public virtual void Init(TlsContext context)
{
mContext = context;
ProtocolVersion clientVersion = context.ClientVersion;
if (TlsUtilities.IsSignatureAlgorithmsExtensionAllowed(clientVersion))
{
if (mSupportedSignatureAlgorithms == null)
{
switch (mKeyExchange)
{
case 13:
case 14:
case 21:
case 24:
break;
case 3:
case 7:
case 22:
mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultDssSignatureAlgorithms();
break;
case 16:
case 17:
mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
break;
case 1:
case 5:
case 9:
case 15:
case 18:
case 19:
case 23:
mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultRsaSignatureAlgorithms();
break;
default:
throw new InvalidOperationException("unsupported key exchange algorithm");
}
}
}
else if (mSupportedSignatureAlgorithms != null)
{
throw new InvalidOperationException("supported_signature_algorithms not allowed for " + clientVersion);
}
}
public virtual void Init(TlsContext context)
{
this.mContext = context;
ProtocolVersion clientVersion = context.ClientVersion;
if (TlsUtilities.IsSignatureAlgorithmsExtensionAllowed(clientVersion))
{
/*
* RFC 5246 7.4.1.4.1. If the client does not send the signature_algorithms extension,
* the server MUST do the following:
*
* - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA, DH_RSA, RSA_PSK,
* ECDH_RSA, ECDHE_RSA), behave as if client had sent the value {sha1,rsa}.
*
* - If the negotiated key exchange algorithm is one of (DHE_DSS, DH_DSS), behave as if
* the client had sent the value {sha1,dsa}.
*
* - If the negotiated key exchange algorithm is one of (ECDH_ECDSA, ECDHE_ECDSA),
* behave as if the client had sent value {sha1,ecdsa}.
*/
if (this.mSupportedSignatureAlgorithms == null)
{
switch (mKeyExchange)
{
case KeyExchangeAlgorithm.DH_DSS:
case KeyExchangeAlgorithm.DHE_DSS:
case KeyExchangeAlgorithm.SRP_DSS:
{
this.mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultDssSignatureAlgorithms();
break;
}
case KeyExchangeAlgorithm.ECDH_ECDSA:
case KeyExchangeAlgorithm.ECDHE_ECDSA:
{
this.mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
break;
}
case KeyExchangeAlgorithm.DH_RSA:
case KeyExchangeAlgorithm.DHE_RSA:
case KeyExchangeAlgorithm.ECDH_RSA:
case KeyExchangeAlgorithm.ECDHE_RSA:
case KeyExchangeAlgorithm.RSA:
case KeyExchangeAlgorithm.RSA_PSK:
case KeyExchangeAlgorithm.SRP_RSA:
{
this.mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultRsaSignatureAlgorithms();
break;
}
case KeyExchangeAlgorithm.DHE_PSK:
case KeyExchangeAlgorithm.ECDHE_PSK:
case KeyExchangeAlgorithm.PSK:
case KeyExchangeAlgorithm.SRP:
break;
default:
throw new InvalidOperationException("unsupported key exchange algorithm");
}
}
}
else if (this.mSupportedSignatureAlgorithms != null)
{
throw new InvalidOperationException("supported_signature_algorithms not allowed for " + clientVersion);
}
}
private static void AddVersionTests(IList testSuite, ProtocolVersion version)
{
string prefix = version.ToString()
.Replace(" ", "")
.Replace("\\", "")
.Replace(".", "")
+ "_";
/*
* NOTE: Temporarily disabled automatic test runs because of problems getting a clean exit
* of the DTLS server after a fatal alert. As of writing, manual runs show the correct
* alerts being raised
*/
#if false
/*
* Server only declares support for SHA1/RSA, client selects MD5/RSA. Since the client is
* NOT actually tracking MD5 over the handshake, we expect fatal alert from the client.
*/
if (TlsUtilities.IsTlsV12(version))
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientAuth = C.CLIENT_AUTH_VALID;
c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
c.serverCertReqSigAlgs = TlsUtilities.GetDefaultRsaSignatureAlgorithms();
c.ExpectClientFatalAlert(AlertDescription.internal_error);
AddTestCase(testSuite, c, prefix + "BadCertificateVerifyHashAlg");
}
/*
* Server only declares support for SHA1/ECDSA, client selects SHA1/RSA. Since the client is
* actually tracking SHA1 over the handshake, we expect fatal alert to come from the server
* when it verifies the selected algorithm against the CertificateRequest supported
* algorithms.
*/
if (TlsUtilities.IsTlsV12(version))
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientAuth = C.CLIENT_AUTH_VALID;
c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa);
c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
c.ExpectServerFatalAlert(AlertDescription.illegal_parameter);
AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlg");
}
/*
* Server only declares support for SHA1/ECDSA, client signs with SHA1/RSA, but sends
* SHA1/ECDSA in the CertificateVerify. Since the client is actually tracking SHA1 over the
* handshake, and the claimed algorithm is in the CertificateRequest supported algorithms,
* we expect fatal alert to come from the server when it finds the claimed algorithm
* doesn't match the client certificate.
*/
if (TlsUtilities.IsTlsV12(version))
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientAuth = C.CLIENT_AUTH_VALID;
c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa);
c.clientAuthSigAlgClaimed = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa);
c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms();
c.ExpectServerFatalAlert(AlertDescription.decrypt_error);
AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlgMismatch");
}
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientAuth = C.CLIENT_AUTH_INVALID_VERIFY;
c.ExpectServerFatalAlert(AlertDescription.decrypt_error);
AddTestCase(testSuite, c, prefix + "BadCertificateVerifySignature");
}
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientAuth = C.CLIENT_AUTH_INVALID_CERT;
c.ExpectServerFatalAlert(AlertDescription.bad_certificate);
AddTestCase(testSuite, c, prefix + "BadClientCertificate");
}
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientAuth = C.CLIENT_AUTH_NONE;
c.serverCertReq = C.SERVER_CERT_REQ_MANDATORY;
c.ExpectServerFatalAlert(AlertDescription.handshake_failure);
AddTestCase(testSuite, c, prefix + "BadMandatoryCertReqDeclined");
}
/*
* Server selects MD5/RSA for ServerKeyExchange signature, which is not in the default
* supported signature algorithms that the client sent. We expect fatal alert from the
* client when it verifies the selected algorithm against the supported algorithms.
*/
if (TlsUtilities.IsTlsV12(version))
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
c.ExpectClientFatalAlert(AlertDescription.illegal_parameter);
AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg");
}
/*
* Server selects MD5/RSA for ServerKeyExchange signature, which is not the default {sha1,rsa}
* implied by the absent signature_algorithms extension. We expect fatal alert from the
* client when it verifies the selected algorithm against the implicit default.
*/
if (TlsUtilities.IsTlsV12(version))
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientSendSignatureAlgorithms = false;
c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa);
c.ExpectClientFatalAlert(AlertDescription.illegal_parameter);
AddTestCaseDebug(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2");
}
#endif
{
TlsTestConfig c = CreateDtlsTestConfig(version);
AddTestCase(testSuite, c, prefix + "GoodDefault");
}
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.serverCertReq = C.SERVER_CERT_REQ_NONE;
AddTestCase(testSuite, c, prefix + "GoodNoCertReq");
}
{
TlsTestConfig c = CreateDtlsTestConfig(version);
c.clientAuth = C.CLIENT_AUTH_NONE;
AddTestCase(testSuite, c, prefix + "GoodOptionalCertReqDeclined");
}
}