added Named Curve witnesses to Site Report for detail level ALL

mmaehren · mmaehren · commit e1d7456d4dc6 · 2020-10-06T13:09:48.000+02:00
diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/NamedCurvesProbe.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/NamedCurvesProbe.java
@@ -71,7 +71,7 @@ public NamedCurvesProbe(ScannerConfig config, ParallelExecutor parallelExecutor)
     @Override
     public ProbeResult executeTest() {
         try {
-            List<NamedGroup> groupsRsa = new LinkedList<>();
+            Map<NamedGroup, NamedCurveWitness> groupsRsa = new HashMap<>();
             Map<NamedGroup, NamedCurveWitness> groupsEcdsaStatic = new HashMap<>();
             Map<NamedGroup, NamedCurveWitness> groupsEcdsaEphemeral = new HashMap<>();
             Map<NamedGroup, NamedCurveWitness> groupsTls13 = new HashMap<>();
@@ -108,14 +108,14 @@ public ProbeResult executeTest() {
         }
     }
 
-    private List<NamedGroup> getSupportedNamedGroupsRsa() {
+    private Map<NamedGroup, NamedCurveWitness> getSupportedNamedGroupsRsa() {
 
         Config tlsConfig = getBasicConfig();
         tlsConfig.setDefaultClientSupportedCiphersuites(getEcRsaCiphersuites());
         List<NamedGroup> toTestList = new ArrayList<>(Arrays.asList(NamedGroup.values()));
         TlsContext context;
         NamedGroup selectedGroup = null;
-        List<NamedGroup> supportedNamedCurves = new LinkedList<>();
+        Map<NamedGroup, NamedCurveWitness> supportedNamedCurves = new HashMap<>();
         do {
             context = testCurves(toTestList, tlsConfig);
 
@@ -127,7 +127,7 @@ private List<NamedGroup> getSupportedNamedGroupsRsa() {
                     break;
                 }
 
-                supportedNamedCurves.add(selectedGroup);
+                supportedNamedCurves.put(selectedGroup, new NamedCurveWitness(context.getSelectedCipherSuite()));
                 toTestList.remove(selectedGroup);
             }
         } while (context != null && toTestList.size() > 0);
@@ -177,10 +177,10 @@ private Map<NamedGroup, NamedCurveWitness> getSupportedNamedGroupsEcdsa(List<Cip
                     }
                     if (cipherSuites.get(0).isEphemeral()) {
                         namedCurveMap.put(selectedGroup, new NamedCurveWitness(null, certificateGroup, null,
-                                certificateSigGroup));
+                                certificateSigGroup, context.getSelectedCipherSuite()));
                     } else {
                         namedCurveMap.put(selectedGroup, new NamedCurveWitness(certificateGroup, null,
-                                certificateSigGroup, null));
+                                certificateSigGroup, null, context.getSelectedCipherSuite()));
 
                     }
 
@@ -392,7 +392,7 @@ private Map<NamedGroup, NamedCurveWitness> getTls13SupportedGroups() {
                 }
 
                 namedCurveMap.put(selectedGroup, new NamedCurveWitness(null, certificateGroup, null,
-                        certificateSigGroup));
+                        certificateSigGroup, context.getSelectedCipherSuite()));
                 toTestList.remove(selectedGroup);
             }
         } while (context != null && !toTestList.isEmpty());
@@ -433,11 +433,11 @@ public TlsContext getTls13SupportedGroup(List<NamedGroup> groups) {
         }
     }
 
-    private Map<NamedGroup, NamedCurveWitness> composeFullMap(List<NamedGroup> rsaGroups,
+    private Map<NamedGroup, NamedCurveWitness> composeFullMap(Map<NamedGroup, NamedCurveWitness> rsaGroups,
             Map<NamedGroup, NamedCurveWitness> groupsEcdsaStatic,
             Map<NamedGroup, NamedCurveWitness> groupsEcdsaEphemeral) {
         List<NamedGroup> foundOverall = new LinkedList();
-        for (NamedGroup group : rsaGroups) {
+        for (NamedGroup group : rsaGroups.keySet()) {
             if (!foundOverall.contains(group)) {
                 foundOverall.add(group);
             }
@@ -456,16 +456,16 @@ private Map<NamedGroup, NamedCurveWitness> composeFullMap(List<NamedGroup> rsaGr
         HashMap<NamedGroup, NamedCurveWitness> groupMap = new HashMap<>();
         for (NamedGroup group : foundOverall) {
             NamedCurveWitness witness = new NamedCurveWitness();
-            if (rsaGroups.contains(group)) {
-                witness.setFoundUsingRsaCipher(true);
+            if (rsaGroups.containsKey(group)) {
+                witness.getCipherSuites().addAll(rsaGroups.get(group).getCipherSuites());
             }
             if (groupsEcdsaStatic.containsKey(group)) {
-                witness.setFoundUsingEcdsaStaticCipher(true);
+                witness.getCipherSuites().addAll(groupsEcdsaStatic.get(group).getCipherSuites());
                 witness.setEcdsaPkGroupStatic(groupsEcdsaStatic.get(group).getEcdsaPkGroupStatic());
                 witness.setEcdsaSigGroupStatic(groupsEcdsaStatic.get(group).getEcdsaSigGroupStatic());
             }
             if (groupsEcdsaEphemeral.containsKey(group)) {
-                witness.setFoundUsingEcdsaEphemeralCipher(true);
+                witness.getCipherSuites().addAll(groupsEcdsaEphemeral.get(group).getCipherSuites());
                 witness.setEcdsaPkGroupEphemeral(groupsEcdsaEphemeral.get(group).getEcdsaPkGroupEphemeral());
                 witness.setEcdsaSigGroupEphemeral(groupsEcdsaEphemeral.get(group).getEcdsaSigGroupEphemeral());
             }
@@ -476,10 +476,10 @@ private Map<NamedGroup, NamedCurveWitness> composeFullMap(List<NamedGroup> rsaGr
     }
 
     private TestResult getGroupsDependOnCiphersuite(Map<NamedGroup, NamedCurveWitness> overallSupported,
-            List<NamedGroup> groupsRsa, Map<NamedGroup, NamedCurveWitness> groupsEcdsaStatic,
+            Map<NamedGroup, NamedCurveWitness> groupsRsa, Map<NamedGroup, NamedCurveWitness> groupsEcdsaStatic,
             Map<NamedGroup, NamedCurveWitness> groupsEcdsaEphemeral) {
         for (NamedGroup group : overallSupported.keySet()) {
-            if (((testUsingRsa && !groupsRsa.contains(group))
+            if (((testUsingRsa && !groupsRsa.containsKey(group))
                     || (testUsingEcdsaStatic && !groupsEcdsaStatic.containsKey(group)) || (testUsingEcdsaEphemeral && !groupsEcdsaEphemeral
                     .containsKey(group))) && group.isCurve()) {
                 return TestResult.TRUE;
diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/namedcurve/NamedCurveWitness.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/probe/namedcurve/NamedCurveWitness.java
@@ -8,13 +8,17 @@
  */
 package de.rub.nds.tlsscanner.serverscanner.probe.namedcurve;
 
+import de.rub.nds.tlsattacker.core.constants.AlgorithmResolver;
+import de.rub.nds.tlsattacker.core.constants.CertificateKeyType;
 import de.rub.nds.tlsattacker.core.constants.CipherSuite;
+import de.rub.nds.tlsattacker.core.constants.KeyExchangeAlgorithm;
 import de.rub.nds.tlsattacker.core.constants.NamedGroup;
+import java.util.HashSet;
+import java.util.Set;
 
 public class NamedCurveWitness {
-    private boolean foundUsingRsaCipher = false;
-    private boolean foundUsingEcdsaStaticCipher = false;
-    private boolean foundUsingEcdsaEphemeralCipher = false;
+
+    private Set<CipherSuite> cipherSuites;
 
     // the curves used to generate an ecdsa sig inside the key ex. message
     private NamedGroup ecdsaPkGroupStatic;
@@ -25,15 +29,22 @@ public class NamedCurveWitness {
     private NamedGroup ecdsaSigGroupEphemeral;
 
     public NamedCurveWitness() {
-
+        cipherSuites = new HashSet<>();
     }
 
     public NamedCurveWitness(NamedGroup ecdsaPkGroupStatic, NamedGroup ecdsaPkGroupEphemeral,
-            NamedGroup ecdsaSigGroupStatic, NamedGroup ecdsaSigGroupEphemeral) {
+            NamedGroup ecdsaSigGroupStatic, NamedGroup ecdsaSigGroupEphemeral, CipherSuite cipherSuite) {
         this.ecdsaPkGroupStatic = ecdsaPkGroupStatic;
         this.ecdsaPkGroupEphemeral = ecdsaPkGroupEphemeral;
         this.ecdsaSigGroupStatic = ecdsaSigGroupStatic;
         this.ecdsaSigGroupEphemeral = ecdsaSigGroupEphemeral;
+        cipherSuites = new HashSet<>();
+        cipherSuites.add(cipherSuite);
+    }
+
+    public NamedCurveWitness(CipherSuite cipherSuite) {
+        cipherSuites = new HashSet<>();
+        cipherSuites.add(cipherSuite);
     }
 
     public NamedGroup getEcdsaPkGroupStatic() {
@@ -53,27 +64,30 @@ public NamedGroup getEcdsaSigGroupEphemeral() {
     }
 
     public boolean isFoundUsingRsaCipher() {
-        return foundUsingRsaCipher;
-    }
-
-    public void setFoundUsingRsaCipher(boolean foundUsingRsaCipher) {
-        this.foundUsingRsaCipher = foundUsingRsaCipher;
+        for (CipherSuite cipherSuite : cipherSuites) {
+            if (AlgorithmResolver.getCertificateKeyType(cipherSuite) == CertificateKeyType.RSA) {
+                return true;
+            }
+        }
+        return false;
     }
 
     public boolean isFoundUsingEcdsaStaticCipher() {
-        return foundUsingEcdsaStaticCipher;
-    }
-
-    public void setFoundUsingEcdsaStaticCipher(boolean foundUsingEcdsaStaticCipher) {
-        this.foundUsingEcdsaStaticCipher = foundUsingEcdsaStaticCipher;
+        for (CipherSuite cipherSuite : cipherSuites) {
+            if (AlgorithmResolver.getKeyExchangeAlgorithm(cipherSuite) == KeyExchangeAlgorithm.ECDH_ECDSA) {
+                return true;
+            }
+        }
+        return false;
     }
 
     public boolean isFoundUsingEcdsaEphemeralCipher() {
-        return foundUsingEcdsaEphemeralCipher;
-    }
-
-    public void setFoundUsingEcdsaEphemeralCipher(boolean foundUsingEcdsaEphemeralCipher) {
-        this.foundUsingEcdsaEphemeralCipher = foundUsingEcdsaEphemeralCipher;
+        for (CipherSuite cipherSuite : cipherSuites) {
+            if (AlgorithmResolver.getKeyExchangeAlgorithm(cipherSuite) == KeyExchangeAlgorithm.ECDHE_ECDSA) {
+                return true;
+            }
+        }
+        return false;
     }
 
     public void setEcdsaPkGroupStatic(NamedGroup ecdsaPkGroupStatic) {
@@ -92,4 +106,12 @@ public void setEcdsaSigGroupEphemeral(NamedGroup ecdsaSigGroupEphemeral) {
         this.ecdsaSigGroupEphemeral = ecdsaSigGroupEphemeral;
     }
 
+    public Set<CipherSuite> getCipherSuites() {
+        return cipherSuites;
+    }
+
+    public void setCipherSuites(Set<CipherSuite> cipherSuites) {
+        this.cipherSuites = cipherSuites;
+    }
+
 }
diff --git a/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/SiteReportPrinter.java b/TLS-Server-Scanner/src/main/java/de/rub/nds/tlsscanner/serverscanner/report/SiteReportPrinter.java
@@ -40,6 +40,7 @@
 import de.rub.nds.tlsscanner.serverscanner.probe.handshakeSimulation.SimulatedClientResult;
 import de.rub.nds.tlsscanner.serverscanner.probe.invalidCurve.InvalidCurveResponse;
 import de.rub.nds.tlsscanner.serverscanner.probe.mac.CheckPattern;
+import de.rub.nds.tlsscanner.serverscanner.probe.namedcurve.NamedCurveWitness;
 import de.rub.nds.tlsscanner.serverscanner.probe.padding.KnownPaddingOracleVulnerability;
 import de.rub.nds.tlsscanner.serverscanner.probe.padding.PaddingOracleStrength;
 import de.rub.nds.tlsscanner.serverscanner.rating.PropertyResultRatingInfluencer;
@@ -68,6 +69,7 @@
 import java.util.LinkedHashMap;
 import java.util.LinkedList;
 import java.util.List;
+import java.util.Map;
 import java.util.Objects;
 import java.util.concurrent.TimeUnit;
 import javax.xml.bind.JAXBException;
@@ -1572,7 +1574,32 @@ public StringBuilder appendCurves(StringBuilder builder) {
             prettyAppendHeading(builder, "Supported Named Groups");
             if (report.getSupportedNamedGroups().size() > 0) {
                 for (NamedGroup group : report.getSupportedNamedGroups()) {
-                    builder.append(group.name()).append("\n");
+                    builder.append(group.name());
+                    if (detail == ScannerDetail.ALL) {
+                        builder.append("\n  Found using:");
+                        NamedCurveWitness witness = report.getSupportedNamedGroupsWitnesses().get(group);
+                        for (CipherSuite cipher : witness.getCipherSuites()) {
+                            builder.append("\n    ").append(cipher.toString());
+                        }
+                        builder.append("\n  ECDSA Required Groups:");
+                        if (witness.getEcdsaPkGroupEphemeral() != null && witness.getEcdsaPkGroupEphemeral() != group) {
+                            builder.append("\n    ").append(witness.getEcdsaPkGroupEphemeral())
+                                    .append(" (Ephemeral Certificate Public Key)");
+                        }
+                        if (witness.getEcdsaSigGroupEphemeral() != null && witness.getEcdsaSigGroupEphemeral() != group) {
+                            builder.append("\n    ").append(witness.getEcdsaSigGroupEphemeral())
+                                    .append(" (Ephemeral Certificate Signature)");
+                        }
+                        if (witness.getEcdsaPkGroupStatic() != null && witness.getEcdsaPkGroupStatic() != group) {
+                            builder.append("\n    ").append(witness.getEcdsaPkGroupStatic())
+                                    .append(" (Static Certificate Public Key)");
+                        }
+                        if (witness.getEcdsaSigGroupStatic() != null && witness.getEcdsaSigGroupStatic() != group) {
+                            builder.append("\n    ").append(witness.getEcdsaSigGroupStatic())
+                                    .append(" (Static Certificate Signature)");
+                        }
+                    }
+                    builder.append("\n");
                 }
                 if (report.getResult(AnalyzedProperty.GROUPS_DEPEND_ON_CIPHER) == TestResult.TRUE) {
                     prettyAppend(builder, "Not all Groups are supported for all Cipher Suites");
