crypto/tls: TLS 1.2 SupportedSignatureAlgorithms not honored in Server Hello Certificate Request

[ryarnyah]

What version of Go are you using (go version)?

$ go version
go version go1.14.5 windows/amd64
...

Does this issue reproduce with the latest release?

Yes

What operating system and processor architecture are you using (go env)?

Windows 10 & GNU/Linux x64 & OSX

go env Output

$ go env

What did you do?

Limit SupportedSignatureAlgorithms on Certificate.

Snippet:

package main

import (
	"log"
	"crypto/tls"
	"crypto/x509"
	"net"
	"bufio"
	"io/ioutil"
)

func main() {
	log.SetFlags(log.Lshortfile)

	cer, err := tls.LoadX509KeyPair("server.crt", "server.key")
	if err != nil {
		log.Println(err)
		return
	}
	cer.SupportedSignatureAlgorithms = []tls.SignatureScheme{
		tls.PKCS1WithSHA256,
		tls.PKCS1WithSHA384,
		tls.PKCS1WithSHA512,
		tls.PKCS1WithSHA1,
		tls.ECDSAWithSHA1,
	}

	ca, _ := ioutil.ReadFile("ca.crt")
	pool := x509.NewCertPool()
	pool.AppendCertsFromPEM(ca)
	config := &tls.Config{
		Certificates: []tls.Certificate{cer},
		ClientAuth: tls.VerifyClientCertIfGiven,
		ClientCAs: pool,
		RootCAs: pool,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,
			tls.TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,
		},
		PreferServerCipherSuites: true,
		MinVersion: tls.VersionTLS12,
		MaxVersion: tls.VersionTLS12,
	}
	ln, err := tls.Listen("tcp", ":6443", config)
	if err != nil {
		log.Println(err)
		return
	}
	defer ln.Close()

	for {
		conn, err := ln.Accept()
		if err != nil {
			log.Println(err)
			continue
		}
		go handleConnection(conn)
	}
}

func handleConnection(conn net.Conn) {
	defer conn.Close()
	r := bufio.NewReader(conn)
	for {
		msg, err := r.ReadString('\n')
		if err != nil {
			log.Println(err)
			return
		}

		println(msg)

		n, err := conn.Write([]byte("world\n"))
		if err != nil {
			log.Println(n, err)
			return
		}
	}
}

What did you expect to see?

Only SupportedSignatureAlgorithms values in Server Hello Certificate Request.

What did you see instead?

All common.go/supportedSignatureAlgorithms values.

common.go:

var supportedSignatureAlgorithms = []SignatureScheme{
	PSSWithSHA256,
	ECDSAWithP256AndSHA256,
	Ed25519,
	PSSWithSHA384,
	PSSWithSHA512,
	PKCS1WithSHA256,
	PKCS1WithSHA384,
	PKCS1WithSHA512,
	ECDSAWithP384AndSHA384,
	ECDSAWithP521AndSHA512,
	PKCS1WithSHA1,
	ECDSAWithSHA1,
}

handshake_server.go/doFullHandshake:

        var certReq *certificateRequestMsg
	if c.config.ClientAuth >= RequestClientCert {
		// Request a client certificate
		certReq = new(certificateRequestMsg)
		certReq.certificateTypes = []byte{
			byte(certTypeRSASign),
			byte(certTypeECDSASign),
		}
		if c.vers >= VersionTLS12 {
			certReq.hasSignatureAlgorithm = true
			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
		}

		// An empty list of certificateAuthorities signals to
		// the client that it may send any certificate in response
		// to our request. When we know the CAs we trust, then
		// we can send them down, so that the client can choose
		// an appropriate certificate to give to us.
		if c.config.ClientCAs != nil {
			certReq.certificateAuthorities = c.config.ClientCAs.Subjects()
		}
		hs.finishedHash.Write(certReq.marshal())
		if _, err := c.writeRecord(recordTypeHandshake, certReq.marshal()); err != nil {
			return err
		}
	}

[ALTree]

cc @FiloSottile

[ryarnyah]

Maybe change

                if c.vers >= VersionTLS12 {
			certReq.hasSignatureAlgorithm = true
			certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms
		}

With

		if c.vers >= VersionTLS12 {
			certReq.hasSignatureAlgorithm = true
			certReq.supportedSignatureAlgorithms = hs.cert.SupportedSignatureAlgorithms
		}

Can do the tricks?

Or maybe filter Signature Algorithms like in https://github.com/golang/go/blob/master/src/crypto/tls/auth.go#L148

var rsaSignatureSchemes = []struct {
	scheme          SignatureScheme
	minModulusBytes int
	maxVersion      uint16
}{
	// RSA-PSS is used with PSSSaltLengthEqualsHash, and requires
	//    emLen >= hLen + sLen + 2
	{PSSWithSHA256, crypto.SHA256.Size()*2 + 2, VersionTLS13},
	{PSSWithSHA384, crypto.SHA384.Size()*2 + 2, VersionTLS13},
	{PSSWithSHA512, crypto.SHA512.Size()*2 + 2, VersionTLS13},
	// PKCS #1 v1.5 uses prefixes from hashPrefixes in crypto/rsa, and requires
	//    emLen >= len(prefix) + hLen + 11
	// TLS 1.3 dropped support for PKCS #1 v1.5 in favor of RSA-PSS.
	{PKCS1WithSHA256, 19 + crypto.SHA256.Size() + 11, VersionTLS12},
	{PKCS1WithSHA384, 19 + crypto.SHA384.Size() + 11, VersionTLS12},
	{PKCS1WithSHA512, 19 + crypto.SHA512.Size() + 11, VersionTLS12},
	{PKCS1WithSHA1, 15 + crypto.SHA1.Size() + 11, VersionTLS12},
}

& https://github.com/golang/go/blob/master/src/crypto/tls/auth.go#L205

		for _, candidate := range rsaSignatureSchemes {
			if size >= candidate.minModulusBytes && version <= candidate.maxVersion {
				sigAlgs = append(sigAlgs, candidate.scheme)
			}
		}

?

[FiloSottile]

This seems to be mixing up two separate sets of signature algorithms: Certificate.SupportedSignatureAlgorithms are the ones that can be used to make a signature from the certificate; certReq.supportedSignatureAlgorithms are the algorithms that the client is allowed to use. The former is limited by the private key of the certificate (if for example it's an a hardware token that can't do RSA-PSS), the latter is only limited by what out implementation can verify, which is always the same set.

Why do you need to configure certReq.supportedSignatureAlgorithms?

[ryarnyah]

I need to configure it with some hardware token (HID activekey sim) to work with Firefox which doesn't seem to support well RSA-PSS with it. To get it working fully i need to disable rsa-pss algorithm in Server Hello Certificate Request.

In Go < 1.14, everything where good but after upgrading it broke. The snippet reproduce the behaviour of Traefik which recently upgrade to to Go 1.14.

I think we need something to be able to configure certReq.supportedSignatureAlgorithms to make it backward compatible with previous behaviour.

[FiloSottile]

This sounds like it should be reported to Firefox. They should not use signature algorithms that are not supported by the token. We had the equivalent issue with Go clients using tokens that don't support RSA-PSS, and we fixed it by adding Certificate.SupportedSignatureAlgorithms.

The solution to a client using the wrong algorithm can't be to make the whole ecosystem turn off that algorithm, especially when there is already a negotiation process where the server just says "here are the algorithms I support" (and indeed supports them) and the client gets to pick which one to use.

In general, we don't add configuration options if not strictly necessary, sorry. If you have to support a niche, broken client, you'll have to fork because it does not justify adding complexity for the whole ecosystem.