tls-attacker / TLS-Attacker

TLS-Attacker is a Java-based framework for analyzing TLS libraries. It can be used to manually test TLS clients and servers or as a software library for more advanced tools.
Apache License 2.0

ECDSA_SECP521R1_SHA512 not working in server mode getting DECRYPT ERROR #104

Closed. ghost closed this issue 3 years ago.

ghost commented 3 years ago

I'm trying to handshake with openssl s_client -connect 127.0.0.1:54000 -msg -tls1_3 -sigalgs ecdsa_secp521r1_sha512

In the server code:

package TLS13.samples;

import de.rub.nds.tlsattacker.core.certificate.CertificateKeyPair;
import de.rub.nds.tlsattacker.core.certificate.PemUtil;
import de.rub.nds.tlsattacker.core.config.Config;
import de.rub.nds.tlsattacker.core.connection.InboundConnection;
import de.rub.nds.tlsattacker.core.constants.CipherSuite;
import de.rub.nds.tlsattacker.core.constants.HandshakeMessageType;
import de.rub.nds.tlsattacker.core.constants.NamedGroup;
import de.rub.nds.tlsattacker.core.constants.ProtocolVersion;
import de.rub.nds.tlsattacker.core.constants.RunningModeType;
import de.rub.nds.tlsattacker.core.constants.SignatureAndHashAlgorithm;
import de.rub.nds.tlsattacker.core.exceptions.WorkflowExecutionException;
import de.rub.nds.tlsattacker.core.state.State;
import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutor;
import de.rub.nds.tlsattacker.core.workflow.WorkflowExecutorFactory;
import de.rub.nds.tlsattacker.core.workflow.WorkflowTraceUtil;
import org.apache.logging.log4j.Level;
import org.apache.logging.log4j.core.config.Configurator;
// Explicit import instead of org.bouncycastle.crypto.tls.*: that package has its own
// CipherSuite and SignatureAndHashAlgorithm classes that would shadow the TLS-Attacker ones.
import org.bouncycastle.crypto.tls.Certificate;
import org.bouncycastle.jce.provider.BouncyCastleProvider;

import java.io.FileInputStream;
import java.io.IOException;
import java.security.PrivateKey;
import java.security.Security;
import java.security.cert.CertificateException;
import java.util.LinkedList;
import java.util.List;

public class Server {

    public static void main(String[] args) throws IOException, CertificateException {
        Configurator.setAllLevels("", Level.DEBUG);
        Security.addProvider(new BouncyCastleProvider());

        // Act as a TLS server listening on port 54000.
        Config conf = Config.createConfig();
        InboundConnection inboundConnection = conf.getDefaultServerConnection();
        inboundConnection.setPort(54000);
        conf.setDefaultRunningMode(RunningModeType.SERVER);

        // P-521 certificate with its matching private key; disable automatic
        // certificate selection so exactly this pair is presented.
        Certificate readCertificate = PemUtil.readCertificate(new FileInputStream("resources/p521crt.pem"));
        PrivateKey privateKey = PemUtil.readPrivateKey(new FileInputStream("resources/p521key.pem"));
        conf.setDefaultExplicitCertificateKeyPair(new CertificateKeyPair(readCertificate, privateKey));

        conf.setAutoSelectCertificate(false);

        conf.setDefaultServerConnection(inboundConnection);
        conf.setQuickReceive(false);

        // TLS 1.3 AEAD cipher suites only.
        List<CipherSuite> cipherSuiteList = new LinkedList<>();
        cipherSuiteList.add(CipherSuite.TLS_AES_256_GCM_SHA384);
        cipherSuiteList.add(CipherSuite.TLS_AES_128_GCM_SHA256);
        conf.setDefaultServerSupportedCiphersuites(cipherSuiteList);

        // Signature algorithms the server may use for CertificateVerify.
        List<SignatureAndHashAlgorithm> signatureAndHashAlgorithms = new LinkedList<>();
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.ECDSA_SHA256);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.ECDSA_SHA384);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.ECDSA_SHA512);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA256);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA384);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.RSA_PSS_RSAE_SHA512);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA256);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA384);
        signatureAndHashAlgorithms.add(SignatureAndHashAlgorithm.RSA_PSS_PSS_SHA512);
        conf.setDefaultServerSupportedSignatureAndHashAlgorithms(signatureAndHashAlgorithms);

        // Key-exchange groups accepted for the key_share extension.
        List<NamedGroup> namedGroups = new LinkedList<>();
        namedGroups.add(NamedGroup.SECP256R1);
        namedGroups.add(NamedGroup.SECP384R1);
        namedGroups.add(NamedGroup.SECP521R1);
        namedGroups.add(NamedGroup.ECDH_X25519);
        namedGroups.add(NamedGroup.ECDH_X448);
        conf.setDefaultServerNamedGroups(namedGroups);

        // TLS 1.3 only.
        conf.setHighestProtocolVersion(ProtocolVersion.TLS13);
        conf.setSupportedVersions(ProtocolVersion.TLS13);

        conf.setEnforceSettings(false);
        conf.setEarlyStop(true);
        conf.setStopReceivingAfterFatal(true);
        conf.setStopActionsAfterFatal(true);
        conf.setAddECPointFormatExtension(false);
        conf.setAddEllipticCurveExtension(false);
        conf.setAddSignatureAndHashAlgorithmsExtension(false);
        conf.setAddSupportedVersionsExtension(true);
        conf.setAddKeyShareExtension(true);
        conf.setAddServerNameIndicationExtension(false);
        conf.setAddRenegotiationInfoExtension(false);
        conf.setAddCertificateStatusRequestExtension(false);
        conf.setServerSendsApplicationData(true);
        conf.setUseFreshRandom(true);

        // Run the default server workflow for this configuration.
        State state = new State(conf);
        WorkflowExecutor workflowExecutor = WorkflowExecutorFactory.createWorkflowExecutor(
                conf.getWorkflowExecutorType(), state);

        try {
            workflowExecutor.executeWorkflow();
        } catch (WorkflowExecutionException ex) {
            System.out.println("The TLS protocol flow was not executed completely, follow the debug messages for more information.");
            System.out.println(ex.getLocalizedMessage());
        }

        if (!WorkflowTraceUtil.didReceiveMessage(HandshakeMessageType.CLIENT_HELLO, state.getWorkflowTrace())) {
            System.out.println("Did not receive Client hello");
        } else {
            System.out.println("Received Client hello");
        }
    }
}

With this I'm getting a fatal decrypt error.

With openssl s_server I'm able to do the handshake.

Let me know if I missed something.

Attached debug log: ecdsa_sha512_debug.log

ic0ns commented 3 years ago

And other signature and hash algorithms work? Only SHA512 is not working?

ghost commented 3 years ago

With my above code:

Working: RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384, RSA_PSS_RSAE_SHA512

Not working: ECDSA_SHA384, ECDSA_SHA512, RSA_PSS_PSS_SHA256, RSA_PSS_PSS_SHA384, RSA_PSS_PSS_SHA512

These signature algorithms are also not working in TLS 1.2 and TLS 1.3 server mode, and I'm loading the corresponding certificate and key for every signature algorithm.

ic0ns commented 3 years ago

I think the PSS_PSS ones should not work in the public release, as they are not implemented there yet. But AFAIK ECDSA should; do you have an idea @mmaehren?

mmaehren commented 3 years ago

Looking through the commits of our development branch, I think this was caused by the KeyGenerator always using the defaultEcCertificateCurve from the Config instead of the curve defined in the certificate. This should be the case here, as the default group for this is SECP256R1 and the length of the signature (71) seems plausible for this. Unless I'm missing anything, applying the fix should consist of these changes: (before you do this, you could change the value of defaultEcCertificateCurve first to test if this suffices)

  1. Replace the getECPrivateKey method in KeyGenerator class
    public static ECPrivateKey getECPrivateKey(Chooser chooser) {
        if (chooser.getConnectionEndType() == ConnectionEndType.CLIENT) {
            return new CustomECPrivateKey(chooser.getClientEcPrivateKey(), chooser.getEcCertificateCurve());
        } else {
            return new CustomECPrivateKey(chooser.getServerEcPrivateKey(), chooser.getEcCertificateCurve());
        }
    }
  2. Replace the getEcCertificateCurve method of the DefaultChooser class
    public NamedGroup getEcCertificateCurve() {
        if (context.getEcCertificateCurve() != null) {
            return context.getEcCertificateCurve();
        } else {
            return config.getDefaultEcCertificateCurve();
        }
    }
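The diagnosis above rests on one observation: a 71-byte signature is the size ECDSA produces on P-256, while a P-521 key yields roughly 137-139 bytes, and a client that cannot verify CertificateVerify answers with decrypt_error. The following stand-alone Python check, added here as an example and not code from this issue or from TLS-Attacker, makes that comparison explicit: it reads the curve named in the certificate's SubjectPublicKeyInfo, reads the DER ECDSA-Sig-Value (for instance copied from the CertificateVerify bytes in `openssl s_client -msg` output) to see which scalar size it carries, and reports a mismatch. The curve table, OID constants, `make_spki` placeholder key and the sample signatures are constructed inputs; all function names are my own.

```python
"""Which curve was a TLS 1.3 CertificateVerify signature really made with? Compare the
curve named in the certificate's SubjectPublicKeyInfo with the scalar size in the signature."""

CURVE_SCALAR_BYTES = {"secp256r1": 32, "secp384r1": 48, "secp521r1": 66}  # ceil(order bits / 8)
CURVE_OIDS = {  # DER OID contents (without tag/length)
    bytes.fromhex("2a8648ce3d030107"): "secp256r1",  # 1.2.840.10045.3.1.7
    bytes.fromhex("2b81040022"): "secp384r1",        # 1.3.132.0.34
    bytes.fromhex("2b81040023"): "secp521r1",        # 1.3.132.0.35
}
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")   # 1.2.840.10045.2.1

def _read_tlv(buf, pos=0):
    """Parse one DER TLV at buf[pos:]; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: 0x8N followed by N length bytes
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad long-form length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("TLV value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(lb)]) + lb

def _der_int(x):
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    b = b"\x00" + b if b[0] & 0x80 else b  # leading 0x00 keeps the INTEGER positive
    return b"\x02" + _der_len(len(b)) + b

def der_encode_sig(r, s):
    """Encode ECDSA-Sig-Value ::= SEQUENCE { r INTEGER, s INTEGER }."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + _der_len(len(body)) + body

def parse_ecdsa_sig_value(sig):
    """Decode a DER ECDSA-Sig-Value into (r, s); reject anything that is not strict DER."""
    tag, body, end = _read_tlv(sig)
    if tag != 0x30 or end != len(sig):
        raise ValueError("not a single DER SEQUENCE")
    tag_r, r, pos = _read_tlv(body)
    tag_s, s, pos = _read_tlv(body, pos)
    if tag_r != 0x02 or tag_s != 0x02 or pos != len(body):
        raise ValueError("SEQUENCE must hold exactly two INTEGERs")
    for b in (r, s):
        if not b or b[0] & 0x80:
            raise ValueError("empty or negative INTEGER")
        if len(b) > 1 and b[0] == 0 and not b[1] & 0x80:
            raise ValueError("INTEGER not minimally encoded")
    return int.from_bytes(r, "big"), int.from_bytes(s, "big")

def is_strict_der_sig(sig):
    try:
        return parse_ecdsa_sig_value(sig) is not None
    except ValueError:
        return False

def signature_curve(sig):
    """Curve whose scalar size matches r and s, or None. r and s are uniform below the
    order, so they are at most two bytes short of the scalar size except with negligible
    probability: 71 bytes overall means 32-byte scalars (P-256); P-521 gives ~137-139."""
    r, s = parse_ecdsa_sig_value(sig)
    need = max((r.bit_length() + 7) // 8, (s.bit_length() + 7) // 8)
    for name, n in CURVE_SCALAR_BYTES.items():
        if n - 2 <= need <= n:
            return name
    return None

def curve_from_spki(spki):
    """Named curve from an EC SubjectPublicKeyInfo (RFC 5480 layout)."""
    tag, body, end = _read_tlv(spki)
    if tag != 0x30 or end != len(spki):
        raise ValueError("SPKI is not a single SEQUENCE")
    tag_a, alg, _ = _read_tlv(body)  # AlgorithmIdentifier { id-ecPublicKey, namedCurve }
    tag_o, oid, pos = _read_tlv(alg)
    tag_c, curve_oid, _ = _read_tlv(alg, pos)
    if (tag_a, tag_o, tag_c) != (0x30, 0x06, 0x06) or oid != ID_EC_PUBLIC_KEY:
        raise ValueError("AlgorithmIdentifier is not id-ecPublicKey with a namedCurve")
    if curve_oid not in CURVE_OIDS:
        raise ValueError("unsupported namedCurve OID")
    return CURVE_OIDS[curve_oid]

def make_spki(curve):
    """Constructed test input: an SPKI naming `curve` around a placeholder point
    (0x04 || zeros); it parses like a real one but is not a real public key."""
    oid = next(k for k, v in CURVE_OIDS.items() if v == curve)
    alg_body = b"\x06" + _der_len(7) + ID_EC_PUBLIC_KEY + b"\x06" + _der_len(len(oid)) + oid
    alg = b"\x30" + _der_len(len(alg_body)) + alg_body
    point = b"\x04" + b"\x00" * (2 * CURVE_SCALAR_BYTES[curve])
    bits = b"\x03" + _der_len(len(point) + 1) + b"\x00" + point  # 0 unused bits
    return b"\x30" + _der_len(len(alg) + len(bits)) + alg + bits

def certificate_verify_consistent(spki, sig):
    """Return (curve in certificate, curve implied by signature, whether they agree)."""
    cert_curve, sig_curve = curve_from_spki(spki), signature_curve(sig)
    return cert_curve, sig_curve, cert_curve == sig_curve
```

`certificate_verify_consistent(make_spki("secp521r1"), der_encode_sig(2**255, 2**254))` reproduces the case in this issue: the certificate names secp521r1 but the 71-byte signature is P-256-sized, so the tuple ends in `False`. On a real capture, pass the certificate's SPKI DER and the signature bytes from CertificateVerify instead of the constructed inputs.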
ghost commented 3 years ago

Working as expected with @mmaehren's patch. 👍🏼

If possible, can you please give access to the development branch, so we can test our TLS project?

ic0ns commented 3 years ago

Yes, I think for this release we can provide early access. You can find it here: https://github.com/tls-attacker/TLS-Attacker/tree/dev