add functionality to check if signature algorithm is supported in cipher suites

2018-08-07 14:14:40 -04:00 · 2018-08-07 14:14:40 -04:00 · bb6c30ee3c
parent b92098fd08
commit bb6c30ee3c
2 changed files with 108 additions and 0 deletions
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@ -41,6 +41,61 @@ var supportedTLSCiphers = map[string]uint16{
 	"TLS_RSA_WITH_AES_256_CBC_SHA":            tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 }

+var rsa string = "RSA"
+var ecdsa string = "ECDSA"
+
+var supportedCipherSignatures = map[string]string{
+	"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305":    rsa,
+	"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305":  ecdsa,
+	"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256":   rsa,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": ecdsa,
+	"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384":   rsa,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": ecdsa,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256":   rsa,
+	"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA":      rsa,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": ecdsa,
+	"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA":    ecdsa,
+	"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA":      rsa,
+	"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA":    ecdsa,
+	"TLS_RSA_WITH_AES_128_GCM_SHA256":         rsa,
+	"TLS_RSA_WITH_AES_256_GCM_SHA384":         rsa,
+	"TLS_RSA_WITH_AES_128_CBC_SHA256":         rsa,
+	"TLS_RSA_WITH_AES_128_CBC_SHA":            rsa,
+	"TLS_RSA_WITH_AES_256_CBC_SHA":            rsa,
+}
+
+var signatureAlgorithmMapping = map[x509.SignatureAlgorithm]string{
+	x509.MD2WithRSA:       rsa,
+	x509.MD5WithRSA:       rsa,
+	x509.SHA1WithRSA:      rsa,
+	x509.SHA256WithRSA:    rsa,
+	x509.SHA384WithRSA:    rsa,
+	x509.SHA512WithRSA:    rsa,
+	x509.ECDSAWithSHA1:    ecdsa,
+	x509.ECDSAWithSHA256:  ecdsa,
+	x509.ECDSAWithSHA384:  ecdsa,
+	x509.ECDSAWithSHA512:  ecdsa,
+	x509.SHA256WithRSAPSS: rsa,
+	x509.SHA384WithRSAPSS: rsa,
+	x509.SHA512WithRSAPSS: rsa,
+}
+
+func cipherSuitesSupportSignatureAlgorithm(supportedSignature x509.SignatureAlgorithm, supportedCipherSuites []string) (bool, error) {
+	supportedSignatureAlgorithm, ok := signatureAlgorithmMapping[supportedSignature]
+	if !ok {
+		return false, fmt.Errorf("Unsupported signature scheme: %s", supportedSignature.String())
+	}
+
+	for _, cipher := range supportedCipherSuites {
+		cipherSupportedAlg := supportedCipherSignatures[cipher]
+		if supportedSignatureAlgorithm == cipherSupportedAlg {
+			return true, nil
+		}
+	}
+
+	return false, fmt.Errorf("Specified cipher suites don't support %s, consider adding more cipher suites with this signature algorithm.", supportedSignatureAlgorithm)
+}
+
 // defaultTLSCiphers are the TLS Ciphers that are supported by default
 var defaultTLSCiphers = []string{
 	"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
@ -875,3 +875,56 @@ func TestConfig_ShouldReloadRPCConnections(t *testing.T) {
 		require.Equal(shouldReload, testCase.shouldReload, testCase.errorStr)
 	}
 }
+
+func TestConfig_ShouldDetectUnsupportedSignatureAlgorithms(t *testing.T) {
+	require := require.New(t)
+
+	type individualTestCase struct {
+		supportedSignature x509.SignatureAlgorithm
+		supportedCiphers   []string
+		isSupported        bool
+		description        string
+	}
+
+	testCases := []*individualTestCase{
+		{
+			supportedSignature: x509.SHA256WithRSA,
+			supportedCiphers: []string{
+				"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+			},
+			isSupported: true,
+			description: "Should be supported",
+		},
+		{
+			supportedSignature: x509.SHA256WithRSA,
+			supportedCiphers: []string{
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+			},
+			isSupported: false,
+			description: "Should not be supported",
+		},
+		{
+			supportedSignature: x509.SHA256WithRSA,
+			supportedCiphers: []string{
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+			},
+			isSupported: false,
+			description: "Multiple options without a match should not be supported",
+		},
+		{
+			supportedSignature: x509.MD2WithRSA,
+			supportedCiphers: []string{
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+				"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+			},
+			isSupported: false,
+			description: "Unsupported signature should not find a match",
+		},
+	}
+
+	for _, testCase := range testCases {
+		isSupported, _ := cipherSuitesSupportSignatureAlgorithm(testCase.supportedSignature, testCase.supportedCiphers)
+		require.Equal(testCase.isSupported, isSupported, testCase.description)
+	}
+}