[TLS 1.3] Support signature_algorithm_cert Extension

[reneme]

Pull Request Dependencies

• [TLS 1.3] Basic Server Implementation #3053
• [TLS 1.3] Server-Side Client Authentication #3081
• Only allow "SHA-1" as a valid name for SHA-1 #3186

Description

This introduces support for the signature_algorithm_cert extension introduced with TLS 1.3. With that, one can create a finer-grained signature algorithm policy; independently specifying acceptable algorithms for signatures in X.509 certificates and in the TLS protocol itself (i.e. in the CertificateVerify message).

To communicate the peer's restrictions to the application, CredentialsManager::find_cert_chain() (and friends) will now additionally get a vector of AlgorithmIdentifiers specifying which algorithms are acceptable.

Note that also the TLS 1.2 implementation can process this new extension (as suggested by RFC 8446).

New policy: tls_acceptable_certificate_signature_schemes()

By default, this returns std::nullopt meaning that the restrictions from the existing ::tls_acceptable_signature_schemes() should also apply for signatures in certificates. If anything other than std::nullopt is returned, clients will add an explicit signature_algorithm_cert extension to the Client Hello; servers likewise in the CertificateRequest message.

[reneme]

This is somewhat a duplicate of the implementations of EMSA::config_for_x509() scattered around the different EMSAs. I'm not quite happy with that, to be honest. Simply instantiating the respective EMSA and then actually using ::config_for_x509() doesn't work out-of-the-box, as it would currently require to pass a respective private key. I think it would be helpful to abstract both use cases and centralize this somehow.

Anyway: As is, this is fairly inefficient, as the AlgorithmIdentifiers are re-generated for each invocation. It would be an interesting exercise to constexpr the heck out of this. 🤡

I'm open for better ideas. :)

[randombit]

Yeah pretty ugly. Also we recompute the PSS params each time when in practice it will always be SHA-{256,512} 😭

Looking at config_for_x509 ... why the heck does this interface take a Private_Key? It could easily get away with a Public_Key? (Not that this change would address the issue here, but still kind of odd).

Anyway this falls in the category of definitely not great and pointing to a place where some refactoring time is needed but doesn't IMO need to block the PR merging.

[reneme]

After merging #3142, this now became: #3125 (comment)
Thanks for the help in adapting config_for_x509() to make it suitable for this use case!

[reneme]

Whoops, that almost broke the code examples. @lieser thanks for the CI job checking their successful compilation. 😅

[codecov-commenter]

Codecov Report

Base: 88.09% // Head: 88.08% // Decreases project coverage by -0.01% ⚠️

Coverage data is based on head (0f993a9) compared to base (f1ec760).
Patch coverage: 68.08% of modified lines in pull request are covered.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3125      +/-   ##
==========================================
- Coverage   88.09%   88.08%   -0.01%     
==========================================
  Files         604      604              
  Lines       67399    67422      +23     
  Branches     6748     6755       +7     
==========================================
+ Hits        59374    59389      +15     
- Misses       5211     5216       +5     
- Partials     2814     2817       +3     

Impacted Files	Coverage Δ
src/bogo_shim/bogo_shim.cpp	72.99% <ø> (ø)
src/fuzzer/tls_server.cpp	38.88% <ø> (ø)
src/lib/tls/msg_cert_verify.cpp	90.36% <0.00%> (ø)
src/lib/tls/tls12/tls_client_impl_12.cpp	83.38% <ø> (ø)
src/lib/tls/tls_extensions.cpp	81.99% <0.00%> (ø)
src/tests/unit_tls.cpp	90.10% <ø> (ø)
src/lib/tls/msg_client_hello.cpp	77.42% <20.00%> (-1.11%)	⬇️
src/lib/tls/tls13/msg_certificate_req_13.cpp	67.39% <55.55%> (-5.78%)	⬇️
src/cli/tls_helpers.h	69.76% <100.00%> (+0.71%)	⬆️
src/lib/tls/credentials_manager.cpp	87.50% <100.00%> (-1.39%)	⬇️
... and 23 more

Help us with your feedback. Take ten seconds to tell us how you rate us. Have a feature suggestion? Share it here.

☔ View full report at Codecov.
📢 Do you have feedback about the report comment? Let us know in this issue.

[randombit]

Needs a rebase in order to (hopefully) make use of #3142, but otherwise lgtm.

[reneme]

This is now using EMSA::config_for_x509() instead of copy-pasting most of its scattered implementations.

[reneme]

The config_for_x509() implementations check that the passed hash function name is equal to the hash function used in the EMSA. This is done by string comparison (e.g. from emsa1.cpp):

if(cert_hash_name != m_hash->name())
   throw Invalid_Argument(...);

The library can deal with different string-identifiers for hash functions (e.g "SHA-1", "SHA1" and "SHA-160"). But m_hash->name() usually returns a hard-coded identifier. I tried dealing with that using the "SHA-1" to "SHA-160" mapping above. However, this PR's macOS builds fail, because the software-implementation (sha1.cpp) returns "SHA-160" when invoking Hash_Function::name() and the CommonCrypto provider (CommonCrypto_HashFunction) that might or might not be enabled on macOS returns "SHA-1". 😨

In my opinion, these string comparisons are a generic footgun that will cause recurring issues. 😞 Especially when they force us to scatter such mappings around the code base. Lets try to centralize the string-identifier mappings in the algorithm implementations? @randombit

This could be done by requiring a static method ::implements(std::string_view algo_name) in each concrete implementation. Now, that implementations "know" all their string-identifiers, a virtual bool Hash_Function::is(std::string_view algo_name) could allow convenient polymorphic checks as in config_for_x509(). Even the Hash_Function::create() factory could benefit from ::implements() and stop duplicating the string-identifiers. See this godbolt for a sketch.

One might even consider to auto-generate the Hash_Function::create() code based on self-registering sub-classes. But that might take it too far.

Obviously, getting rid of the ambiguous string-identifiers would be even better, but I doubt the massive public API change would be worth it.

[randombit]

However, this PR's macOS builds fail, because the software-implementation (sha1.cpp) returns "SHA-160" when invoking Hash_Function::name() and the CommonCrypto provider (CommonCrypto_HashFunction) that might or might not be enabled on macOS returns "SHA-1"

Can you take a look at #3184?

In my opinion, these string comparisons are a generic footgun that will cause recurring issues. disappointed Especially when they force us to scatter such mappings around the code base. Lets try to centralize the string-identifier mappings in the algorithm implementations?

They are. It was one of the big design mistakes.

One might even consider to auto-generate the Hash_Function::create() code based on self-registering sub-classes.

This used to be how it worked, actually. But that approach ran into weird problems with static libraries, and ended up having to be removed (in #279)

This could be done by requiring a static method ::implements(std::string_view algo_name) in each concrete implementation. Now, that implementations "know" all their string-identifiers, a virtual bool Hash_Function::is(std::string_view algo_name) could allow convenient polymorphic checks as in config_for_x509().

This might work but I wonder how this handles parameterizations such as output length or personalization flags. Quick example

auto hash = HashFunction::create("BLAKE2b(384)");
assert!(hash->is("BLAKE2b")); // true?
assert!(hash->is("BLAKE2b(384)")); // true?

As far as I can recall the main problematic case for this is SHA-1, largely because we use the idiosyncratic/non-standard "SHA-160" name. Maybe the real fix here is to just remove that entirely as a known name, and relnote it? It's not even a big compatibility issue since "SHA-1" always worked.

Obviously, getting rid of the ambiguous string-identifiers would be even better, but I doubt the massive public API change would be worth it.

We could consider having an enum approach and then implementing the string method on top of that, but I agree that we cannot really remove the string-based interface at this point since it's very widely baked into how the CLI, the tests, the FFI layer, etc all work.

[reneme]

This might work but I wonder how this handles parameterizations such as output length or personalization flags.

Fair point. A static BLAKE2b::implements("BLAKE2b(384)") should return true. But a specific instance of it probably shouldn't.

Maybe the real fix here is to just remove that entirely as a known name, and relnote it?

I tend to agree. Given that the string-identifiers are such a footgun its probably a good idea to make them as dumb as possible. As in: Don't allow for ambiguities during construction.

We could consider having an enum approach [...]

Though, I don't see how parameterization would work well with enums either. Hash_Types::BLAKE2b_384? That feels rigid to me.

Would it make sense to use class AlgorithmIdentifier for those use cases -- as its name suggests? De facto this is already implemented in the specific algorithm implementations. As a library user I always found it inconvenient/confusing to construct AlgorithmIdentifier out of thin air, but that might be fixable by some user-friendly API.

[reneme]

Rebased and cleaned up after #3186 was merged. This should be ready for prime time.