add functionality to check if signature algorithm is supported in cipher suites

This commit is contained in:
Chelsea Holland Komlo 2018-08-07 14:14:40 -04:00
parent b92098fd08
commit bb6c30ee3c
2 changed files with 108 additions and 0 deletions

View file

@ -41,6 +41,61 @@ var supportedTLSCiphers = map[string]uint16{
"TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA, "TLS_RSA_WITH_AES_256_CBC_SHA": tls.TLS_RSA_WITH_AES_256_CBC_SHA,
} }
var rsa string = "RSA"
var ecdsa string = "ECDSA"
var supportedCipherSignatures = map[string]string{
"TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305": rsa,
"TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305": ecdsa,
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": rsa,
"TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256": ecdsa,
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": rsa,
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384": ecdsa,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256": rsa,
"TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": rsa,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256": ecdsa,
"TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA": ecdsa,
"TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": rsa,
"TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA": ecdsa,
"TLS_RSA_WITH_AES_128_GCM_SHA256": rsa,
"TLS_RSA_WITH_AES_256_GCM_SHA384": rsa,
"TLS_RSA_WITH_AES_128_CBC_SHA256": rsa,
"TLS_RSA_WITH_AES_128_CBC_SHA": rsa,
"TLS_RSA_WITH_AES_256_CBC_SHA": rsa,
}
var signatureAlgorithmMapping = map[x509.SignatureAlgorithm]string{
x509.MD2WithRSA: rsa,
x509.MD5WithRSA: rsa,
x509.SHA1WithRSA: rsa,
x509.SHA256WithRSA: rsa,
x509.SHA384WithRSA: rsa,
x509.SHA512WithRSA: rsa,
x509.ECDSAWithSHA1: ecdsa,
x509.ECDSAWithSHA256: ecdsa,
x509.ECDSAWithSHA384: ecdsa,
x509.ECDSAWithSHA512: ecdsa,
x509.SHA256WithRSAPSS: rsa,
x509.SHA384WithRSAPSS: rsa,
x509.SHA512WithRSAPSS: rsa,
}
func cipherSuitesSupportSignatureAlgorithm(supportedSignature x509.SignatureAlgorithm, supportedCipherSuites []string) (bool, error) {
supportedSignatureAlgorithm, ok := signatureAlgorithmMapping[supportedSignature]
if !ok {
return false, fmt.Errorf("Unsupported signature scheme: %s", supportedSignature.String())
}
for _, cipher := range supportedCipherSuites {
cipherSupportedAlg := supportedCipherSignatures[cipher]
if supportedSignatureAlgorithm == cipherSupportedAlg {
return true, nil
}
}
return false, fmt.Errorf("Specified cipher suites don't support %s, consider adding more cipher suites with this signature algorithm.", supportedSignatureAlgorithm)
}
// defaultTLSCiphers are the TLS Ciphers that are supported by default // defaultTLSCiphers are the TLS Ciphers that are supported by default
var defaultTLSCiphers = []string{ var defaultTLSCiphers = []string{
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384", "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",

View file

@ -875,3 +875,56 @@ func TestConfig_ShouldReloadRPCConnections(t *testing.T) {
require.Equal(shouldReload, testCase.shouldReload, testCase.errorStr) require.Equal(shouldReload, testCase.shouldReload, testCase.errorStr)
} }
} }
func TestConfig_ShouldDetectUnsupportedSignatureAlgorithms(t *testing.T) {
require := require.New(t)
type individualTestCase struct {
supportedSignature x509.SignatureAlgorithm
supportedCiphers []string
isSupported bool
description string
}
testCases := []*individualTestCase{
{
supportedSignature: x509.SHA256WithRSA,
supportedCiphers: []string{
"TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
},
isSupported: true,
description: "Should be supported",
},
{
supportedSignature: x509.SHA256WithRSA,
supportedCiphers: []string{
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
},
isSupported: false,
description: "Should not be supported",
},
{
supportedSignature: x509.SHA256WithRSA,
supportedCiphers: []string{
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
},
isSupported: false,
description: "Multiple options without a match should not be supported",
},
{
supportedSignature: x509.MD2WithRSA,
supportedCiphers: []string{
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
"TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
},
isSupported: false,
description: "Unsupported signature should not find a match",
},
}
for _, testCase := range testCases {
isSupported, _ := cipherSuitesSupportSignatureAlgorithm(testCase.supportedSignature, testCase.supportedCiphers)
require.Equal(testCase.isSupported, isSupported, testCase.description)
}
}