Source code
Revision control
Copy as Markdown
Other Tools
/* -*- Mode: C; tab-width: 8; indent-tabs-mode: nil; c-basic-offset: 4 -*- */
/*
* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
#include "nss.h"
#include "pk11func.h"
#include "secder.h"
#include "sechash.h"
#include "ssl.h"
#include "sslproto.h"
#include "sslimpl.h"
#include "ssl3exthandle.h"
#include "tls13exthandle.h"
#include "tls13hkdf.h"
#include "tls13subcerts.h"
/* Parses the delegated credential (DC) from the raw extension |b| of length
* |length|. Memory for the DC is allocated and set to |*dcp|.
*
* It's the caller's responsibility to invoke |tls13_DestroyDelegatedCredential|
* when this data is no longer needed.
*/
SECStatus
tls13_ReadDelegatedCredential(PRUint8 *b, PRUint32 length,
sslDelegatedCredential **dcp)
{
sslDelegatedCredential *dc = NULL;
SECStatus rv;
PRUint64 n;
sslReadBuffer tmp;
sslReader rdr = SSL_READER(b, length);
PORT_Assert(!*dcp);
dc = PORT_ZNew(sslDelegatedCredential);
if (!dc) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
/* Read the valid_time field of DelegatedCredential.cred. */
rv = sslRead_ReadNumber(&rdr, 4, &n);
if (rv != SECSuccess) {
goto loser;
}
dc->validTime = n;
/* Read the expected_cert_verify_algorithm field of
* DelegatedCredential.cred. */
rv = sslRead_ReadNumber(&rdr, 2, &n);
if (rv != SECSuccess) {
goto loser;
}
dc->expectedCertVerifyAlg = n;
/* Read the ASN1_subjectPublicKeyInfo field of DelegatedCredential.cred. */
rv = sslRead_ReadVariable(&rdr, 3, &tmp);
if (rv != SECSuccess) {
goto loser;
}
rv = SECITEM_MakeItem(NULL, &dc->derSpki, tmp.buf, tmp.len);
if (rv != SECSuccess) {
goto loser;
}
/* Parse the DER-encoded SubjectPublicKeyInfo. */
dc->spki = SECKEY_DecodeDERSubjectPublicKeyInfo(&dc->derSpki);
if (!dc->spki) {
goto loser;
}
/* Read the algorithm field of the DelegatedCredential. */
rv = sslRead_ReadNumber(&rdr, 2, &n);
if (rv != SECSuccess) {
goto loser;
}
dc->alg = n;
/* Read the signature field of the DelegatedCredential. */
rv = sslRead_ReadVariable(&rdr, 2, &tmp);
if (rv != SECSuccess) {
goto loser;
}
rv = SECITEM_MakeItem(NULL, &dc->signature, tmp.buf, tmp.len);
if (rv != SECSuccess) {
goto loser;
}
/* There should be nothing left to read. */
if (SSL_READER_REMAINING(&rdr) > 0) {
goto loser;
}
*dcp = dc;
return SECSuccess;
loser:
tls13_DestroyDelegatedCredential(dc);
*dcp = NULL;
return SECFailure;
}
/* Frees |dc| from the heap. */
void
tls13_DestroyDelegatedCredential(sslDelegatedCredential *dc)
{
if (!dc) {
return;
}
SECKEY_DestroySubjectPublicKeyInfo(dc->spki);
SECITEM_FreeItem(&dc->derSpki, PR_FALSE);
SECITEM_FreeItem(&dc->signature, PR_FALSE);
PORT_ZFree(dc, sizeof(sslDelegatedCredential));
}
/* Sets |*certVerifyAlg| to the expected_cert_verify_algorithm field from the
* serialized DC |in|. Returns SECSuccess upon success; SECFailure indicates a
* decoding failure or the input wasn't long enough.
*/
static SECStatus
tls13_GetExpectedCertVerifyAlg(SECItem in, SSLSignatureScheme *certVerifyAlg)
{
SECStatus rv;
PRUint64 n;
sslReader rdr = SSL_READER(in.data, in.len);
if (in.len < 6) { /* Buffer too short to contain the first two params. */
return SECFailure;
}
rv = sslRead_ReadNumber(&rdr, 4, &n);
if (rv != SECSuccess) {
return SECFailure;
}
rv = sslRead_ReadNumber(&rdr, 2, &n);
if (rv != SECSuccess) {
return SECFailure;
}
*certVerifyAlg = n;
return SECSuccess;
}
/* Returns PR_TRUE if the host is verifying the handshake with a DC. */
PRBool
tls13_IsVerifyingWithDelegatedCredential(const sslSocket *ss)
{
/* We currently do not support client-delegated credentials. */
if (ss->sec.isServer ||
!ss->opt.enableDelegatedCredentials ||
!ss->xtnData.peerDelegCred) {
return PR_FALSE;
}
return PR_TRUE;
}
/* Returns PR_TRUE if the host is signing the handshake with a DC. */
PRBool
tls13_IsSigningWithDelegatedCredential(const sslSocket *ss)
{
if (!ss->sec.isServer ||
!ss->xtnData.sendingDelegCredToPeer ||
!ss->xtnData.peerRequestedDelegCred) {
return PR_FALSE;
}
return PR_TRUE;
}
/* Commits to authenticating with a DC if all of the following conditions hold:
* - the negotiated protocol is TLS 1.3 or newer;
* - the selected certificate has a DC configured;
* - the peer has indicated support for this extension;
* - the peer has indicated support for the DC signature scheme; and
* - the host supports the DC signature scheme.
*
* It's the caller's responsibility to ensure that the version has been
* negotiated and the certificate has been selected.
*/
SECStatus
tls13_MaybeSetDelegatedCredential(sslSocket *ss)
{
SECStatus rv;
PRBool doesRsaPss;
SECKEYPrivateKey *priv;
SSLSignatureScheme scheme;
/* Assert that the host is the server (we do not currently support
* client-delegated credentials), the certificate has been
* chosen, TLS 1.3 or higher has been negotiated, and that the set of
* signature schemes supported by the client is known.
*/
PORT_Assert(ss->sec.isServer);
PORT_Assert(ss->sec.serverCert);
PORT_Assert(ss->version >= SSL_LIBRARY_VERSION_TLS_1_3);
PORT_Assert(ss->xtnData.peerRequestedDelegCred == !!ss->xtnData.delegCredSigSchemes);
/* Check that the peer has indicated support and that a DC has been
* configured for the selected certificate.
*/
if (!ss->xtnData.peerRequestedDelegCred ||
!ss->xtnData.delegCredSigSchemes ||
!ss->sec.serverCert->delegCred.len ||
!ss->sec.serverCert->delegCredKeyPair) {
return SECSuccess;
}
/* Check that the host and peer both support the signing algorithm used with
* the DC.
*/
rv = tls13_GetExpectedCertVerifyAlg(ss->sec.serverCert->delegCred,
&scheme);
if (rv != SECSuccess) {
return SECFailure;
}
priv = ss->sec.serverCert->delegCredKeyPair->privKey;
rv = ssl_PrivateKeySupportsRsaPss(priv, NULL, NULL, &doesRsaPss);
if (rv != SECSuccess) {
return SECFailure;
}
if (!ssl_SignatureSchemeEnabled(ss, scheme) ||
!ssl_CanUseSignatureScheme(scheme,
ss->xtnData.delegCredSigSchemes,
ss->xtnData.numDelegCredSigSchemes,
PR_FALSE /* requireSha1 */,
doesRsaPss)) {
return SECSuccess;
}
/* Commit to sending a DC and set the handshake signature scheme to the
* indicated algorithm.
*/
ss->xtnData.sendingDelegCredToPeer = PR_TRUE;
ss->ssl3.hs.signatureScheme = scheme;
return SECSuccess;
}
/* Serializes the DC up to the signature. */
static SECStatus
tls13_AppendCredentialParams(sslBuffer *buf, sslDelegatedCredential *dc)
{
SECStatus rv;
rv = sslBuffer_AppendNumber(buf, dc->validTime, 4);
if (rv != SECSuccess) {
return SECFailure; /* Error set by caller. */
}
rv = sslBuffer_AppendNumber(buf, dc->expectedCertVerifyAlg, 2);
if (rv != SECSuccess) {
return SECFailure;
}
rv = sslBuffer_AppendVariable(buf, dc->derSpki.data, dc->derSpki.len, 3);
if (rv != SECSuccess) {
return SECFailure;
}
rv = sslBuffer_AppendNumber(buf, dc->alg, 2);
if (rv != SECSuccess) {
return SECFailure;
}
return SECSuccess;
}
/* Serializes the DC signature. */
static SECStatus
tls13_AppendCredentialSignature(sslBuffer *buf, sslDelegatedCredential *dc)
{
SECStatus rv;
rv = sslBuffer_AppendVariable(buf, dc->signature.data,
dc->signature.len, 2);
if (rv != SECSuccess) {
return SECFailure;
}
return SECSuccess;
}
/* Hashes the message used to sign/verify the DC. */
static SECStatus
tls13_HashCredentialSignatureMessage(SSL3Hashes *hash,
SSLSignatureScheme scheme,
const CERTCertificate *cert,
const sslBuffer *dcBuf)
{
SECStatus rv;
PK11Context *ctx = NULL;
unsigned int hashLen;
/* Set up hash context. */
hash->hashAlg = ssl_SignatureSchemeToHashType(scheme);
ctx = PK11_CreateDigestContext(ssl3_HashTypeToOID(hash->hashAlg));
if (!ctx) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
static const PRUint8 kCtxStrPadding[64] = {
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20,
0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20, 0x20
};
static const PRUint8 kCtxStr[] = "TLS, server delegated credentials";
/* Hash the message signed by the peer. */
rv = SECSuccess;
rv |= PK11_DigestBegin(ctx);
rv |= PK11_DigestOp(ctx, kCtxStrPadding, sizeof kCtxStrPadding);
rv |= PK11_DigestOp(ctx, kCtxStr, 1 /* 0-byte */ + strlen((const char *)kCtxStr));
rv |= PK11_DigestOp(ctx, cert->derCert.data, cert->derCert.len);
rv |= PK11_DigestOp(ctx, dcBuf->buf, dcBuf->len);
rv |= PK11_DigestFinal(ctx, hash->u.raw, &hashLen, sizeof hash->u.raw);
if (rv != SECSuccess) {
PORT_SetError(SSL_ERROR_SHA_DIGEST_FAILURE);
goto loser;
}
hash->len = hashLen;
if (ctx) {
PK11_DestroyContext(ctx, PR_TRUE);
}
return SECSuccess;
loser:
if (ctx) {
PK11_DestroyContext(ctx, PR_TRUE);
}
return SECFailure;
}
/* Verifies the DC signature. */
static SECStatus
tls13_VerifyCredentialSignature(sslSocket *ss, sslDelegatedCredential *dc)
{
SECStatus rv = SECSuccess;
SSL3Hashes hash;
sslBuffer dcBuf = SSL_BUFFER_EMPTY;
CERTCertificate *cert = ss->sec.peerCert;
SECKEYPublicKey *pubKey = NULL;
/* Serialize the DC parameters. */
rv = tls13_AppendCredentialParams(&dcBuf, dc);
if (rv != SECSuccess) {
goto loser; /* Error set by caller. */
}
/* Hash the message that was signed by the delegator. */
rv = tls13_HashCredentialSignatureMessage(&hash, dc->alg, cert, &dcBuf);
if (rv != SECSuccess) {
FATAL_ERROR(ss, PORT_GetError(), internal_error);
goto loser;
}
pubKey = SECKEY_ExtractPublicKey(&cert->subjectPublicKeyInfo);
if (pubKey == NULL) {
FATAL_ERROR(ss, SSL_ERROR_EXTRACT_PUBLIC_KEY_FAILURE, internal_error);
goto loser;
}
/* Verify the signature of the message. */
rv = ssl_VerifySignedHashesWithPubKey(ss, pubKey, dc->alg,
&hash, &dc->signature);
if (rv != SECSuccess) {
FATAL_ERROR(ss, SSL_ERROR_DC_BAD_SIGNATURE, illegal_parameter);
goto loser;
}
SECOidTag spkiAlg = SECOID_GetAlgorithmTag(&(dc->spki->algorithm));
if (spkiAlg == SEC_OID_PKCS1_RSA_ENCRYPTION) {
FATAL_ERROR(ss, SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM, illegal_parameter);
goto loser;
}
SECKEY_DestroyPublicKey(pubKey);
sslBuffer_Clear(&dcBuf);
return SECSuccess;
loser:
SECKEY_DestroyPublicKey(pubKey);
sslBuffer_Clear(&dcBuf);
return SECFailure;
}
/* Checks that the peer's end-entity certificate has the correct key usage. */
static SECStatus
tls13_CheckCertDelegationUsage(sslSocket *ss)
{
int i;
PRBool found;
CERTCertExtension *ext;
SECItem delegUsageOid = { siBuffer, NULL, 0 };
const CERTCertificate *cert = ss->sec.peerCert;
/* 1.3.6.1.4.1.44363.44, as defined in draft-ietf-tls-subcerts. */
static unsigned char kDelegationUsageOid[] = {
0x2b,
0x06,
0x01,
0x04,
0x01,
0x82,
0xda,
0x4b,
0x2c
};
delegUsageOid.data = kDelegationUsageOid;
delegUsageOid.len = sizeof kDelegationUsageOid;
/* The certificate must have the delegationUsage extension that authorizes
* it to negotiate delegated credentials.
*/
found = PR_FALSE;
for (i = 0; cert->extensions[i] != NULL; i++) {
ext = cert->extensions[i];
if (SECITEM_CompareItem(&ext->id, &delegUsageOid) == SECEqual) {
found = PR_TRUE;
break;
}
}
/* The certificate must also have the digitalSignature keyUsage set. */
if (!found ||
!cert->keyUsagePresent ||
!(cert->keyUsage & KU_DIGITAL_SIGNATURE)) {
FATAL_ERROR(ss, SSL_ERROR_DC_INVALID_KEY_USAGE, illegal_parameter);
return SECFailure;
}
return SECSuccess;
}
static SECStatus
tls13_CheckCredentialExpiration(sslSocket *ss, sslDelegatedCredential *dc)
{
SECStatus rv;
CERTCertificate *cert = ss->sec.peerCert;
/* 7 days in microseconds */
static const PRTime kMaxDcValidity = ((PRTime)7 * 24 * 60 * 60 * PR_USEC_PER_SEC);
PRTime start, now, end; /* microseconds */
rv = DER_DecodeTimeChoice(&start, &cert->validity.notBefore);
if (rv != SECSuccess) {
FATAL_ERROR(ss, PORT_GetError(), internal_error);
return SECFailure;
}
end = start + ((PRTime)dc->validTime * PR_USEC_PER_SEC);
now = ssl_Time(ss);
if (now > end || end < 0) {
FATAL_ERROR(ss, SSL_ERROR_DC_EXPIRED, illegal_parameter);
return SECFailure;
}
/* Not more than 7 days remaining in the validity period. */
if (end - now > kMaxDcValidity) {
FATAL_ERROR(ss, SSL_ERROR_DC_INAPPROPRIATE_VALIDITY_PERIOD, illegal_parameter);
return SECFailure;
}
return SECSuccess;
}
/* Returns SECSucces if |dc| is a DC for the current handshake; otherwise it
* returns SECFailure. A valid DC meets three requirements: (1) the signature
* was produced by the peer's end-entity certificate, (2) the end-entity
* certificate must have the correct key usage, and (3) the DC must not be
* expired and its remaining TTL must be <= the maximum validity period (fixed
* as 7 days).
*
* This function calls FATAL_ERROR() when an error occurs.
*/
SECStatus
tls13_VerifyDelegatedCredential(sslSocket *ss,
sslDelegatedCredential *dc)
{
SECStatus rv;
PRTime start;
PRExplodedTime end;
CERTCertificate *cert = ss->sec.peerCert;
char endStr[256];
rv = DER_DecodeTimeChoice(&start, &cert->validity.notBefore);
if (rv != SECSuccess) {
FATAL_ERROR(ss, PORT_GetError(), internal_error);
return SECFailure;
}
PR_ExplodeTime(start + (dc->validTime * PR_USEC_PER_SEC),
PR_GMTParameters, &end);
if (PR_FormatTime(endStr, sizeof(endStr), "%a %b %d %H:%M:%S %Y", &end)) {
SSL_TRC(20, ("%d: TLS13[%d]: Received delegated credential (expires %s)",
SSL_GETPID(), ss->fd, endStr));
} else {
SSL_TRC(20, ("%d: TLS13[%d]: Received delegated credential",
SSL_GETPID(), ss->fd));
}
rv = SECSuccess;
rv |= tls13_VerifyCredentialSignature(ss, dc);
rv |= tls13_CheckCertDelegationUsage(ss);
rv |= tls13_CheckCredentialExpiration(ss, dc);
return rv;
}
static CERTSubjectPublicKeyInfo *
tls13_MakePssSpki(const SECKEYPublicKey *pub, SECOidTag hashOid)
{
SECStatus rv;
PLArenaPool *arena = PORT_NewArena(DER_DEFAULT_CHUNKSIZE);
if (!arena) {
goto loser; /* Code already set. */
}
CERTSubjectPublicKeyInfo *spki = PORT_ArenaZNew(arena, CERTSubjectPublicKeyInfo);
if (!spki) {
goto loser; /* Code already set. */
}
spki->arena = arena;
SECKEYRSAPSSParams params = { 0 };
params.hashAlg = PORT_ArenaZNew(arena, SECAlgorithmID);
rv = SECOID_SetAlgorithmID(arena, params.hashAlg, hashOid, NULL);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
/* Set the mask hash algorithm too, which is an argument to
* a SEC_OID_PKCS1_MGF1 value. */
SECAlgorithmID maskHashAlg;
memset(&maskHashAlg, 0, sizeof(maskHashAlg));
rv = SECOID_SetAlgorithmID(arena, &maskHashAlg, hashOid, NULL);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
SECItem *maskHashAlgItem =
SEC_ASN1EncodeItem(arena, NULL, &maskHashAlg,
SEC_ASN1_GET(SECOID_AlgorithmIDTemplate));
if (!maskHashAlgItem) {
/* Probably OOM, but not certain. */
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
goto loser;
}
params.maskAlg = PORT_ArenaZNew(arena, SECAlgorithmID);
rv = SECOID_SetAlgorithmID(arena, params.maskAlg, SEC_OID_PKCS1_MGF1,
maskHashAlgItem);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
/* Always include saltLength: all hashes are larger than 20. */
unsigned int saltLength = HASH_ResultLenByOidTag(hashOid);
PORT_Assert(saltLength > 20);
if (!SEC_ASN1EncodeInteger(arena, ¶ms.saltLength, saltLength)) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
goto loser;
}
/* Omit the trailerField always. */
SECItem *algorithmItem =
SEC_ASN1EncodeItem(arena, NULL, ¶ms,
SEC_ASN1_GET(SECKEY_RSAPSSParamsTemplate));
if (!algorithmItem) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
goto loser; /* Code already set. */
}
rv = SECOID_SetAlgorithmID(arena, &spki->algorithm,
SEC_OID_PKCS1_RSA_PSS_SIGNATURE, algorithmItem);
if (rv != SECSuccess) {
goto loser; /* Code already set. */
}
SECItem *pubItem = SEC_ASN1EncodeItem(arena, &spki->subjectPublicKey, pub,
SEC_ASN1_GET(SECKEY_RSAPublicKeyTemplate));
if (!pubItem) {
PORT_SetError(SEC_ERROR_LIBRARY_FAILURE);
goto loser;
}
spki->subjectPublicKey.len *= 8; /* Key length is in bits. */
return spki;
loser:
PORT_FreeArena(arena, PR_FALSE);
return NULL;
}
static CERTSubjectPublicKeyInfo *
tls13_MakeDcSpki(const SECKEYPublicKey *dcPub, SSLSignatureScheme dcCertVerifyAlg)
{
switch (SECKEY_GetPublicKeyType(dcPub)) {
case rsaKey: {
SECOidTag hashOid;
switch (dcCertVerifyAlg) {
/* Note: RSAE schemes are NOT permitted within DC SPKIs. However,
* support for their issuance remains so as to enable negative
* testing of client behavior. */
case ssl_sig_rsa_pss_rsae_sha256:
case ssl_sig_rsa_pss_rsae_sha384:
case ssl_sig_rsa_pss_rsae_sha512:
return SECKEY_CreateSubjectPublicKeyInfo(dcPub);
case ssl_sig_rsa_pss_pss_sha256:
hashOid = SEC_OID_SHA256;
break;
case ssl_sig_rsa_pss_pss_sha384:
hashOid = SEC_OID_SHA384;
break;
case ssl_sig_rsa_pss_pss_sha512:
hashOid = SEC_OID_SHA512;
break;
default:
PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
return NULL;
}
return tls13_MakePssSpki(dcPub, hashOid);
}
case ecKey: {
const sslNamedGroupDef *group = ssl_ECPubKey2NamedGroup(dcPub);
if (!group) {
PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
return NULL;
}
SSLSignatureScheme keyScheme;
switch (group->name) {
case ssl_grp_ec_secp256r1:
keyScheme = ssl_sig_ecdsa_secp256r1_sha256;
break;
case ssl_grp_ec_secp384r1:
keyScheme = ssl_sig_ecdsa_secp384r1_sha384;
break;
case ssl_grp_ec_secp521r1:
keyScheme = ssl_sig_ecdsa_secp521r1_sha512;
break;
default:
PORT_SetError(SEC_ERROR_INVALID_KEY);
return NULL;
}
if (keyScheme != dcCertVerifyAlg) {
PORT_SetError(SSL_ERROR_INCORRECT_SIGNATURE_ALGORITHM);
return NULL;
}
return SECKEY_CreateSubjectPublicKeyInfo(dcPub);
}
default:
break;
}
PORT_SetError(SEC_ERROR_INVALID_KEY);
return NULL;
}
/* Returns a serialized DC with the given parameters.
*
* Note that this function is meant primarily for testing. In particular, it
* DOES NOT verify any of the following:
* - |certPriv| is the private key corresponding to |cert|;
* - that |checkCertKeyUsage(cert) == SECSuccess|;
* - |dcValidFor| is less than 7 days (the maximum permitted by the spec); or
* - validTime doesn't overflow a PRUint32.
*
* These conditions are things we want to test for, which is why we allow them
* here. A real API for creating DCs would want to explicitly check ALL of these
* conditions are met.
*/
SECStatus
SSLExp_DelegateCredential(const CERTCertificate *cert,
const SECKEYPrivateKey *certPriv,
const SECKEYPublicKey *dcPub,
SSLSignatureScheme dcCertVerifyAlg,
PRUint32 dcValidFor,
PRTime now,
SECItem *out)
{
SECStatus rv;
SSL3Hashes hash;
CERTSubjectPublicKeyInfo *spki = NULL;
SECKEYPrivateKey *tmpPriv = NULL;
sslDelegatedCredential *dc = NULL;
sslBuffer dcBuf = SSL_BUFFER_EMPTY;
if (!cert || !certPriv || !dcPub || !out) {
PORT_SetError(SEC_ERROR_INVALID_ARGS);
return SECFailure;
}
dc = PORT_ZNew(sslDelegatedCredential);
if (!dc) {
PORT_SetError(SEC_ERROR_NO_MEMORY);
goto loser;
}
/* Serialize the DC parameters. */
PRTime start;
rv = DER_DecodeTimeChoice(&start, &cert->validity.notBefore);
if (rv != SECSuccess) {
goto loser;
}
dc->validTime = ((now - start) / PR_USEC_PER_SEC) + dcValidFor;
/* Building the SPKI also validates |dcCertVerifyAlg|. */
spki = tls13_MakeDcSpki(dcPub, dcCertVerifyAlg);
if (!spki) {
goto loser;
}
dc->expectedCertVerifyAlg = dcCertVerifyAlg;
SECItem *spkiDer =
SEC_ASN1EncodeItem(NULL /*arena*/, &dc->derSpki, spki,
SEC_ASN1_GET(CERT_SubjectPublicKeyInfoTemplate));
if (!spkiDer) {
goto loser;
}
rv = ssl_SignatureSchemeFromSpki(&cert->subjectPublicKeyInfo,
PR_TRUE /* isTls13 */, &dc->alg);
if (rv != SECSuccess) {
goto loser;
}
if (dc->alg == ssl_sig_none) {
SECOidTag spkiOid = SECOID_GetAlgorithmTag(&cert->subjectPublicKeyInfo.algorithm);
/* If the Cert SPKI contained an AlgorithmIdentifier of "rsaEncryption", set a
* default rsa_pss_rsae_sha256 scheme. NOTE: RSAE SPKIs are not permitted within
* "real" Delegated Credentials. However, since this function is primarily used for
* testing, we retain this support in order to verify that these DCs are rejected
* by tls13_VerifyDelegatedCredential. */
if (spkiOid == SEC_OID_PKCS1_RSA_ENCRYPTION) {
SSLSignatureScheme scheme = ssl_sig_rsa_pss_rsae_sha256;
if (ssl_SignatureSchemeValid(scheme, spkiOid, PR_TRUE /* isTls13 */)) {
dc->alg = scheme;
}
}
}
PORT_Assert(dc->alg != ssl_sig_none);
rv = tls13_AppendCredentialParams(&dcBuf, dc);
if (rv != SECSuccess) {
goto loser;
}
/* Hash signature message. */
rv = tls13_HashCredentialSignatureMessage(&hash, dc->alg, cert, &dcBuf);
if (rv != SECSuccess) {
goto loser;
}
/* Sign the hash with the delegation key.
*
* The PK11 API discards const qualifiers, so we have to make a copy of
* |certPriv| and pass the copy to |ssl3_SignHashesWithPrivKey|.
*/
tmpPriv = SECKEY_CopyPrivateKey(certPriv);
rv = ssl3_SignHashesWithPrivKey(&hash, tmpPriv, dc->alg,
PR_TRUE /* isTls */, &dc->signature);
if (rv != SECSuccess) {
goto loser;
}
/* Serialize the DC signature. */
rv = tls13_AppendCredentialSignature(&dcBuf, dc);
if (rv != SECSuccess) {
goto loser;
}
/* Copy the serialized DC to |out|. */
rv = SECITEM_MakeItem(NULL, out, dcBuf.buf, dcBuf.len);
if (rv != SECSuccess) {
goto loser;
}
PRINT_BUF(20, (NULL, "delegated credential", dcBuf.buf, dcBuf.len));
SECKEY_DestroySubjectPublicKeyInfo(spki);
SECKEY_DestroyPrivateKey(tmpPriv);
tls13_DestroyDelegatedCredential(dc);
sslBuffer_Clear(&dcBuf);
return SECSuccess;
loser:
SECKEY_DestroySubjectPublicKeyInfo(spki);
SECKEY_DestroyPrivateKey(tmpPriv);
tls13_DestroyDelegatedCredential(dc);
sslBuffer_Clear(&dcBuf);
return SECFailure;
}