From bb6c30ee3c0f0e4e836442d0ccd224656247e1c7 Mon Sep 17 00:00:00 2001
From: Chelsea Holland Komlo
Date: Tue, 7 Aug 2018 14:14:40 -0400
Subject: [PATCH] add functionality to check if signature algorithm is supported in cipher suites
---
 helper/tlsutil/config.go | 55 +++++++++++++++++++++++++++++++++++
 helper/tlsutil/config_test.go | 53 +++++++++++++++++++++++++++++++++
 2 files changed, 108 insertions(+)
diff --git a/helper/tlsutil/config.go b/helper/tlsutil/config.go
index 1d5813546..913738e9e 100644
--- a/helper/tlsutil/config.go
+++ b/helper/tlsutil/config.go
@@ -41,6 +41,61 @@ var supportedTLSCiphers = map[string]uint16{
 "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
 }
 
+var rsa string = "RSA"
+var ecdsa string = "ECDSA"
+
+var supportedCipherSignatures = map[string]string{
+ "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": rsa,
+ "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": ecdsa,
+ "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": rsa,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": ecdsa,
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": rsa,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": ecdsa,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": rsa,
+ "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": rsa,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": ecdsa,
+ "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": ecdsa,
+ "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": rsa,
+ "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": ecdsa,
+ "TLS_RSA_WITH_AES_128_GCM_SHA256": rsa,
+ "TLS_RSA_WITH_AES_256_GCM_SHA384": rsa,
+ "TLS_RSA_WITH_AES_128_CBC_SHA256": rsa,
+ "TLS_RSA_WITH_AES_128_CBC_SHA": rsa,
+ "TLS_RSA_WITH_AES_256_CBC_SHA": rsa,
+}
+
+var signatureAlgorithmMapping = map[x509.SignatureAlgorithm]string{
+ x509.MD2WithRSA: rsa,
+ x509.MD5WithRSA: rsa,
+ x509.SHA1WithRSA: rsa,
+ x509.SHA256WithRSA: rsa,
+ x509.SHA384WithRSA: rsa,
+ x509.SHA512WithRSA: rsa,
+ x509.ECDSAWithSHA1: ecdsa,
+ x509.ECDSAWithSHA256: ecdsa,
+ x509.ECDSAWithSHA384: ecdsa,
+ x509.ECDSAWithSHA512: ecdsa,
+ x509.SHA256WithRSAPSS: rsa,
+ x509.SHA384WithRSAPSS: rsa,
+ x509.SHA512WithRSAPSS: rsa,
+}
+
+func cipherSuitesSupportSignatureAlgorithm(supportedSignature x509.SignatureAlgorithm, supportedCipherSuites []string) (bool, error) {
+ supportedSignatureAlgorithm, ok := signatureAlgorithmMapping[supportedSignature]
+ if !ok {
+ return false, fmt.Errorf("Unsupported signature scheme: %s", supportedSignature.String())
+ }
+
+ for _, cipher := range supportedCipherSuites {
+ cipherSupportedAlg := supportedCipherSignatures[cipher]
+ if supportedSignatureAlgorithm == cipherSupportedAlg {
+ return true, nil
+ }
+ }
+
+ return false, fmt.Errorf("Specified cipher suites don't support %s, consider adding more cipher suites with this signature algorithm.", supportedSignatureAlgorithm)
+}
+
 // defaultTLSCiphers are the TLS Ciphers that are supported by default
 var defaultTLSCiphers = []string{
 "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
diff --git a/helper/tlsutil/config_test.go b/helper/tlsutil/config_test.go
index 61585acdf..5f5dde16b 100644
--- a/helper/tlsutil/config_test.go
+++ b/helper/tlsutil/config_test.go
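Review bot: `cipherSuitesSupportSignatureAlgorithm` derives the RSA/ECDSA family from an `x509.SignatureAlgorithm`, which records how the issuer signed the certificate, while the RSA/ECDSA part of a cipher suite name refers to the key type of the certificate the server presents. The caller is outside this hunk, but if it passes the leaf certificate's `SignatureAlgorithm`, an ECDSA-key certificate issued by an RSA CA would pass this check with RSA-only suites and fail it with ECDSA-only ones, so the handshake could still fail after the check succeeds. Keying the lookup on the leaf's `PublicKeyAlgorithm`, e.g. `map[x509.PublicKeyAlgorithm]string{x509.RSA: rsa, x509.ECDSA: ecdsa}`, would match what the suite actually needs. `signatureAlgorithmMapping` also lists `x509.MD2WithRSA`, `x509.MD5WithRSA` and `x509.SHA1WithRSA` as ordinary RSA entries; if that is deliberate, a comment saying that the map only classifies the key family and does not vouch for the hash would prevent it being read as an allow-list.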
@@ -875,3 +875,56 @@ func TestConfig_ShouldReloadRPCConnections(t *testing.T) {
 require.Equal(shouldReload, testCase.shouldReload, testCase.errorStr)
 }
 }
+
+func TestConfig_ShouldDetectUnsupportedSignatureAlgorithms(t *testing.T) {
+ require := require.New(t)
+
+ type individualTestCase struct {
+ supportedSignature x509.SignatureAlgorithm
+ supportedCiphers []string
+ isSupported bool
+ description string
+ }
+
+ testCases := []*individualTestCase{
+ {
+ supportedSignature: x509.SHA256WithRSA,
+ supportedCiphers: []string{
+ "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
+ },
+ isSupported: true,
+ description: "Should be supported",
+ },
+ {
+ supportedSignature: x509.SHA256WithRSA,
+ supportedCiphers: []string{
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ },
+ isSupported: false,
+ description: "Should not be supported",
+ },
+ {
+ supportedSignature: x509.SHA256WithRSA,
+ supportedCiphers: []string{
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ },
+ isSupported: false,
+ description: "Multiple options without a match should not be supported",
+ },
+ {
+ supportedSignature: x509.MD2WithRSA,
+ supportedCiphers: []string{
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
+ },
+ isSupported: false,
+ description: "Unsupported signature should not find a match",
+ },
+ }
+
+ for _, testCase := range testCases {
+ isSupported, _ := cipherSuitesSupportSignatureAlgorithm(testCase.supportedSignature, testCase.supportedCiphers)
+ require.Equal(testCase.isSupported, isSupported, testCase.description)
+ }
+}
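Review bot: The last case in `TestConfig_ShouldDetectUnsupportedSignatureAlgorithms` does not reach the unsupported-algorithm branch: `x509.MD2WithRSA` is a key of `signatureAlgorithmMapping` in the config.go hunk, so the call returns false only because both listed suites are ECDSA. An algorithm absent from the mapping, e.g. `supportedSignature: x509.UnknownSignatureAlgorithm,`, would exercise the `!ok` return. The loop discards the error with `isSupported, _ :=`, so neither error path is asserted; capturing `err` and adding `require.Equal(!testCase.isSupported, err != nil, testCase.description)` would pin it. The two multi-suite cases repeat the same ECDSA suite, so a mixed RSA/ECDSA list where only a later entry matches is not covered.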