Merge pull request #139 from MathiasKoch/fix/additional-signature-algos

Add three additional signature algorithms, offered by atleast AWS

Author: lulf

src/config.rs

@@ -124,7 +124,7 @@ where
 pub struct TlsConfig<'a> {
     pub(crate) server_name: Option<&'a str>,
     pub(crate) psk: Option<(&'a [u8], Vec<&'a [u8], 4>)>,
-    pub(crate) signature_schemes: Vec<SignatureScheme, 16>,
+    pub(crate) signature_schemes: Vec<SignatureScheme, 19>,
     pub(crate) named_groups: Vec<NamedGroup, 16>,
     pub(crate) max_fragment_length: Option<MaxFragmentLength>,
     pub(crate) ca: Option<Certificate<'a>>,

src/extensions/extension_data/signature_algorithms.rs

@@ -33,6 +33,10 @@ pub enum SignatureScheme {
     RsaPssPssSha384 = 0x080a,
     RsaPssPssSha512 = 0x080b,
 
+    Sha224Ecdsa = 0x0303,
+    Sha224Rsa = 0x0301,
+    Sha224Dsa = 0x0302,
+
     /* Legacy algorithms */
     RsaPkcs1Sha1 = 0x0201,
     EcdsaSha1 = 0x0203,
@@ -63,6 +67,10 @@ impl SignatureScheme {
             0x080a => Ok(Self::RsaPssPssSha384),
             0x080b => Ok(Self::RsaPssPssSha512),
 
+            0x0303 => Ok(Self::Sha224Ecdsa),
+            0x0301 => Ok(Self::Sha224Rsa),
+            0x0302 => Ok(Self::Sha224Dsa),
+
             0x0201 => Ok(Self::RsaPkcs1Sha1),
             0x0203 => Ok(Self::EcdsaSha1),
             _ => Err(ParseError::InvalidData),

src/extensions/messages.rs

@@ -19,12 +19,12 @@ extension_group! {
     pub enum ClientHelloExtension<'a> {
         ServerName(ServerNameList<'a, 1>),
         SupportedVersions(SupportedVersionsClientHello<16>),
-        SignatureAlgorithms(SignatureAlgorithms<16>),
+        SignatureAlgorithms(SignatureAlgorithms<19>),
         SupportedGroups(SupportedGroups<16>),
         KeyShare(KeyShareClientHello<'a, 1>),
         PreSharedKey(PreSharedKeyClientHello<'a, 4>),
         PskKeyExchangeModes(PskKeyExchangeModes<4>),
-        SignatureAlgorithmsCert(SignatureAlgorithmsCert<16>),
+        SignatureAlgorithmsCert(SignatureAlgorithmsCert<19>),
         MaxFragmentLength(MaxFragmentLength),
         StatusRequest(Unimplemented<'a>),
         UseSrtp(Unimplemented<'a>),
@@ -71,7 +71,7 @@ extension_group! {
 extension_group! {
     pub enum CertificateRequestExtension<'a> {
         StatusRequest(Unimplemented<'a>),
-        SignatureAlgorithms(SignatureAlgorithms<16>),
+        SignatureAlgorithms(SignatureAlgorithms<19>),
         SignedCertificateTimestamp(Unimplemented<'a>),
         CertificateAuthorities(Unimplemented<'a>),
         OidFilters(Unimplemented<'a>),

src/handshake/certificate_request.rs

@@ -34,7 +34,7 @@ impl<'a> CertificateRequestRef<'a> {
 #[cfg_attr(feature = "defmt", derive(defmt::Format))]
 pub struct CertificateRequest {
     pub(crate) request_context: Vec<u8, 256>,
-    pub(crate) signature_algorithms: Option<SignatureAlgorithms<16>>,
+    pub(crate) signature_algorithms: Option<SignatureAlgorithms<19>>,
 }
 
 impl<'a> TryFrom<CertificateRequestRef<'a>> for CertificateRequest {

src/webpki.rs

@@ -34,6 +34,10 @@ impl TryInto<&'static webpki::SignatureAlgorithm> for SignatureScheme {
             SignatureScheme::Ed25519 => Ok(&webpki::ED25519),
             SignatureScheme::Ed448 => Err(TlsError::InvalidSignatureScheme),
 
+            SignatureScheme::Sha224Ecdsa => Err(TlsError::InvalidSignatureScheme),
+            SignatureScheme::Sha224Rsa => Err(TlsError::InvalidSignatureScheme),
+            SignatureScheme::Sha224Dsa => Err(TlsError::InvalidSignatureScheme),
+
             /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
             SignatureScheme::RsaPssPssSha256 => Err(TlsError::InvalidSignatureScheme),
             SignatureScheme::RsaPssPssSha384 => Err(TlsError::InvalidSignatureScheme),
@@ -69,6 +73,10 @@ impl TryInto<&'static webpki::SignatureAlgorithm> for SignatureScheme {
             SignatureScheme::Ed25519 => Ok(&webpki::ED25519),
             SignatureScheme::Ed448 => Err(TlsError::InvalidSignatureScheme),
 
+            SignatureScheme::Sha224Ecdsa => Err(TlsError::InvalidSignatureScheme),
+            SignatureScheme::Sha224Rsa => Err(TlsError::InvalidSignatureScheme),
+            SignatureScheme::Sha224Dsa => Err(TlsError::InvalidSignatureScheme),
+
             /* RSASSA-PSS algorithms with public key OID RSASSA-PSS */
             SignatureScheme::RsaPssPssSha256 => Err(TlsError::InvalidSignatureScheme),
             SignatureScheme::RsaPssPssSha384 => Err(TlsError::InvalidSignatureScheme),

tests/data/ca-cert.pem

@@ -1,12 +1,13 @@
 -----BEGIN CERTIFICATE-----
-MIIB2TCCAX+gAwIBAgIUZ+9dtzTSadaW+FC4m8dOGL40eBMwCgYIKoZIzj0EAwIw
-QjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwT
-RGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMTEwMTMwODIwNDJaFw0zMTEwMTEwODIw
-NDJaMEIxCzAJBgNVBAYTAlhYMRUwEwYDVQQHDAxEZWZhdWx0IENpdHkxHDAaBgNV
-BAoME0RlZmF1bHQgQ29tcGFueSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
-AARwQ/jWAMuCH4qbcYVntGyq4RCYKiWiN9cVXKOnnDbSfIXS8IGnF7PFrCOck9yx
-4A7Pfo/00rTf0x1/NKNOV5nio1MwUTAdBgNVHQ4EFgQU7HQ64pisg1MasN9wSLE/
-LC6PcjowHwYDVR0jBBgwFoAU7HQ64pisg1MasN9wSLE/LC6PcjowDwYDVR0TAQH/
-BAUwAwEB/zAKBggqhkjOPQQDAgNIADBFAiBMip1366r3oWgJFzkkmh3Sf2te54G5
-KWs0PcVLaoNiuAIhAIx5dhXti2FEQ4mkZUKaqxfH5GdboZa6JEv2yYTd6ZvK
+MIIB4TCCAYegAwIBAgIUQg+MEmSRVTK2bmxap0ML1hrSlWYwCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDAzMTUxMDA0MTRaGA8yMDUxMDgw
+MTEwMDQxNFowRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABB2pswE2gtPH89n4Wt0G4s8DomZAB7nkUgUOt5cs6vEJLoPTiPo8
+3KXH3neFwooXK1OX+pCtwyun+EMDxbzZAyujUzBRMB0GA1UdDgQWBBTCzl8UW2Kl
+0hJcSAmVz0/TKyCdXDAfBgNVHSMEGDAWgBTCzl8UW2Kl0hJcSAmVz0/TKyCdXDAP
+BgNVHRMBAf8EBTADAQH/MAoGCCqGSM49BAMCA0gAMEUCIECp2SXHt3BkjkxCovuE
+5v8TmyuZqgyte95t9B28kDExAiEAqSM8ngckj9JqgKUijOMRYIE+frU9RtlawtUi
+7n2KQV0=
 -----END CERTIFICATE-----

tests/data/ca-key.pem

@@ -1,5 +1,5 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgb2Ff7kE1XJA3FKLl
-sNqHvI6ALhbh3pZjzeWTa+BrfvKhRANCAARwQ/jWAMuCH4qbcYVntGyq4RCYKiWi
-N9cVXKOnnDbSfIXS8IGnF7PFrCOck9yx4A7Pfo/00rTf0x1/NKNOV5ni
------END PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINFi5sVVW/2beOSKPlg8ef4Daez9wW2md3vBQ/XGzxKmoAoGCCqGSM49
+AwEHoUQDQgAEHamzATaC08fz2fha3QbizwOiZkAHueRSBQ63lyzq8Qkug9OI+jzc
+pcfed4XCihcrU5f6kK3DK6f4QwPFvNkDKw==
+-----END EC PRIVATE KEY-----

tests/data/client-cert.pem

@@ -1,12 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIIBzDCCAXGgAwIBAgIUVB+wKMT9vfrrgAOVt5qON8J8onMwCgYIKoZIzj0EAwIw
-QjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwT
-RGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yNDAyMDkwOTI3NDlaFw0yNDAzMTAwOTI3
-NDlaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQK
-DBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjOPQMB
-BwNCAAQzXKrX05qlw3NP1k6+kSiTnmI6Mo3ffT6VY71oPQIcqYiD1+hY7tIkk9kV
-ke11ZNdGZR0r/o+4TzYJcxcgkNhLo0IwQDAdBgNVHQ4EFgQUBH7ViSdnDzmkYtsO
-/f+BpHjeJHcwHwYDVR0jBBgwFoAU7HQ64pisg1MasN9wSLE/LC6PcjowCgYIKoZI
-zj0EAwIDSQAwRgIhAONbHGkd+/wpgELOk/az5ELfrB7YO2o4a6Uix5KQOnARAiEA
-tDGyTnCEmHjB/GGsLwLa8DRplNXFESDH2erfhutw8ME=
+MIIBzTCCAXSgAwIBAgIUGQYrxI6lMa1yflVNpTO7VPPEwSgwCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDAzMTUxMDA0MTVaFw0yNjEyMTAx
+MDA0MTVaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAATBRnKMD+6BTcFuurE4Qt4pMgjUaWLOP/kTdGzyaZkVlPfp0fIKTRKv
+EgHJlmTjsZfHkIm7nVD078BrfRoP6DqIo0IwQDAdBgNVHQ4EFgQUghgnu06bRUBN
+bZHPn38zSTpb70UwHwYDVR0jBBgwFoAUws5fFFtipdISXEgJlc9P0ysgnVwwCgYI
+KoZIzj0EAwIDRwAwRAIgOu6eFOYVbuWpIyDs2WrLXqHybAYlv4y4qqD6LZtITawC
+IHNgKyB1PNV0CN7VOexBVJQv4edB8etbVxAF+WqztDT+
 -----END CERTIFICATE-----

tests/data/client-key.pem

@@ -1,5 +1,5 @@
 -----BEGIN EC PRIVATE KEY-----
-MHcCAQEEIIMoxSnX9BbbgLSGk2rVi0o+NLwzisbbfce/pLGkHwvooAoGCCqGSM49
-AwEHoUQDQgAEM1yq19OapcNzT9ZOvpEok55iOjKN330+lWO9aD0CHKmIg9foWO7S
-JJPZFZHtdWTXRmUdK/6PuE82CXMXIJDYSw==
+MHcCAQEEIFllWPnIPExTk23tY4nSbss9UJ3EgDG91qZqajC/FBrkoAoGCCqGSM49
+AwEHoUQDQgAEwUZyjA/ugU3BbrqxOELeKTII1Glizj/5E3Rs8mmZFZT36dHyCk0S
+rxIByZZk47GXx5CJu51Q9O/Aa30aD+g6iA==
 -----END EC PRIVATE KEY-----

tests/data/client.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAATBRnKMD+6BTcFuurE4Qt4pMgjUaWLOP/kTdGzyaZkVlPfp0fIK
+TRKvEgHJlmTjsZfHkIm7nVD078BrfRoP6DqIoAAwCgYIKoZIzj0EAwIDRwAwRAIg
+Lz4amy52zltB01+MsIbEs0prvo3IscABIjJ5fmDbfKwCIBIHDrmrMLpSQmC6IhtD
+dbx7onV8yn6akJxA8tYjW6em
+-----END CERTIFICATE REQUEST-----

tests/data/gen_certs_and_keys.sh

@@ -0,0 +1,14 @@
+# Create CA private key and certificate
+openssl ecparam -name prime256v1 -genkey -noout -out ca-key.pem
+openssl req -new -x509 -sha256 -key ca-key.pem -days 10000 -out ca-cert.pem
+
+
+# Create private key, certificate signing request (CSR) and certificate for client
+openssl ecparam -name prime256v1 -genkey -noout -out client-key.pem
+openssl req -new -sha256 -key client-key.pem -out client.csr
+openssl x509 -req -in client.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out client-cert.pem -days 1000 -sha256
+
+# Create private key, certificate signing request (CSR) and certificate for server
+openssl ecparam -name prime256v1 -genkey -noout -out server-key.pem
+openssl req -new -sha256 -key server-key.pem -out server.csr
+openssl x509 -req -in server.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out server-cert.pem -days 10000 -sha256

tests/data/server-cert.pem

@@ -1,13 +1,12 @@
 -----BEGIN CERTIFICATE-----
-MIICBjCCAa2gAwIBAgIULDyCYYteka2S6hEC2890o7k+0Z0wCgYIKoZIzj0EAwIw
-QjELMAkGA1UEBhMCWFgxFTATBgNVBAcMDERlZmF1bHQgQ2l0eTEcMBoGA1UECgwT
-RGVmYXVsdCBDb21wYW55IEx0ZDAeFw0yMTEwMTMwODIwNDJaFw0zMTEwMTEwODIw
-NDJaMHIxCzAJBgNVBAYTAk5PMQ4wDAYDVQQIDAVIYW1hcjEOMAwGA1UEBwwFSGFt
-YXIxGDAWBgNVBAoMD0dsb2JhbCBTZWN1cml0eTEVMBMGA1UECwwMSG9sc2V0YmFr
-a2VuMRIwEAYDVQQDDAlsb2NhbGhvc3QwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNC
-AATEmfbzqqHiZwCKXgEfjAWjk6zPlK9Fs3bXfjo2gt1NuqA4yCdOULKa6aIFHyAv
-fM3zHNiL5vk5pbBtzja6vaIjo1EwTzAfBgNVHSMEGDAWgBTsdDrimKyDUxqw33BI
-sT8sLo9yOjAJBgNVHRMEAjAAMAsGA1UdDwQEAwIE8DAUBgNVHREEDTALgglsb2Nh
-bGhvc3QwCgYIKoZIzj0EAwIDRwAwRAIgbzQX/FohpbrME+QE6bo0UrYdXI1hSaSs
-8yjdM7dr4HoCIEM+dbqDGm+QG+tkhH7jB35czbBWmC/Y5ObMM29i/u2h
+MIIBzzCCAXagAwIBAgIUGQYrxI6lMa1yflVNpTO7VPPEwSkwCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAgFw0yNDAzMTUxMDA0MTdaGA8yMDUxMDgw
+MTEwMDQxN1owRTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAf
+BgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDBZMBMGByqGSM49AgEGCCqG
+SM49AwEHA0IABETSCUisGGdCnccDgjSkSnk7W9AwUJVV4fLeP7c0G1QH1KBjQFib
+fOiWiVi28vSFmqjsTDIMx9kdWLeUnBi9zwGjQjBAMB0GA1UdDgQWBBQDKzwiywv5
+9mVBb18zMizxhf9YgzAfBgNVHSMEGDAWgBTCzl8UW2Kl0hJcSAmVz0/TKyCdXDAK
+BggqhkjOPQQDAgNHADBEAiBRY8JvchuVF8+3ZKKHK5479LHIKGrLunjAiUct6x9J
+nQIgXzQlpSfpbSiZJc1vyfePkiyiDq02t3TQg7vhpmZeonU=
 -----END CERTIFICATE-----

tests/data/server-key.pem

@@ -1,5 +1,5 @@
------BEGIN PRIVATE KEY-----
-MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgKoaBrAdXxdzKFph6
-tXe2+WYYMV0HUz9KWdnz81f38YKhRANCAATEmfbzqqHiZwCKXgEfjAWjk6zPlK9F
-s3bXfjo2gt1NuqA4yCdOULKa6aIFHyAvfM3zHNiL5vk5pbBtzja6vaIj
------END PRIVATE KEY-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEINr4rPfkzpj7lJtJSoAwhLlTw5EQbHq+prwpWL5NlUlHoAoGCCqGSM49
+AwEHoUQDQgAERNIJSKwYZ0KdxwOCNKRKeTtb0DBQlVXh8t4/tzQbVAfUoGNAWJt8
+6JaJWLby9IWaqOxMMgzH2R1Yt5ScGL3PAQ==
+-----END EC PRIVATE KEY-----

tests/data/server.csr

@@ -0,0 +1,8 @@
+-----BEGIN CERTIFICATE REQUEST-----
+MIH/MIGnAgEAMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw
+HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggq
+hkjOPQMBBwNCAARE0glIrBhnQp3HA4I0pEp5O1vQMFCVVeHy3j+3NBtUB9SgY0BY
+m3zololYtvL0hZqo7EwyDMfZHVi3lJwYvc8BoAAwCgYIKoZIzj0EAwIDRwAwRAIg
+PrWAWWiMXPKHsx6zzEkzzonesjnUJc3YsbGfmGn8xXACIHLTD3XYL/X1Naoi1CMq
+nNcthxjBCwiHfVB2cqaf8N19
+-----END CERTIFICATE REQUEST-----