Class: TTTLS13::Endpoint

Inherits:

Object

• Object
• TTTLS13::Endpoint

Defined in:

lib/tttls1.3/endpoint.rb

Overview

rubocop: disable Metrics/ClassLength

Class Method Summary

• .do_exporter(secret, digest, label, context, key_length) ⇒ String
• .exporter(label, context, key_length, exporter_secret, cipher_suite) ⇒ String^?
• .gen_cipher(cipher_suite, write_key, write_iv) ⇒ TTTLS13::Cryptograph::Aead
• .matching_san?(cert, name) ⇒ Boolean
• .select_signature_algorithms(signature_algorithms, crt) ⇒ Array of TTTLS13::Message::Extension::SignatureAlgorithms
• .sign_certificate_verify(key:, signature_scheme:, context:, hash:) ⇒ String
• .sign_finished(digest:, finished_key:, hash:) ⇒ String
• .sign_psk_binder(ch1:, hrr:, ch:, binder_key:, digest:) ⇒ String
• .trusted_certificate?(certificate_list, ca_file = nil, hostname = nil) ⇒ Boolean
• .verified_certificate_verify?(public_key:, signature_scheme:, signature:, context:, hash:) ⇒ Boolean
• .verified_finished?(finished:, digest:, finished_key:, hash:) ⇒ Boolean

Class Method Details

.do_exporter(secret, digest, label, context, key_length) ⇒ String

Parameters:

• secret (String) —

  (early_)exporter_secret

• digest (String) —

  name of digest algorithm

• label (String)
• context (String)
• key_length (Integer)

Returns:

• (String)

# File 'lib/tttls1.3/endpoint.rb', line 235

def do_exporter(secret, digest, label, context, key_length)
  derived_secret = KeySchedule.hkdf_expand_label(
    secret,
    label,
    OpenSSL::Digest.digest(digest, ''),
    OpenSSL::Digest.new(digest).digest_length,
    digest
  )

  KeySchedule.hkdf_expand_label(
    derived_secret,
    'exporter',
    OpenSSL::Digest.digest(digest, context),
    key_length,
    digest
  )
end

.exporter(label, context, key_length, exporter_secret, cipher_suite) ⇒ String^?

Parameters:

• label (String)
• context (String)
• key_length (Integer)
• exporter_secret (String)
• cipher_suite (TTTLS13::CipherSuite)

Returns:

• (String, nil)

# File 'lib/tttls1.3/endpoint.rb', line 14

def self.exporter(label, context, key_length, exporter_secret, cipher_suite)
  return nil if exporter_secret.nil? || cipher_suite.nil?

  digest = CipherSuite.digest(cipher_suite)
  do_exporter(exporter_secret, digest, label, context, key_length)
end

.gen_cipher(cipher_suite, write_key, write_iv) ⇒ TTTLS13::Cryptograph::Aead

Parameters:

• cipher_suite (TTTLS13::CipherSuite)
• write_key (String)
• write_iv (String)

Returns:

• (TTTLS13::Cryptograph::Aead)

# File 'lib/tttls1.3/endpoint.rb', line 26

def self.gen_cipher(cipher_suite, write_key, write_iv)
  seq_num = SequenceNumber.new
  Cryptograph::Aead.new(
    cipher_suite:,
    write_key:,
    write_iv:,
    sequence_number: seq_num
  )
end

.matching_san?(cert, name) ⇒ Boolean

Parameters:

• cert (OpenSSL::X509::Certificate)
• name (String)

Returns:

• (Boolean)

# File 'lib/tttls1.3/endpoint.rb', line 216

def self.matching_san?(cert, name)
  san = cert.extensions.find { |ex| ex.oid == 'subjectAltName' }
  return false if san.nil?

  ostr = OpenSSL::ASN1.decode(san.to_der).value.last
  OpenSSL::ASN1.decode(ostr.value)
               .map(&:value)
               .map { |s| s.gsub('.', '\.').gsub('*', '.*') }
               .any? { |s| name.match(/#{s}/) }
end

.select_signature_algorithms(signature_algorithms, crt) ⇒ Array of TTTLS13::Message::Extension::SignatureAlgorithms

Parameters:

• signature_algorithms (Array of SignatureAlgorithms)
• crt (OpenSSL::X509::Certificate)

Returns:

• (Array of TTTLS13::Message::Extension::SignatureAlgorithms)

# File 'lib/tttls1.3/endpoint.rb', line 186

def self.select_signature_algorithms(signature_algorithms, crt)
  pka = OpenSSL::ASN1.decode(crt.public_key.to_der)
                     .value.first.value.first.value
  signature_algorithms.select do |sa|
    case sa
    when SignatureScheme::ECDSA_SECP256R1_SHA256,
         SignatureScheme::ECDSA_SECP384R1_SHA384,
         SignatureScheme::ECDSA_SECP521R1_SHA512
      pka == 'id-ecPublicKey'
    when SignatureScheme::RSA_PSS_PSS_SHA256,
         SignatureScheme::RSA_PSS_PSS_SHA384,
         SignatureScheme::RSA_PSS_PSS_SHA512
      pka == 'rsassaPss'
    when SignatureScheme::RSA_PSS_RSAE_SHA256,
         SignatureScheme::RSA_PSS_RSAE_SHA384,
         SignatureScheme::RSA_PSS_RSAE_SHA512
      pka == 'rsaEncryption'
    else
      # RSASSA-PKCS1-v1_5 algorithms refer solely to signatures which appear
      # in certificates and are not defined for use in signed TLS handshake
      # messages
      false
    end
  end
end

.sign_certificate_verify(key:, signature_scheme:, context:, hash:) ⇒ String

Parameters:

• key (OpenSSL::PKey::PKey)
• signature_scheme (TTTLS13::SignatureScheme)
• context (String)
• hash (String)

Returns:

• (String)

Raises:

• (TTTLS13::Error::ErrorAlerts)

# File 'lib/tttls1.3/endpoint.rb', line 63

def self.sign_certificate_verify(key:, signature_scheme:, context:, hash:)
  content = "\x20" * 64 + context + "\x00" + hash

  # RSA signatures MUST use an RSASSA-PSS algorithm, regardless of whether
  # RSASSA-PKCS1-v1_5 algorithms appear in "signature_algorithms".
  case signature_scheme
  when SignatureScheme::RSA_PKCS1_SHA256,
       SignatureScheme::RSA_PSS_RSAE_SHA256,
       SignatureScheme::RSA_PSS_PSS_SHA256
    key.sign_pss('SHA256', content, salt_length: :digest,
                                    mgf1_hash: 'SHA256')
  when SignatureScheme::RSA_PKCS1_SHA384,
       SignatureScheme::RSA_PSS_RSAE_SHA384,
       SignatureScheme::RSA_PSS_PSS_SHA384
    key.sign_pss('SHA384', content, salt_length: :digest,
                                    mgf1_hash: 'SHA384')
  when SignatureScheme::RSA_PKCS1_SHA512,
       SignatureScheme::RSA_PSS_RSAE_SHA512,
       SignatureScheme::RSA_PSS_PSS_SHA512
    key.sign_pss('SHA512', content, salt_length: :digest,
                                    mgf1_hash: 'SHA512')
  when SignatureScheme::ECDSA_SECP256R1_SHA256
    key.sign('SHA256', content)
  when SignatureScheme::ECDSA_SECP384R1_SHA384
    key.sign('SHA384', content)
  when SignatureScheme::ECDSA_SECP521R1_SHA512
    key.sign('SHA512', content)
  else # TODO: ED25519, ED448
    terminate(:internal_error)
  end
end

.sign_finished(digest:, finished_key:, hash:) ⇒ String

Parameters:

• digest (String) —

  name of digest algorithm

• finished_key (String)
• hash (String)

Returns:

• (String)

# File 'lib/tttls1.3/endpoint.rb', line 142

def self.sign_finished(digest:, finished_key:, hash:)
  OpenSSL::HMAC.digest(digest, finished_key, hash)
end

.sign_psk_binder(ch1:, hrr:, ch:, binder_key:, digest:) ⇒ String

Parameters:

• ch1 (TTTLS13::Message::ClientHello)
• hrr (TTTLS13::Message::ServerHello)
• ch (TTTLS13::Message::ClientHello)
• binder_key (String)
• digest (String) —

  name of digest algorithm

Returns:

• (String)

# File 'lib/tttls1.3/endpoint.rb', line 43

def self.sign_psk_binder(ch1:, hrr:, ch:, binder_key:, digest:)
  # TODO: ext binder
  hash_len = OpenSSL::Digest.new(digest).digest_length
  tt = Transcript.new
  tt[CH1] = [ch1, ch1.serialize] unless ch1.nil?
  tt[HRR] = [hrr, hrr.serialize] unless hrr.nil?
  tt[CH] = [ch, ch.serialize]
  # transcript-hash (CH1 + HRR +) truncated-CH
  hash = tt.truncate_hash(digest, CH, hash_len + 3)
  OpenSSL::HMAC.digest(digest, binder_key, hash)
end

.trusted_certificate?(certificate_list, ca_file = nil, hostname = nil) ⇒ Boolean

Parameters:

• certificate_list (Array of CertificateEntry)
• ca_file (String) (defaults to: nil) —

  path to ca.crt

• hostname (String) (defaults to: nil)

Returns:

• (Boolean)

# File 'lib/tttls1.3/endpoint.rb', line 162

def self.trusted_certificate?(certificate_list,
                              ca_file = nil,
                              hostname = nil)
  chain = certificate_list.map(&:cert_data).map do |c|
    OpenSSL::X509::Certificate.new(c)
  end
  cert = chain.shift

  # not support CN matching, only support SAN matching
  return false if !hostname.nil? && !matching_san?(cert, hostname)

  store = OpenSSL::X509::Store.new
  store.set_default_paths
  store.add_file(ca_file) unless ca_file.nil?
  # TODO: parse authorityInfoAccess::CA Issuers
  ctx = OpenSSL::X509::StoreContext.new(store, cert, chain)
  now = Time.now
  ctx.verify && cert.not_before < now && now < cert.not_after
end

.verified_certificate_verify?(public_key:, signature_scheme:, signature:, context:, hash:) ⇒ Boolean

Parameters:

• public_key (OpenSSL::PKey::PKey)
• signature_scheme (TTTLS13::SignatureScheme)
• signature (String)
• context (String)
• hash (String)

Returns:

• (Boolean)

Raises:

• (TTTLS13::Error::ErrorAlerts)

# File 'lib/tttls1.3/endpoint.rb', line 104

def self.verified_certificate_verify?(public_key:, signature_scheme:,
                                      signature:, context:, hash:)
  content = "\x20" * 64 + context + "\x00" + hash

  # RSA signatures MUST use an RSASSA-PSS algorithm, regardless of whether
  # RSASSA-PKCS1-v1_5 algorithms appear in "signature_algorithms".
  case signature_scheme
  when SignatureScheme::RSA_PKCS1_SHA256,
       SignatureScheme::RSA_PSS_RSAE_SHA256,
       SignatureScheme::RSA_PSS_PSS_SHA256
    public_key.verify_pss('SHA256', signature, content, salt_length: :auto,
                                                        mgf1_hash: 'SHA256')
  when SignatureScheme::RSA_PKCS1_SHA384,
       SignatureScheme::RSA_PSS_RSAE_SHA384,
       SignatureScheme::RSA_PSS_PSS_SHA384
    public_key.verify_pss('SHA384', signature, content, salt_length: :auto,
                                                        mgf1_hash: 'SHA384')
  when SignatureScheme::RSA_PKCS1_SHA512,
       SignatureScheme::RSA_PSS_RSAE_SHA512,
       SignatureScheme::RSA_PSS_PSS_SHA512
    public_key.verify_pss('SHA512', signature, content, salt_length: :auto,
                                                        mgf1_hash: 'SHA512')
  when SignatureScheme::ECDSA_SECP256R1_SHA256
    public_key.verify('SHA256', signature, content)
  when SignatureScheme::ECDSA_SECP384R1_SHA384
    public_key.verify('SHA384', signature, content)
  when SignatureScheme::ECDSA_SECP521R1_SHA512
    public_key.verify('SHA512', signature, content)
  else # TODO: ED25519, ED448
    terminate(:internal_error)
  end
end

.verified_finished?(finished:, digest:, finished_key:, hash:) ⇒ Boolean

Parameters:

• finished (TTTLS13::Message::Finished)
• digest (String) —

  name of digest algorithm

• finished_key (String)
• hash (String)

Returns:

• (Boolean)

# File 'lib/tttls1.3/endpoint.rb', line 152

def self.verified_finished?(finished:, digest:, finished_key:, hash:)
  sign_finished(digest:, finished_key:, hash:) \
  == finished.verify_data
end