Botan 3.0.0-alpha0
Crypto and TLS for C&
tls_signature_scheme.cpp
Go to the documentation of this file.
1/*
2* (C) 2022 Jack Lloyd
3* (C) 2022 René Meusel, Hannes Rantzsch - neXenio GmbH
4*
5* Botan is released under the Simplified BSD License (see license.txt)
6*/
7
8#include <botan/tls_signature_scheme.h>
9
10#include <botan/ec_group.h>
11#include <botan/tls_exceptn.h>
12#include <botan/tls_version.h>
13#include <botan/internal/stl_util.h>
14
15namespace Botan::TLS {
16
17const std::vector<Signature_Scheme>& Signature_Scheme::all_available_schemes()
18 {
19 /*
20 * This is ordered in some approximate order of preference
21 */
22 static const std::vector<Signature_Scheme> all_schemes = {
23
24// EdDSA 25519 is currently not supported as a signature scheme for certificates
25// certificate authentication.
26// See: https://github.com/randombit/botan/pull/2958#discussion_r851294715
27//
28// #if defined(BOTAN_HAS_ED25519)
29// EDDSA_25519,
30// #endif
31
35
39
43 };
44
45 return all_schemes;
46 }
47
48
50 : m_code(NONE)
51 {}
52
55 {}
56
58 : m_code(wire_code)
59 {}
60
61bool Signature_Scheme::is_available() const noexcept
62 {
64 }
65
66bool Signature_Scheme::is_set() const noexcept
67 {
68 return m_code != NONE;
69 }
70
71std::string Signature_Scheme::to_string() const noexcept
72 {
73 switch(m_code)
74 {
75 case RSA_PKCS1_SHA1:
76 return "RSA_PKCS1_SHA1";
78 return "RSA_PKCS1_SHA256";
80 return "RSA_PKCS1_SHA384";
82 return "RSA_PKCS1_SHA512";
83
84 case ECDSA_SHA1:
85 return "ECDSA_SHA1";
86 case ECDSA_SHA256:
87 return "ECDSA_SHA256";
88 case ECDSA_SHA384:
89 return "ECDSA_SHA384";
90 case ECDSA_SHA512:
91 return "ECDSA_SHA512";
92
93 case RSA_PSS_SHA256:
94 return "RSA_PSS_SHA256";
95 case RSA_PSS_SHA384:
96 return "RSA_PSS_SHA384";
97 case RSA_PSS_SHA512:
98 return "RSA_PSS_SHA512";
99
100 case EDDSA_25519:
101 return "EDDSA_25519";
102 case EDDSA_448:
103 return "EDDSA_448";
104
105 case DSA_SHA1:
106 return "DSA_SHA1";
107 case DSA_SHA256:
108 return "DSA_SHA256";
109 case DSA_SHA384:
110 return "DSA_SHA384";
111 case DSA_SHA512:
112 return "DSA_SHA512";
113
114 default:
115 return "Unknown signature scheme: " + std::to_string(m_code);
116 }
117 }
118
119std::string Signature_Scheme::hash_function_name() const noexcept
120 {
121 switch(m_code)
122 {
123 case RSA_PKCS1_SHA1:
124 case ECDSA_SHA1:
125 case DSA_SHA1:
126 return "SHA-1";
127
128 case ECDSA_SHA256:
129 case RSA_PKCS1_SHA256:
130 case RSA_PSS_SHA256:
131 case DSA_SHA256:
132 return "SHA-256";
133
134 case ECDSA_SHA384:
135 case RSA_PKCS1_SHA384:
136 case RSA_PSS_SHA384:
137 case DSA_SHA384:
138 return "SHA-384";
139
140 case ECDSA_SHA512:
141 case RSA_PKCS1_SHA512:
142 case RSA_PSS_SHA512:
143 case DSA_SHA512:
144 return "SHA-512";
145
146 case EDDSA_25519:
147 case EDDSA_448:
148 return "Pure";
149
150 default:
151 return "Unknown hash function";
152 }
153 }
154
155std::string Signature_Scheme::padding_string() const noexcept
156 {
157 switch(m_code)
158 {
159 case RSA_PKCS1_SHA1:
160 return "EMSA_PKCS1(SHA-1)";
161 case RSA_PKCS1_SHA256:
162 return "EMSA_PKCS1(SHA-256)";
163 case RSA_PKCS1_SHA384:
164 return "EMSA_PKCS1(SHA-384)";
165 case RSA_PKCS1_SHA512:
166 return "EMSA_PKCS1(SHA-512)";
167
168 case ECDSA_SHA1:
169 return "EMSA1(SHA-1)";
170 case ECDSA_SHA256:
171 return "EMSA1(SHA-256)";
172 case ECDSA_SHA384:
173 return "EMSA1(SHA-384)";
174 case ECDSA_SHA512:
175 return "EMSA1(SHA-512)";
176
177 case RSA_PSS_SHA256:
178 return "PSSR(SHA-256,MGF1,32)";
179 case RSA_PSS_SHA384:
180 return "PSSR(SHA-384,MGF1,48)";
181 case RSA_PSS_SHA512:
182 return "PSSR(SHA-512,MGF1,64)";
183
184 case EDDSA_25519:
185 return "Pure";
186 case EDDSA_448:
187 return "Pure";
188
189 default:
190 return "Unknown padding";
191 }
192 }
193
194std::string Signature_Scheme::algorithm_name() const noexcept
195 {
196 switch(m_code)
197 {
198 case RSA_PKCS1_SHA1:
199 case RSA_PKCS1_SHA256:
200 case RSA_PKCS1_SHA384:
201 case RSA_PKCS1_SHA512:
202 case RSA_PSS_SHA256:
203 case RSA_PSS_SHA384:
204 case RSA_PSS_SHA512:
205 return "RSA";
206
207 case ECDSA_SHA1:
208 case ECDSA_SHA256:
209 case ECDSA_SHA384:
210 case ECDSA_SHA512:
211 return "ECDSA";
212
213 case EDDSA_25519:
214 return "Ed25519";
215
216 case EDDSA_448:
217 return "Ed448";
218
219 case DSA_SHA1:
220 case DSA_SHA256:
221 case DSA_SHA384:
222 case DSA_SHA512:
223 return "DSA";
224
225 default:
226 return "Unknown algorithm";
227 }
228 }
229
231 {
232 switch(m_code)
233 {
234 // case ECDSA_SHA1: not defined
235 case ECDSA_SHA256:
236 return { "ECDSA", Botan::EC_Group("secp256r1").DER_encode(Botan::EC_Group_Encoding::NamedCurve) };
237 case ECDSA_SHA384:
238 return { "ECDSA", Botan::EC_Group("secp384r1").DER_encode(Botan::EC_Group_Encoding::NamedCurve) };
239 case ECDSA_SHA512:
240 return { "ECDSA", Botan::EC_Group("secp521r1").DER_encode(Botan::EC_Group_Encoding::NamedCurve) };
241
242 case EDDSA_25519:
243 return { "Ed25519", AlgorithmIdentifier::USE_EMPTY_PARAM };
244
245 case RSA_PKCS1_SHA1:
246 case RSA_PKCS1_SHA256:
247 case RSA_PKCS1_SHA384:
248 case RSA_PKCS1_SHA512:
249 case RSA_PSS_SHA256:
250 case RSA_PSS_SHA384:
251 case RSA_PSS_SHA512:
252 return { "RSA", AlgorithmIdentifier::USE_NULL_PARAM };
253
254 default:
255 return AlgorithmIdentifier();
256 }
257 }
258
259std::optional<Signature_Format> Signature_Scheme::format() const noexcept
260 {
261 switch(m_code)
262 {
263 case RSA_PKCS1_SHA1:
264 case RSA_PKCS1_SHA256:
265 case RSA_PKCS1_SHA384:
266 case RSA_PKCS1_SHA512:
267 case RSA_PSS_SHA256:
268 case RSA_PSS_SHA384:
269 case RSA_PSS_SHA512:
270 return IEEE_1363;
271
272 case ECDSA_SHA1:
273 case ECDSA_SHA256:
274 case ECDSA_SHA384:
275 case ECDSA_SHA512:
276 case EDDSA_25519:
277 case EDDSA_448:
278 case DSA_SHA1:
279 case DSA_SHA256:
280 case DSA_SHA384:
281 case DSA_SHA512:
282 return DER_SEQUENCE;
283
284 default:
285 return std::nullopt;
286 }
287 }
288
289bool Signature_Scheme::is_compatible_with(const Protocol_Version& protocol_version) const noexcept
290 {
291 // RFC 8446 4.4.3:
292 // The SHA-1 algorithm MUST NOT be used in any signatures of
293 // CertificateVerify messages.
294 //
295 // Note that Botan enforces that for TLS 1.2 as well.
296 if(hash_function_name() == "SHA-1")
297 return false;
298
299 // RFC 8446 4.4.3:
300 // RSA signatures MUST use an RSASSA-PSS algorithm, regardless of whether
301 // RSASSA-PKCS1-v1_5 algorithms appear in "signature_algorithms".
302 //
303 // Note that this is enforced for TLS 1.3 and above only.
304 if(!protocol_version.is_pre_tls_13() &&
305 (m_code == RSA_PKCS1_SHA1 ||
306 m_code == RSA_PKCS1_SHA256 ||
307 m_code == RSA_PKCS1_SHA384 ||
308 m_code == RSA_PKCS1_SHA512))
309 return false;
310
311 return true;
312 }
313
314bool Signature_Scheme::is_suitable_for(const Private_Key &private_key) const noexcept
315 {
316 if(algorithm_name() != private_key.algo_name())
317 return false;
318
319 // The ECDSA private key length must match the utilized hash output length.
320 const auto keylen = private_key.key_length();
321 if(keylen <= 250)
322 return false;
323
324 if(m_code == ECDSA_SHA256 && !(keylen >= 250 && keylen <= 350)) // lgtm [cpp/constant-comparison]
325 return false; // `keylen >= 250` will always be true, because keylen <= 250
326 // was checked before. Leaving it in for readability.
327 if(m_code == ECDSA_SHA384 && !(keylen >= 350 && keylen <= 450))
328 return false;
329
330 if(m_code == ECDSA_SHA512 && !(keylen >= 450 && keylen <= 550))
331 return false;
332
333 return true;
334 }
335
336} // Botan::TLS
std::vector< uint8_t > DER_encode(EC_Group_Encoding form) const
Definition: ec_group.cpp:717
std::string hash_function_name() const noexcept
bool is_compatible_with(const Protocol_Version &protocol_version) const noexcept
AlgorithmIdentifier algorithm_identifier() const noexcept
std::optional< Signature_Format > format() const noexcept
bool is_suitable_for(const Private_Key &private_key) const noexcept
std::string to_string() const noexcept
static const std::vector< Signature_Scheme > & all_available_schemes()
std::string padding_string() const noexcept
bool is_available() const noexcept
std::string algorithm_name() const noexcept
std::string to_string(const BER_Object &obj)
Definition: asn1_obj.cpp:209
@ NONE
Definition: filter.h:166
@ DER_SEQUENCE
Definition: pk_keys.h:23
@ IEEE_1363
Definition: pk_keys.h:23
bool value_exists(const std::vector< T > &vec, const T &val)
Definition: stl_util.h:89