client side support for post handshake authentication

Author: tomato42

tlslite/constants.py

@@ -171,6 +171,7 @@ class ExtensionType(TLSEnum):
     supported_versions = 43  # TLS 1.3
     cookie = 44  # TLS 1.3
     psk_key_exchange_modes = 45  # TLS 1.3
+    post_handshake_auth = 49  # TLS 1.3
     signature_algorithms_cert = 50  # TLS 1.3
     key_share = 51  # TLS 1.3
     supports_npn = 13172

tlslite/tlsconnection.py

@@ -717,6 +717,14 @@ def _clientSendClientHello(self, settings, session, srpUsername,
         session_id = bytearray()
         # when TLS 1.3 advertised, add key shares, set fake session_id
         if next((i for i in settings.versions if i > (3, 3)), None):
+            # if we have a client cert configured, do indicate we're willing
+            # to perform Post Handshake Authentication
+            if certParams and certParams[1]:
+                extensions.append(TLSExtension(
+                    extType=ExtensionType.post_handshake_auth).
+                    create(bytearray(b'')))
+                self._client_keypair = certParams
+
             session_id = getRandomBytes(32)
             extensions.append(SupportedVersionsExtension().
                               create(settings.versions))
@@ -1435,6 +1443,8 @@ def _clientTLS13Handshake(self, settings, session, clientHello,
         # fully switch to application data
         self._changeWriteState()
 
+        self._first_handshake_hashes = self._handshake_hash.copy()
+
         resumption_master_secret = derive_secret(secret,
                                                  bytearray(b'res master'),
                                                  self._handshake_hash, prfName)

tlslite/tlsrecordlayer.py

@@ -18,7 +18,7 @@
 from .utils.compat import *
 from .utils.cryptomath import *
 from .utils.codec import Parser
-from .utils.lists import to_str_delimiter
+from .utils.lists import to_str_delimiter, getFirstMatching
 from .errors import *
 from .messages import *
 from .mathtls import *
@@ -27,6 +27,8 @@
 from .defragmenter import Defragmenter
 from .handshakehashes import HandshakeHashes
 from .bufferedsocket import BufferedSocket
+from .handshakesettings import HandshakeSettings
+from .keyexchange import KeyExchange
 
 class TLSRecordLayer(object):
     """
@@ -182,6 +184,10 @@ def __init__(self, sock):
         self._buffer_content_type = None
         self._buffer = bytearray()
 
+        # tuple with list of certificates and the private key that will be
+        # used for post handshake authentication in TLS 1.3
+        self._client_keypair = None
+
     @property
     def _send_record_limit(self):
         """Maximum size of payload that can be sent."""
@@ -300,8 +306,13 @@ def readAsync(self, max=None, min=1):
         if self.version > (3, 3):
             allowedTypes = (ContentType.application_data,
                             ContentType.handshake)
-            allowedHsTypes = (HandshakeType.new_session_ticket,
-                              HandshakeType.key_update)
+            if self._client_keypair:
+                allowedHsTypes = (HandshakeType.new_session_ticket,
+                                  HandshakeType.key_update,
+                                  HandshakeType.certificate_request)
+            else:
+                allowedHsTypes = (HandshakeType.new_session_ticket,
+                                  HandshakeType.key_update)
         else:
             allowedTypes = ContentType.application_data
             allowedHsTypes = None
@@ -316,10 +327,15 @@ def readAsync(self, max=None, min=1):
                         result.time = time.time()
                         self.tickets.append(result)
                         continue
-                    if isinstance(result, KeyUpdate):
+                    elif isinstance(result, KeyUpdate):
                         for result in self._handle_keyupdate_request(result):
                             yield result
                         continue
+                    elif isinstance(result, CertificateRequest):
+                        for result in self._handle_pha(result):
+                            if result in (0, 1):
+                                yield
+                        continue
                     applicationData = result
                     self._readBuffer += applicationData.write()
                 except TLSRemoteAlert as alert:
@@ -611,6 +627,84 @@ def fileno(self):
      # Public Functions END
      #*********************************************************
 
+    def _handle_pha(self, cert_request):
+        cert, p_key = self._client_keypair
+
+        handshake_context = self._first_handshake_hashes.copy()
+        handshake_context.update(cert_request.write())
+
+        prf_name = 'sha256'
+        prf_size = 32
+        if self.session.cipherSuite in CipherSuite.sha384PrfSuites:
+            prf_name = 'sha384'
+            prf_size = 48
+
+        msgs = []
+        msgs.append(Certificate(CertificateType.x509, self.version)
+                    .create(cert, cert_request.certificate_request_context))
+        handshake_context.update(msgs[0].write())
+        if p_key:
+            # sign the CertificateVerify only when we have a private key to do
+            # that
+            valid_sig_algs = cert_request.supported_signature_algs
+            if not valid_sig_algs:
+                for result in self._sendError(
+                        AlertDescription.missing_extension,
+                        "No signature algorithms found in CertificateRequest"):
+                    yield result
+            avail_sig_algs = self._sigHashesToList(HandshakeSettings(), p_key,
+                                                   cert, version=(3, 4))
+            sig_scheme = getFirstMatching(avail_sig_algs, valid_sig_algs)
+            scheme = SignatureScheme.toRepr(sig_scheme)
+            sig_scheme = getattr(SignatureScheme, scheme)
+
+            signature_context = \
+                KeyExchange.calcVerifyBytes((3, 4),
+                                            handshake_context,
+                                            sig_scheme, None, None, None,
+                                            prf_name, b'client')
+
+            if sig_scheme[1] == SignatureAlgorithm.ecdsa:
+                pad_type = None
+                hash_name = HashAlgorithm.toRepr(sig_scheme[0])
+                salt_len = None
+            else:
+                pad_type = SignatureScheme.getPadding(scheme)
+                hash_name = SignatureScheme.getHash(scheme)
+                salt_len = getattr(hashlib, hash_name)().digest_size
+
+            signature = p_key.sign(signature_context,
+                                   pad_type,
+                                   hash_name,
+                                   salt_len)
+            if not p_key.verify(signature, signature_context,
+                                pad_type,
+                                hash_name,
+                                salt_len):
+                for result in self._sendError(
+                        AlertDescription.internal_error,
+                        "Certificate Verify signature failed"):
+                    yield result
+            certificate_verify = CertificateVerify(self.version)
+            certificate_verify.create(signature, sig_scheme)
+
+            msgs.append(certificate_verify)
+            handshake_context.update(certificate_verify.write())
+
+        finished_key = HKDF_expand_label(self.session.cl_app_secret,
+                                         b"finished", b"",
+                                         prf_size, prf_name)
+        verify_data = secureHMAC(finished_key,
+                                 handshake_context.digest(prf_name),
+                                 prf_name)
+
+        finished = Finished((3, 4), prf_size)
+        finished.create(verify_data)
+        msgs.append(finished)
+
+        for result in self._sendMsgs(msgs):
+            yield result
+
     def _shutdown(self, resumable):
         self._recordLayer.shutdown()
         self.version = (0,0)