public virtual void Init(TlsContext context) { mContext = context; ProtocolVersion clientVersion = context.ClientVersion; if (TlsUtilities.IsSignatureAlgorithmsExtensionAllowed(clientVersion)) { if (mSupportedSignatureAlgorithms == null) { switch (mKeyExchange) { case 13: case 14: case 21: case 24: break; case 3: case 7: case 22: mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultDssSignatureAlgorithms(); break; case 16: case 17: mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); break; case 1: case 5: case 9: case 15: case 18: case 19: case 23: mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultRsaSignatureAlgorithms(); break; default: throw new InvalidOperationException("unsupported key exchange algorithm"); } } } else if (mSupportedSignatureAlgorithms != null) { throw new InvalidOperationException("supported_signature_algorithms not allowed for " + clientVersion); } }
public virtual void Init(TlsContext context) { this.mContext = context; ProtocolVersion clientVersion = context.ClientVersion; if (TlsUtilities.IsSignatureAlgorithmsExtensionAllowed(clientVersion)) { /* * RFC 5246 7.4.1.4.1. If the client does not send the signature_algorithms extension, * the server MUST do the following: * * - If the negotiated key exchange algorithm is one of (RSA, DHE_RSA, DH_RSA, RSA_PSK, * ECDH_RSA, ECDHE_RSA), behave as if client had sent the value {sha1,rsa}. * * - If the negotiated key exchange algorithm is one of (DHE_DSS, DH_DSS), behave as if * the client had sent the value {sha1,dsa}. * * - If the negotiated key exchange algorithm is one of (ECDH_ECDSA, ECDHE_ECDSA), * behave as if the client had sent value {sha1,ecdsa}. */ if (this.mSupportedSignatureAlgorithms == null) { switch (mKeyExchange) { case KeyExchangeAlgorithm.DH_DSS: case KeyExchangeAlgorithm.DHE_DSS: case KeyExchangeAlgorithm.SRP_DSS: { this.mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultDssSignatureAlgorithms(); break; } case KeyExchangeAlgorithm.ECDH_ECDSA: case KeyExchangeAlgorithm.ECDHE_ECDSA: { this.mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); break; } case KeyExchangeAlgorithm.DH_RSA: case KeyExchangeAlgorithm.DHE_RSA: case KeyExchangeAlgorithm.ECDH_RSA: case KeyExchangeAlgorithm.ECDHE_RSA: case KeyExchangeAlgorithm.RSA: case KeyExchangeAlgorithm.RSA_PSK: case KeyExchangeAlgorithm.SRP_RSA: { this.mSupportedSignatureAlgorithms = TlsUtilities.GetDefaultRsaSignatureAlgorithms(); break; } case KeyExchangeAlgorithm.DHE_PSK: case KeyExchangeAlgorithm.ECDHE_PSK: case KeyExchangeAlgorithm.PSK: case KeyExchangeAlgorithm.SRP: break; default: throw new InvalidOperationException("unsupported key exchange algorithm"); } } } else if (this.mSupportedSignatureAlgorithms != null) { throw new InvalidOperationException("supported_signature_algorithms not allowed for " + clientVersion); } }
private static void AddVersionTests(IList testSuite, ProtocolVersion version) { string prefix = version.ToString() .Replace(" ", "") .Replace("\\", "") .Replace(".", "") + "_"; /* * NOTE: Temporarily disabled automatic test runs because of problems getting a clean exit * of the DTLS server after a fatal alert. As of writing, manual runs show the correct * alerts being raised */ #if false /* * Server only declares support for SHA1/RSA, client selects MD5/RSA. Since the client is * NOT actually tracking MD5 over the handshake, we expect fatal alert from the client. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_VALID; c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); c.serverCertReqSigAlgs = TlsUtilities.GetDefaultRsaSignatureAlgorithms(); c.ExpectClientFatalAlert(AlertDescription.internal_error); AddTestCase(testSuite, c, prefix + "BadCertificateVerifyHashAlg"); } /* * Server only declares support for SHA1/ECDSA, client selects SHA1/RSA. Since the client is * actually tracking SHA1 over the handshake, we expect fatal alert to come from the server * when it verifies the selected algorithm against the CertificateRequest supported * algorithms. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_VALID; c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa); c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); c.ExpectServerFatalAlert(AlertDescription.illegal_parameter); AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlg"); } /* * Server only declares support for SHA1/ECDSA, client signs with SHA1/RSA, but sends * SHA1/ECDSA in the CertificateVerify. Since the client is actually tracking SHA1 over the * handshake, and the claimed algorithm is in the CertificateRequest supported algorithms, * we expect fatal alert to come from the server when it finds the claimed algorithm * doesn't match the client certificate. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_VALID; c.clientAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.rsa); c.clientAuthSigAlgClaimed = new SignatureAndHashAlgorithm(HashAlgorithm.sha1, SignatureAlgorithm.ecdsa); c.serverCertReqSigAlgs = TlsUtilities.GetDefaultECDsaSignatureAlgorithms(); c.ExpectServerFatalAlert(AlertDescription.decrypt_error); AddTestCase(testSuite, c, prefix + "BadCertificateVerifySigAlgMismatch"); } { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_INVALID_VERIFY; c.ExpectServerFatalAlert(AlertDescription.decrypt_error); AddTestCase(testSuite, c, prefix + "BadCertificateVerifySignature"); } { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_INVALID_CERT; c.ExpectServerFatalAlert(AlertDescription.bad_certificate); AddTestCase(testSuite, c, prefix + "BadClientCertificate"); } { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_NONE; c.serverCertReq = C.SERVER_CERT_REQ_MANDATORY; c.ExpectServerFatalAlert(AlertDescription.handshake_failure); AddTestCase(testSuite, c, prefix + "BadMandatoryCertReqDeclined"); } /* * Server selects MD5/RSA for ServerKeyExchange signature, which is not in the default * supported signature algorithms that the client sent. We expect fatal alert from the * client when it verifies the selected algorithm against the supported algorithms. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); c.ExpectClientFatalAlert(AlertDescription.illegal_parameter); AddTestCase(testSuite, c, prefix + "BadServerKeyExchangeSigAlg"); } /* * Server selects MD5/RSA for ServerKeyExchange signature, which is not the default {sha1,rsa} * implied by the absent signature_algorithms extension. We expect fatal alert from the * client when it verifies the selected algorithm against the implicit default. */ if (TlsUtilities.IsTlsV12(version)) { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientSendSignatureAlgorithms = false; c.serverAuthSigAlg = new SignatureAndHashAlgorithm(HashAlgorithm.md5, SignatureAlgorithm.rsa); c.ExpectClientFatalAlert(AlertDescription.illegal_parameter); AddTestCaseDebug(testSuite, c, prefix + "BadServerKeyExchangeSigAlg2"); } #endif { TlsTestConfig c = CreateDtlsTestConfig(version); AddTestCase(testSuite, c, prefix + "GoodDefault"); } { TlsTestConfig c = CreateDtlsTestConfig(version); c.serverCertReq = C.SERVER_CERT_REQ_NONE; AddTestCase(testSuite, c, prefix + "GoodNoCertReq"); } { TlsTestConfig c = CreateDtlsTestConfig(version); c.clientAuth = C.CLIENT_AUTH_NONE; AddTestCase(testSuite, c, prefix + "GoodOptionalCertReqDeclined"); } }