New BoringSSL context option - SSL_CTX_set1_sigalgs (#765)

My use case of this library had the requirement to use a different
signing algorithm and certificate type (ed25519 to be specific).

Changes:

- New BoringSSL context option - SSL_CTX_set1_sigalgs (this expands on
#755 )
- Allowing certificate types in certificate callback to be modified
(allows the implementer to override the defaults and use any certificate
type they want now)

Result:

This increases the overall flexibility of the quic implementation.

---------

Co-authored-by: Norman Maurer <norman_maurer@apple.com>

Author: jaymansfield

codec-classes-quic/src/main/java/io/netty/incubator/codec/quic/BoringSSL.java

@@ -102,6 +102,22 @@ static int SSLContext_set1_groups_list(long ctx, String... groups) {
         return SSLContext_set1_groups_list(ctx, sb.toString());
     }
 
+    static int SSLContext_set1_sigalgs_list(long ctx, String... sigalgs) {
+        if (sigalgs.length == 0) {
+            throw new IllegalArgumentException();
+        }
+        StringBuilder sb = new StringBuilder();
+        for (String sigalg: sigalgs) {
+            sb.append(sigalg);
+            // Groups are separated by : as explained in the manpage.
+            sb.append(':');
+        }
+        sb.setLength(sb.length() - 1);
+        return SSLContext_set1_sigalgs_list(ctx, sb.toString());
+    }
+ 
+    private static native int SSLContext_set1_sigalgs_list(long context, String sigalgs);
+
     private static native int SSLContext_set1_groups_list(long context, String groups);
     static native void SSLContext_free(long context);
     static long SSL_new(long context, boolean server, String hostname) {

codec-classes-quic/src/main/java/io/netty/incubator/codec/quic/BoringSSLCertificateCallback.java

@@ -66,18 +66,18 @@ final class BoringSSLCertificateCallback {
     static final String KEY_TYPE_EC_RSA = "EC_RSA";
 
     // key type mappings for types.
-    private static final Map<String, String> KEY_TYPES = new HashMap<String, String>();
+    private static final Map<String, String> DEFAULT_SERVER_KEY_TYPES = new HashMap<String, String>();
     static {
-        KEY_TYPES.put("RSA", KEY_TYPE_RSA);
-        KEY_TYPES.put("DHE_RSA", KEY_TYPE_RSA);
-        KEY_TYPES.put("ECDHE_RSA", KEY_TYPE_RSA);
-        KEY_TYPES.put("ECDHE_ECDSA", KEY_TYPE_EC);
-        KEY_TYPES.put("ECDH_RSA", KEY_TYPE_EC_RSA);
-        KEY_TYPES.put("ECDH_ECDSA", KEY_TYPE_EC_EC);
-        KEY_TYPES.put("DH_RSA", KEY_TYPE_DH_RSA);
+        DEFAULT_SERVER_KEY_TYPES.put("RSA", KEY_TYPE_RSA);
+        DEFAULT_SERVER_KEY_TYPES.put("DHE_RSA", KEY_TYPE_RSA);
+        DEFAULT_SERVER_KEY_TYPES.put("ECDHE_RSA", KEY_TYPE_RSA);
+        DEFAULT_SERVER_KEY_TYPES.put("ECDHE_ECDSA", KEY_TYPE_EC);
+        DEFAULT_SERVER_KEY_TYPES.put("ECDH_RSA", KEY_TYPE_EC_RSA);
+        DEFAULT_SERVER_KEY_TYPES.put("ECDH_ECDSA", KEY_TYPE_EC_EC);
+        DEFAULT_SERVER_KEY_TYPES.put("DH_RSA", KEY_TYPE_DH_RSA);
     }
 
-    private static final Set<String> SUPPORTED_KEY_TYPES = Collections.unmodifiableSet(new LinkedHashSet<>(
+    private static final Set<String> DEFAULT_CLIENT_KEY_TYPES = Collections.unmodifiableSet(new LinkedHashSet<>(
             Arrays.asList(KEY_TYPE_RSA,
                     KEY_TYPE_DH_RSA,
                     KEY_TYPE_EC,
@@ -90,11 +90,16 @@ final class BoringSSLCertificateCallback {
     private final QuicheQuicSslEngineMap engineMap;
     private final X509ExtendedKeyManager keyManager;
     private final String password;
+    private final Map<String, String> serverKeyTypes;
+    private final Set<String> clientKeyTypes;
 
-    BoringSSLCertificateCallback(QuicheQuicSslEngineMap engineMap, @Nullable X509ExtendedKeyManager keyManager, String password) {
+    BoringSSLCertificateCallback(QuicheQuicSslEngineMap engineMap, @Nullable X509ExtendedKeyManager keyManager, String password, Map<String, String> serverKeyTypes, Set<String> clientKeyTypes) {
         this.engineMap = engineMap;
         this.keyManager = keyManager;
         this.password = password;
+
+        this.serverKeyTypes = serverKeyTypes != null ? serverKeyTypes : DEFAULT_SERVER_KEY_TYPES;
+        this.clientKeyTypes = clientKeyTypes != null ? clientKeyTypes : DEFAULT_CLIENT_KEY_TYPES;
     }
 
     @SuppressWarnings("unused")
@@ -154,9 +159,9 @@ final class BoringSSLCertificateCallback {
         // authMethods may contain duplicates or may result in the same type
         // but call chooseServerAlias(...) may be expensive. So let's ensure
         // we filter out duplicates.
-        Set<String> typeSet = new HashSet<String>(KEY_TYPES.size());
+        Set<String> typeSet = new HashSet<String>(serverKeyTypes.size());
         for (String authMethod : authMethods) {
-            String type = KEY_TYPES.get(authMethod);
+            String type = serverKeyTypes.get(authMethod);
             if (type != null && typeSet.add(type)) {
                 String alias = chooseServerAlias(engine, type);
                 if (alias != null) {
@@ -243,10 +248,10 @@ private String chooseServerAlias(QuicheQuicSslEngine engine, String type) {
      * @return supported key types that can be used in {@code X509KeyManager.chooseClientAlias} and
      *         {@code X509ExtendedKeyManager.chooseEngineClientAlias}.
      */
-    private static Set<String> supportedClientKeyTypes(byte @Nullable[] clientCertificateTypes) {
+    private Set<String> supportedClientKeyTypes(byte @Nullable[] clientCertificateTypes) {
         if (clientCertificateTypes == null) {
             // Try all of the supported key types.
-            return SUPPORTED_KEY_TYPES;
+            return clientKeyTypes;
         }
         Set<String> result = new HashSet<>(clientCertificateTypes.length);
         for (byte keyTypeCode : clientCertificateTypes) {

codec-classes-quic/src/main/java/io/netty/incubator/codec/quic/BoringSSLContextOption.java

@@ -17,6 +17,9 @@
 
 import io.netty.handler.ssl.SslContextOption;
 
+import java.util.Map;
+import java.util.Set;
+
 /**
  * {@link SslContextOption}s that are specific to BoringSSL.
  *
@@ -34,4 +37,22 @@ private BoringSSLContextOption(String name) {
      *     SSL_CTX_set1_groups_list</a>.
      */
     public static final BoringSSLContextOption<String[]> GROUPS = new BoringSSLContextOption<>("GROUPS");
+
+    /**
+     * Set the signature algorithms that should be used.
+     * <p>
+     * See <a href="https://github.com/google/boringssl/blob/master/include/openssl/ssl.h#L5166">
+     *     SSL_CTX_set1_sigalgs</a>.
+     */
+    public static final BoringSSLContextOption<String[]> SIGNATURE_ALGORITHMS = new BoringSSLContextOption<>("SIGNATURE_ALGORITHMS");
+
+    /**
+     * Set the supported client key/certificate types used in BoringSSLCertificateCallback
+     */
+    public static final BoringSSLContextOption<Set<String>> CLIENT_KEY_TYPES = new BoringSSLContextOption<>("CLIENT_KEY_TYPES");
+
+    /**
+     * Set the supported server key/certificate types used in BoringSSLCertificateCallback
+     */
+    public static final BoringSSLContextOption<Map<String, String>> SERVER_KEY_TYPES = new BoringSSLContextOption<>("SERVER_KEY_TYPES");
 }

codec-classes-quic/src/main/java/io/netty/incubator/codec/quic/QuicheQuicSslContext.java

@@ -186,6 +186,10 @@ final class QuicheQuicSslContext extends QuicSslContext {
             keyManager = chooseKeyManager(keyManagerFactory);
         }
         String[] groups = NAMED_GROUPS;
+        String[] sigalgs = EmptyArrays.EMPTY_STRINGS;
+        Map<String, String> serverKeyTypes = null;
+        Set<String> clientKeyTypes = null;
+
         if (ctxOptions != null) {
             for (Map.Entry<SslContextOption<?>, Object> ctxOpt : ctxOptions) {
                 SslContextOption<?> option = ctxOpt.getKey();
@@ -197,6 +201,17 @@ final class QuicheQuicSslContext extends QuicSslContext {
                         groupsSet.add(GroupsConverter.toBoringSSL(group));
                     }
                     groups = groupsSet.toArray(EmptyArrays.EMPTY_STRINGS);
+                } else if (option == BoringSSLContextOption.SIGNATURE_ALGORITHMS) {
+                    String[] sigalgsArray = (String[]) ctxOpt.getValue();
+                    Set<String> sigalgsSet = new LinkedHashSet<String>(sigalgsArray.length);
+                    for (String sigalg : sigalgsArray) {
+                        sigalgsSet.add(sigalg);
+                    }
+                    sigalgs = sigalgsSet.toArray(EmptyArrays.EMPTY_STRINGS);
+                } else if (option == BoringSSLContextOption.CLIENT_KEY_TYPES) {
+                    clientKeyTypes = (Set<String>) ctxOpt.getValue();
+                } else if (option == BoringSSLContextOption.SERVER_KEY_TYPES) {
+                    serverKeyTypes = (Map<String, String>) ctxOpt.getValue();
                 } else {
                     LOGGER.debug("Skipping unsupported " + SslContextOption.class.getSimpleName()
                             + ": " + ctxOpt.getKey());
@@ -214,7 +229,7 @@ final class QuicheQuicSslContext extends QuicSslContext {
         int verifyMode = server ? boringSSLVerifyModeForServer(this.clientAuth) : BoringSSL.SSL_VERIFY_PEER;
         nativeSslContext = new NativeSslContext(BoringSSL.SSLContext_new(server, applicationProtocols,
                 new BoringSSLHandshakeCompleteCallback(engineMap),
-                new BoringSSLCertificateCallback(engineMap, keyManager, password),
+                new BoringSSLCertificateCallback(engineMap, keyManager, password, serverKeyTypes, clientKeyTypes),
                 new BoringSSLCertificateVerifyCallback(engineMap, trustManager),
                 mapping == null ? null : new BoringSSLTlsextServernameCallback(engineMap, mapping),
                 keylog == null ? null : new BoringSSLKeylogCallback(engineMap, keylog),
@@ -233,6 +248,16 @@ final class QuicheQuicSslContext extends QuicSslContext {
                 throw new IllegalStateException(msg);
             }
 
+            if (sigalgs.length > 0 && BoringSSL.SSLContext_set1_sigalgs_list(nativeSslContext.ctx, sigalgs) == 0) {
+                String msg = "failed to set signature algorithm list: " + Arrays.toString(sigalgs);
+                String lastError = BoringSSL.ERR_last_error();
+                if (lastError != null) {
+                    // We have some more details about why the operations failed, include these into the message.
+                    msg += ". " + lastError;
+                }
+                throw new IllegalStateException(msg);
+            }
+
             apn = new QuicheQuicApplicationProtocolNegotiator(applicationProtocols);
             if (this.sessionCache != null) {
                 // Cache is handled via our own implementation.

codec-native-quic/src/main/c/netty_quic_boringssl.c

@@ -1427,6 +1427,13 @@ jint netty_boringssl_SSLContext_set1_groups_list(JNIEnv* env, jclass clazz, jlon
     return (jint) ret;
 }
 
+jint netty_boringssl_SSLContext_set1_sigalgs_list(JNIEnv* env, jclass clazz, jlong ctx, jstring sigalgs) {
+    const char *nativeString = (*env)->GetStringUTFChars(env, sigalgs, 0);
+    int ret = SSL_CTX_set1_sigalgs_list((SSL_CTX *) ctx, nativeString);
+    (*env)->ReleaseStringUTFChars(env, sigalgs, nativeString);
+    return (jint) ret;
+}
+
 // JNI Registered Methods End
 
 // JNI Method Registration Table Begin
@@ -1464,6 +1471,7 @@ static const JNINativeMethod fixed_method_table[] = {
   { "SSLContext_set_early_data_enabled", "(JZ)V", (void *) netty_boringssl_SSLContext_set_early_data_enabled },
   { "SSLContext_setSessionTicketKeys", "(JZ)V", (void *) netty_boringssl_SSLContext_setSessionTicketKeys },
   { "SSLContext_set1_groups_list", "(JLjava/lang/String;)I", (void *) netty_boringssl_SSLContext_set1_groups_list },
+  { "SSLContext_set1_sigalgs_list", "(JLjava/lang/String;)I", (void *) netty_boringssl_SSLContext_set1_sigalgs_list },
   { "SSL_new0", "(JZLjava/lang/String;)J", (void *) netty_boringssl_SSL_new0 },
   { "SSL_free", "(J)V", (void *) netty_boringssl_SSL_free },
   { "SSL_getTask", "(J)Ljava/lang/Runnable;", (void *) netty_boringssl_SSL_getTask },

codec-native-quic/src/test/java/io/netty/incubator/codec/quic/QuicChannelConnectTest.java

@@ -27,6 +27,7 @@
 import io.netty.channel.ChannelPromise;
 import io.netty.channel.ConnectTimeoutException;
 import io.netty.channel.socket.ChannelInputShutdownEvent;
+import io.netty.handler.codec.ByteToMessageDecoder;
 import io.netty.handler.ssl.ClientAuth;
 import io.netty.handler.ssl.SniCompletionEvent;
 import io.netty.handler.ssl.SslHandshakeCompletionEvent;
@@ -70,9 +71,14 @@
 import java.security.spec.MGF1ParameterSpec;
 import java.security.spec.PSSParameterSpec;
 import java.util.ArrayList;
+import java.util.HashMap;
+import java.util.HashSet;
 import java.util.List;
+import java.util.Map;
+import java.util.Set;
 import java.util.concurrent.BlockingQueue;
 import java.util.concurrent.CountDownLatch;
+import java.util.concurrent.ExecutionException;
 import java.util.concurrent.Executor;
 import java.util.concurrent.LinkedBlockingQueue;
 import java.util.concurrent.TimeUnit;
@@ -81,13 +87,14 @@
 import java.util.function.Consumer;
 
 import static org.hamcrest.MatcherAssert.assertThat;
+import static org.junit.jupiter.api.Assertions.assertSame;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+import static org.junit.jupiter.api.Assertions.assertThrows;
+import static org.junit.jupiter.api.Assertions.fail;
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertNotEquals;
 import static org.junit.jupiter.api.Assertions.assertNotNull;
 import static org.junit.jupiter.api.Assertions.assertNull;
-import static org.junit.jupiter.api.Assertions.assertSame;
-import static org.junit.jupiter.api.Assertions.assertTrue;
-import static org.junit.jupiter.api.Assertions.fail;
 
 public class QuicChannelConnectTest extends AbstractQuicTest {
 
@@ -729,6 +736,121 @@ public void testConnectWithoutTokenValidation(Executor executor) throws Throwabl
         }
     }
 
+    @ParameterizedTest
+    @MethodSource("newSslTaskExecutors")
+    public void testKeyTypeChange(Executor executor) throws Throwable {
+        final CountDownLatch readLatch = new CountDownLatch(1);
+        Map<String, String> serverKeyTypes = new HashMap<>();
+        serverKeyTypes.put("RSA", "RSA");
+
+        Set<String> clientKeyTypes = new HashSet<>();
+        clientKeyTypes.add("RSA");
+
+        Channel server = QuicTestUtils.newServer(QuicTestUtils.newQuicServerBuilder(executor,
+                        QuicSslContextBuilder.forServer(
+                                        QuicTestUtils.SELF_SIGNED_CERTIFICATE.privateKey(), null,
+                                        QuicTestUtils.SELF_SIGNED_CERTIFICATE.certificate())
+                                .applicationProtocols(QuicTestUtils.PROTOS)
+                                .option(BoringSSLContextOption.SERVER_KEY_TYPES, serverKeyTypes)
+                                .earlyData(true)
+                                .build()),
+                TestQuicTokenHandler.INSTANCE, new ChannelInboundHandlerAdapter() {
+                    @Override
+                    public boolean isSharable() {
+                        return true;
+                    }
+                }, new ByteToMessageDecoder() {
+                    protected void decode(ChannelHandlerContext ctx, ByteBuf msg, List<Object> out) throws Exception {
+                        if (msg.readableBytes() < 4) {
+                            return;
+                        }
+                        assertEquals(5, msg.readInt());
+                        readLatch.countDown();
+                        ctx.close();
+                    }
+                });
+
+        InetSocketAddress address = (InetSocketAddress) server.localAddress();
+
+        QuicSslContext sslContext = QuicSslContextBuilder.forClient()
+                .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                .applicationProtocols(QuicTestUtils.PROTOS)
+                .option(BoringSSLContextOption.CLIENT_KEY_TYPES, clientKeyTypes)
+                .earlyData(true)
+                .build();
+
+        Channel channel = QuicTestUtils.newClient(QuicTestUtils.newQuicClientBuilder(executor, sslContext)
+                .sslEngineProvider(q -> sslContext.newEngine(q.alloc(), "localhost", 9999)));
+
+        try {
+            QuicChannel quicChannel = QuicTestUtils.newQuicChannelBootstrap(channel)
+                    .streamHandler(new ChannelInboundHandlerAdapter())
+                    .remoteAddress(address)
+                    .connect()
+                    .get();
+            quicChannel.createStream(QuicStreamType.BIDIRECTIONAL,
+                    new ChannelInboundHandlerAdapter()).addListener(f -> {
+                        Channel stream = (Channel) f.getNow();
+                        stream.writeAndFlush(stream.alloc().buffer().writeInt(5));
+            }).await().addListener(f -> {
+                assertTrue(f.isSuccess());
+            });
+
+            readLatch.await();
+        } finally {
+            server.close().sync();
+            channel.close().sync();
+            shutdown(executor);
+        }
+    }
+
+    @ParameterizedTest
+    @MethodSource("newSslTaskExecutors")
+    public void testKeyTypeChangeFail(Executor executor) throws Throwable {
+        Map<String, String> serverKeyTypes = new HashMap<>();
+        serverKeyTypes.put("ECDHE_ECDSA", "EdDSA");
+
+        Set<String> clientKeyTypes = new HashSet<>();
+        clientKeyTypes.add("EdDSA");
+
+        Channel server = QuicTestUtils.newServer(QuicTestUtils.newQuicServerBuilder(executor,
+                        QuicSslContextBuilder.forServer(
+                                        QuicTestUtils.SELF_SIGNED_CERTIFICATE.privateKey(), null,
+                                        QuicTestUtils.SELF_SIGNED_CERTIFICATE.certificate())
+                                .applicationProtocols(QuicTestUtils.PROTOS)
+                                .option(BoringSSLContextOption.SERVER_KEY_TYPES, serverKeyTypes)
+                                .earlyData(true)
+                                .build()),
+                TestQuicTokenHandler.INSTANCE, new ChannelInboundHandlerAdapter(),
+                new ChannelInboundHandlerAdapter());
+
+        InetSocketAddress address = (InetSocketAddress) server.localAddress();
+
+        QuicSslContext sslContext = QuicSslContextBuilder.forClient()
+                .trustManager(InsecureTrustManagerFactory.INSTANCE)
+                .applicationProtocols(QuicTestUtils.PROTOS)
+                .option(BoringSSLContextOption.CLIENT_KEY_TYPES, clientKeyTypes)
+                .earlyData(true)
+                .build();
+
+        Channel channel = QuicTestUtils.newClient(QuicTestUtils.newQuicClientBuilder(executor, sslContext)
+                .sslEngineProvider(q -> sslContext.newEngine(q.alloc(), "localhost", 9999)));
+
+        try {
+            assertThrows(ExecutionException.class, ()->{
+                QuicTestUtils.newQuicChannelBootstrap(channel)
+                                .streamHandler(new ChannelInboundHandlerAdapter())
+                                .remoteAddress(address)
+                                .connect()
+                                .get();
+            });
+        } finally {
+            server.close().sync();
+            channel.close().sync();
+            shutdown(executor);
+        }
+    }
+
     @ParameterizedTest
     @MethodSource("newSslTaskExecutors")
     public void testConnectWith0RTT(Executor executor) throws Throwable {