCertVerifyAlg(ss->sec.serverCert->delegCred, 217 &scheme); 218 if (rv != SECSuccess) { 219 return SECFailure; 220 } 221 222 priv = ss->sec.serverCert->delegCredKeyPair->privKey; 223 rv = ssl_PrivateKeySupportsRsaPss(priv, NULL, NULL, &doesRsaPss); 224 if (rv != SECSuccess) { 225 return SECFailure; 226 } 227 228 if (!ssl_SignatureSchemeEnabled(ss, scheme) || 229 !ssl_CanUseSignatureScheme(scheme, 230 ss->xtnData.delegCredSigSchemes, 231 ss->xtnData.numDelegCredSigSchemes, 232 PR_FALSE /* requireSha1 */, 233 doesRsaPss)) { 234 return SECSuccess; 235 } 236 237 /* Commit to sending a DC and set the handshake signature scheme to the 238 * indicated algorithm. 239 */ 240 ss->xtnData.sendingDelegCredToPeer = PR_TRUE; 241 ss->ssl3.hs.signatureScheme = scheme; 242 return SECSuccess; 243 } 244 245 /* Serializes the DC up to the signature. */ 246 static SECStatus 247 tls13_AppendCredentialParams(sslBuffer *buf, sslDelegatedCredential *dc) 248 { 249 SECStatus rv; 250 rv = sslBuffer_AppendNumber(buf, dc->validTime, 4); 251 if (rv != SECSuccess) { 252 return SECFailure; /* Error set by caller. */ 253 } 254 255 rv = sslBuffer_AppendNumber(buf, dc->expectedCertVerifyAlg, 2); 256 if (rv != SECSuccess) { 257 return SECFailure; 258 } 259 260 rv = sslBuffer_AppendVariable(buf, dc->derSpki.data, dc->derSpki.len, 3); 261 if (rv != SECSuccess) { 262 return SECFailure; 263 } 264 265 rv = sslBuffer_AppendNumber(buf, dc->alg, 2); 266 if (rv != SECSuccess) { 267 return SECFailure; 268 } 269 270 return SECSuccess; 271 } 272 273 /* Serializes the DC signature. */ 274 static SECStatus 275 tls13_AppendCredentialSignature(sslBuffer *buf, sslDelegatedCredential *dc) 276 { 277 SECStatus rv; 278 rv = sslBuffer_AppendVariable(buf, dc->signature.data, 279 dc->signature.len, 2); 280 if (rv != SECSuccess) { 281 return SECFailure; 282 } 283 284 return SECSuccess; 285 } 286 287 /* Hashes the message used to sign/verify the DC. */ 288 static SECStatus 289 tls13_HashCredentialAndSignOrVerifyMessage(SECKEYPrivateKey *privKey, 290 SECKEYPublicKey *pubKey, 291 SSLSignatureScheme scheme, 292 sslSignOrVerify direction, 293 const CERTCertificate *cert, 294 const sslBuffer *dcBuf, 295 SECItem *signature, void *pwArg) 296 { 297 SECStatus rv; 298 tlsSignOrVerifyContext ctx; 299 300 /* Set up sign and hash context. */ 301 ctx = tls_CreateSignOrVerifyContext(privKey, pubKey, scheme, direction, 302 signature, pwArg); 303 if (!ctx.u.ptr) { 304 PORT_SetError(SEC_ERROR_NO_MEMORY); 305 goto loser; 306 } 307 308 static const PRUint8 kCtxStrPadding[64] = { 309 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 310 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 311 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 312 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 313 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 314 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 315 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 316 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20 317 }; 318 319 static const PRUint8 kCtxStr[] = "TLS, server delegated credentials"; 320 321 /* Hash the message signed by the peer. */ 322 rv = tls_SignOrVerifyUpdate(ctx, kCtxStrPadding, sizeof kCtxStrPadding); 323 if (rv != SECSuccess) 324 goto loser; 325 rv = tls_SignOrVerifyUpdate(ctx, kCtxStr, 326 strlen((const char *)kCtxStr + 1 /* 0-byte */)); 327 if (rv != SECSuccess) 328 goto loser; 329 rv = tls_SignOrVerifyUpdate(ctx, cert->derCert.data, cert->derCert.len); 330 if (rv != SECSuccess) 331 goto loser; 332 rv = tls_SignOrVerifyUpdate(ctx, dcBuf->buf, dcBuf->len); 333 if (rv != SECSuccess) 334 goto loser; 335 rv = tls_SignOrVerifyEnd(ctx, signature); 336 if (rv != SECSuccess) 337 goto loser; 338 339 return SECSuccess; 340 341 loser: 342 tls_DestroySignOrVerifyContext(ctx); 343 return SECFailure; 344 } 345 346 /* Verifies the DC signature. */ 347 static SECStatus 348 tls13_VerifyCredentialSignature(sslSocket *ss, sslDelegatedCredential *dc) 349 { 350 SECStatus rv = SECSuccess; 351 sslBuffer dcBuf = SSL_BUFFER_EMPTY; 352 CERTCertificate *cert = ss->sec.peerCert; 353 SECKEYPublicKey *pubKey = NULL; 354 void *pwArg = ss->pkcs11PinArg; 355 356 /* Serialize the DC parameters. */ 357 rv = tls13_AppendCredentialParams(&dcBuf, dc); 358 if (rv != SECSuccess) { 359 goto loser; /* Error set by caller. */ 360 } 361 362 pubKey = SECKEY_ExtractPublicKey(&cert->subjectPublicKeyInfo); 363 if (pubKey == NULL) { 364 FATAL_ERROR(ss, SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE, internal_error); 365 goto loser; 366 } 367 368 /* Verify the signature of the delegatormessage. */ 369 rv = tls13_HashCredentialAndSignOrVerifyMessage(NULL, pubKey, dc->alg, 370 sig_verify, cert, &dcBuf, 371 &dc->signature, pwArg); 372 if (rv != SECSuccess) { 373 FATAL_ERROR(ss, SSL_ERROR_DC_BAD_SIGNATURE, illegal_parameter); 374 goto loser; 375 } 376 377 SECOidTag spkiAlg = SECOID_GetAlgorithmTag(&(dc->spki->algorithm)); 378 if (spkiAlg == SEC_OID_PKCS1_RSA_ENCRYPTION) { 379 FATAL_ERROR(ss, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, illegal_parameter); 380 goto loser; 381 } 382 383 SECKEY_DestroyPublicKey(pubKey); 384 sslBuffer_Clear(&dcBuf); 385 return SECSuccess; 386 387 loser: 388 SECKEY_DestroyPublicKey(pubKey); 389 sslBuffer_Clear(&dcBuf); 390 return SECFailure; 391 } 392 393 /* Checks that the peer's end-entity certificate has the correct key usage. */ 394 static SECStatus 395 tls13_CheckCertDelegationUsage(sslSocket *ss) 396 { 397 int i; 398 PRBool found; 399 CERTCertExtension *ext; 400 SECItem delegUsageOid = { siBuffer, NULL, 0 }; 401 const CERTCertificate *cert = ss->sec.peerCert; 402 403 /* 1.3.6.1.4.1.44363.44, as defined in draft-ietf-tls-subcerts. */ 404 static unsigned char kDelegationUsageOid[] = { 405 0x2b, 406 0x06, 407 0x01, 408 0x04, 409 0x01, 410 0x82, 411 0xda, 412 0x4b, 413 0x2c 414 }; 415 416 delegUsageOid.data = kDelegationUsageOid; 417 delegUsageOid.len = sizeof kDelegationUsageOid; 418 419 /* The certificate must have the delegationUsage extension that authorizes 420 * it to negotiate delegated credentials. 421 */ 422 found = PR_FALSE; 423 for (i = 0; cert->extensions[i] != NULL; i++) { 424 ext = cert->extensions[i]; 425 if (SECITEM_CompareItem(&ext->id, &delegUsageOid) == SECEqual) { 426 found = PR_TRUE; 427 break; 428 } 429 } 430 431 /* The certificate must also have the digitalSignature keyUsage set. */ 432 if (!found || 433 !cert->keyUsagePresent || 434 !(cert->keyUsage & KU_DIGITAL_SIGNATURE)) { 435 FATAL_ERROR(ss, SSL_ERROR_DC_INVALID_KEY_USAGE, illegal_parameter); 436 return SECFailure; 437 } 438 439 return SECSuccess; 440 } 441 442 static SECStatus 443 tls13_CheckCredentialExpiration(sslSocket *ss, sslDelegatedCredential *dc) 444 { 445 SECStatus rv; 446 CERTCertificate *cert = ss->sec.peerCert; 447 /* 7 days in microseconds */ 448 static const PRTime kMaxDcValidity = ((PRTime)7 * 24 * 60 * 60 * PR_USEC_PER_SEC); 449 PRTime start, now, end; /* microseconds */ 450 451 rv = DER_DecodeTimeChoice(&start, &cert->validity.notBefore); 452 if (rv != SECSuccess) { 453 FATAL_ERROR(ss, PORT_GetError(), internal_error); 454 return SECFailure; 455 } 456 457 end = start + ((PRTime)dc->validTime * PR_USEC_PER_SEC); 458 now = ssl_Time(ss); 459 if (now > end || end < 0) { 460 FATAL_ERROR(ss, SSL_ERROR_DC_EXPIRED, illegal_parameter); 461 return SECFailure; 462 } 463 464 /* Not more than 7 days remaining in the validity period. */ 465 if (end - now > kMaxDcValidity) { 466 FATAL_ERROR(ss, SSL_ERROR_DC_INAPPROPRIATE_VALIDITY_PERIOD, illegal_parameter); 467 return SECFailure; 468 } 469 470 return SECSuccess; 471 } 472 473 /* Returns SECSucces if |dc| is a DC for the current handshake; otherwise it 474 * returns SECFailure. A valid DC meets three requirements: (1) the signature 475 * was produced by the peer's end-entity certificate, (2) the end-entity 476 * certificate must have the correct key usage, and (3) the DC must not be 477 * expired and its remaining TTL must be <= the maximum validity period (fixed 478 * as 7 days). 479 * 480 * This function calls FATAL_ERROR() when an error occurs. 481 */ 482 SECStatus 483 tls13_VerifyDelegatedCredential(sslSocket *ss, 484 sslDelegatedCredential *dc) 485 { 486 SECStatus rv; 487 PRTime start; 488 PRExplodedTime end; 489 CERTCertificate *cert = ss->sec.peerCert; 490 char endStr[256]; 491 492 rv = DER_DecodeTimeChoice(&start, &cert->validity.notBefore); 493 if (rv != SECSuccess) { 494 FATAL_ERROR(ss, PORT_GetError(), internal_error); 495 return SECFailure; 496 } 497 498 PR_ExplodeTime(start + (dc->validTime * PR_USEC_PER_SEC), 499 PR_GMTParameters, &end); 500 if (PR_FormatTime(endStr, sizeof(endStr), "%a %b %d %H:%M:%S %Y", &end)) { 501 SSL_TRC(20, ("%d: TLS13[%d]: Received delegated credential (expires %s)", 502 SSL_GETPID(), ss->fd, endStr)); 503 } else { 504 SSL_TRC(20, ("%d: TLS13[%d]: Received delegated credential", 505 SSL_GETPID(), ss->fd)); 506 } 507 508 rv = SECSuccess; 509 rv |= tls13_VerifyCredentialSignature(ss, dc); 510 rv |= tls13_CheckCertDelegationUsage(ss); 511 rv |= tls13_CheckCredentialExpiration(ss, dc); 512 return rv; 513 } 514 515 static CERTSubjectPublicKeyInfo * 516 tls13_MakePssSpki(const SECKEYPublicKey *pub, SECOidTag hashOid) 517 { 518 SECStatus rv; 519 PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE); 520 if (!arena) { 521 goto loser; /* Code already set. */ 522 } 523 CERTSubjectPublicKeyInfo *spki = PORT_ArenaZNew(arena, CERTSubjectPublicKeyInfo); 524 if (!spki) { 525 goto loser; /* Code already set. */ 526 } 527 spki->arena = arena; 528 529 SECKEYRSAPSSParams params = { 0 }; 530 params.hashAlg = PORT_ArenaZNew(arena, SECAlgorithmID); 531 rv = SECOID_SetAlgorithmID(arena, params.hashAlg, hashOid, NULL); 532 if (rv != SECSuccess) { 533 goto loser; /* Code already set. */ 534 } 535 536 /* Set the mask hash algorithm too, which is an argument to 537 * a SEC_OID_PKCS1_MGF1 value. */ 538 SECAlgorithmID maskHashAlg; 539 memset(&maskHashAlg, 0, sizeof(maskHashAlg)); 540 rv = SECOID_SetAlgorithmID(arena, &maskHashAlg, hashOid, NULL); 541 if (rv != SECSuccess) { 542 goto loser; /* Code already set. */ 543 } 544 SECItem *maskHashAlgItem = 545 SEC_ASN1EncodeItem(arena, NULL, &maskHashAlg, 546 SEC_ASN1_GET(SECOID_AlgorithmIDTemplate)); 547 if (!maskHashAlgItem) { 548 /* Probably OOM, but not certain. */ 549 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 550 goto loser; 551 } 552 553 params.maskAlg = PORT_ArenaZNew(arena, SECAlgorithmID); 554 rv = SECOID_SetAlgorithmID(arena, params.maskAlg, SEC_OID_PKCS1_MGF1, 555 maskHashAlgItem); 556 if (rv != SECSuccess) { 557 goto loser; /* Code already set. */ 558 } 559 560 /* Always include saltLength: all hashes are larger than 20. */ 561 unsigned int saltLength = HASH_ResultLenByOidTag(hashOid); 562 PORT_Assert(saltLength > 20); 563 if (!SEC_ASN1EncodeInteger(arena, ¶ms.saltLength, saltLength)) { 564 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 565 goto loser; 566 } 567 /* Omit the trailerField always. */ 568 569 SECItem *algorithmItem = 570 SEC_ASN1EncodeItem(arena, NULL, ¶ms, 571 SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate)); 572 if (!algorithmItem) { 573 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 574 goto loser; /* Code already set. */ 575 } 576 rv = SECOID_SetAlgorithmID(arena, &spki->algorithm, 577 SEC_OID_PKCS1_RSA_PSS_SIGNATURE, algorithmItem); 578 if (rv != SECSuccess) { 579 goto loser; /* Code already set. */ 580 } 581 582 SECItem *pubItem = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey, pub, 583 SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate)); 584 if (!pubItem) { 585 PORT_SetError(SEC_ERROR_LIBRARY_FAILURE); 586 goto loser; 587 } 588 spki->subjectPublicKey.len *= 8; /* Key length is in bits. */ 589 return spki; 590 591 loser: 592 PORT_FreeArena(arena, PR_FALSE); 593 return NULL; 594 } 595 596 static CERTSubjectPublicKeyInfo * 597 tls13_MakeDcSpki(const SECKEYPublicKey *dcPub, SSLSignatureScheme dcCertVerifyAlg) 598 { 599 switch (SECKEY_GetPublicKeyType(dcPub)) { 600 case rsaKey: { 601 SECOidTag hashOid; 602 switch (dcCertVerifyAlg) { 603 /* Note: RSAE schemes are NOT permitted within DC SPKIs. However, 604 * support for their issuance remains so as to enable negative 605 * testing of client behavior. */ 606 case ssl_sig_rsa_pss_rsae_sha256: 607 case ssl_sig_rsa_pss_rsae_sha384: 608 case ssl_sig_rsa_pss_rsae_sha512: 609 return SECKEY_CreateSubjectPublicKeyInfo(dcPub); 610 case ssl_sig_rsa_pss_pss_sha256: 611 hashOid = SEC_OID_SHA256; 612 break; 613 case ssl_sig_rsa_pss_pss_sha384: 614 hashOid = SEC_OID_SHA384; 615 break; 616 case ssl_sig_rsa_pss_pss_sha512: 617 hashOid = SEC_OID_SHA512; 618 break; 619 620 default: 621 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); 622 return NULL; 623 } 624 return tls13_MakePssSpki(dcPub, hashOid); 625 } 626 627 case ecKey: { 628 const sslNamedGroupDef *group = ssl_ECPubKey2NamedGroup(dcPub); 629 if (!group) { 630 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); 631 return NULL; 632 } 633 SSLSignatureScheme keyScheme; 634 switch (group->name) { 635 case ssl_grp_ec_secp256r1: 636 keyScheme = ssl_sig_ecdsa_secp256r1_sha256; 637 break; 638 case ssl_grp_ec_secp384r1: 639 keyScheme = ssl_sig_ecdsa_secp384r1_sha384; 640 break; 641 case ssl_grp_ec_secp521r1: 642 keyScheme = ssl_sig_ecdsa_secp521r1_sha512; 643 break; 644 default: 645 PORT_SetError(SEC_ERROR_INVALID_KEY); 646 return NULL; 647 } 648 if (keyScheme != dcCertVerifyAlg) { 649 PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM); 650 return NULL; 651 } 652 return SECKEY_CreateSubjectPublicKeyInfo(dcPub); 653 } 654 655 default: 656 break; 657 } 658 659 PORT_SetError(SEC_ERROR_INVALID_KEY); 660 return NULL; 661 } 662 663 /* Returns a serialized DC with the given parameters. 664 * 665 * Note that this function is meant primarily for testing. In particular, it 666 * DOES NOT verify any of the following: 667 * - |certPriv| is the private key corresponding to |cert|; 668 * - that |checkCertKeyUsage(cert) == SECSuccess|; 669 * - |dcValidFor| is less than 7 days (the maximum permitted by the spec); or 670 * - validTime doesn't overflow a PRUint32. 671 * 672 * These conditions are things we want to test for, which is why we allow them 673 * here. A real API for creating DCs would want to explicitly check ALL of these 674 * conditions are met. 675 */ 676 SECStatus 677 SSLExp_DelegateCredential(const CERTCertificate *cert, 678 const SECKEYPrivateKey *certPriv, 679 const SECKEYPublicKey *dcPub, 680 SSLSignatureScheme dcCertVerifyAlg, 681 PRUint32 dcValidFor, 682 PRTime now, 683 SECItem *out) 684 { 685 SECStatus rv; 686 CERTSubjectPublicKeyInfo *spki = NULL; 687 SECKEYPrivateKey *tmpPriv = NULL; 688 void *pwArg = certPriv->wincx; 689 sslDelegatedCredential *dc = NULL; 690 sslBuffer dcBuf = SSL_BUFFER_EMPTY; 691 692 if (!cert || !certPriv || !dcPub || !out) { 693 PORT_SetError(SEC_ERROR_INVALID_ARGS); 694 return SECFailure; 695 } 696 697 dc = PORT_ZNew(sslDelegatedCredential); 698 if (!dc) { 699 PORT_SetError(SEC_ERROR_NO_MEMORY); 700 goto loser; 701 } 702 703 /* Serialize the DC parameters. */ 704 PRTime start; 705 rv = DER_DecodeTimeChoice(&start, &cert->validity.notBefore); 706 if (rv != SECSuccess) { 707 goto loser; 708 } 709 dc->validTime = ((now - start) / PR_USEC_PER_SEC) + dcValidFor; 710 711 /* Building the SPKI also validates |dcCertVerifyAlg|. */ 712 spki = tls13_MakeDcSpki(dcPub, dcCertVerifyAlg); 713 if (!spki) { 714 goto loser; 715 } 716 dc->expectedCertVerifyAlg = dcCertVerifyAlg; 717 718 SECItem *spkiDer = 719 SEC_ASN1EncodeItem(NULL /*arena*/, &dc->derSpki, spki, 720 SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate)); 721 if (!spkiDer) { 722 goto loser; 723 } 724 725 rv = ssl_SignatureSchemeFromSpki(&cert->subjectPublicKeyInfo, 726 PR_TRUE /* isTls13 */, &dc->alg); 727 if (rv != SECSuccess) { 728 goto loser; 729 } 730 731 if (dc->alg == ssl_sig_none) { 732 SECOidTag spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm); 733 /* If the Cert SPKI contained an AlgorithmIdentifier of "rsaEncryption", set a 734 * default rsa_pss_rsae_sha256 scheme. NOTE: RSAE SPKIs are not permitted within 735 * "real" Delegated Credentials. However, since this function is primarily used for 736 * testing, we retain this support in order to verify that these DCs are rejected 737 * by tls13_VerifyDelegatedCredential. */ 738 if (spkiOid == SEC_OID_PKCS1_RSA_ENCRYPTION) { 739 SSLSignatureScheme scheme = ssl_sig_rsa_pss_rsae_sha256; 740 if (ssl_SignatureSchemeValid(scheme, spkiOid, PR_TRUE /* isTls13 */)) { 741 dc->alg = scheme; 742 } 743 } 744 } 745 PORT_Assert(dc->alg != ssl_sig_none); 746 747 rv = tls13_AppendCredentialParams(&dcBuf, dc); 748 if (rv != SECSuccess) { 749 goto loser; 750 } 751 752 /* Sign the hash with the delegation key. 753 * 754 * The PK11 API discards const qualifiers, so we have to make a copy of 755 * |certPriv| and pass the copy to 756 * |tls13_HashCredentialAndSignOrVerifyMessage|. 757 */ 758 tmpPriv = SECKEY_CopyPrivateKey(certPriv); 759 rv = tls13_HashCredentialAndSignOrVerifyMessage(tmpPriv, NULL, dc->alg, 760 sig_sign, cert, &dcBuf, 761 &dc->signature, pwArg); 762 if (rv != SECSuccess) { 763 goto loser; 764 } 765 766 /* Serialize the DC signature. */ 767 rv = tls13_AppendCredentialSignature(&dcBuf, dc); 768 if (rv != SECSuccess) { 769 goto loser; 770 } 771 772 /* Copy the serialized DC to |out|. */ 773 rv = SECITEM_MakeItem(NULL, out, dcBuf.buf, dcBuf.len); 774 if (rv != SECSuccess) { 775 goto loser; 776 } 777 778 PRINT_BUF(20, (NULL, "delegated credential", dcBuf.buf, dcBuf.len)); 779 780 SECKEY_DestroySubjectPublicKeyInfo(spki); 781 SECKEY_DestroyPrivateKey(tmpPriv); 782 tls13_DestroyDelegatedCredential(dc); 783 sslBuffer_Clear(&dcBuf); 784 return SECSuccess; 785 786 loser: 787 SECKEY_DestroySubjectPublicKeyInfo(spki); 788 SECKEY_DestroyPrivateKey(tmpPriv); 789 tls13_DestroyDelegatedCredential(dc); 790 sslBuffer_Clear(&dcBuf); 791 return SECFailure; 792 }