crypto/tls: don't advertise TLS 1.2-only sigAlgs in TLS 1.3

If a ClientHello only supports TLS 1.3, or if a CertificateRequest is sent after selecting TLS 1.3, we should not advertise TLS 1.2-only signature_algorithms like PKCS#1 v1.5 or SHA-1. However, since crypto/x509 still supports PKCS#1 v1.5, and a direct CertPool match might not care about the signature in the certificate at all, start sending a separate signature_algorithms_cert extension to indicate support for PKCS#1 v1.5 and SHA-1 in certificates. We were already correctly rejecting these algorithms if the peer selected them in a TLS 1.3 connection. Updates #72883 Change-Id: I6a6a4656ab60e1b7fb20fdedc32604dc156953ae Reviewed-on: https://go-review.googlesource.com/c/go/+/658215 Reviewed-by: Roland Shoemaker <roland@golang.org> Reviewed-by: David Chase <drchase@google.com> Auto-Submit: Filippo Valsorda <filippo@golang.org> LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
author: Filippo Valsorda <filippo@golang.org> 2025-03-15 12:12:22 +0100
committer: Gopher Robot <gobot@golang.org> 2025-05-21 14:18:04 -0700
commit: e90acc814de247f58330be1d8ba3b11c78c96077 (patch)
tree: a56fd0ac07eab3c8e1155da0b1d182ab151aa589 /src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
parent: 33d3f603c19f46e6529483230465cd6f420ce23b (diff)
download: go-e90acc814de247f58330be1d8ba3b11c78c96077.tar.xz
1 files changed, 49 insertions, 47 deletions
diff --git a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
index de57515d38..7356bfebfc 100644
--- a/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
+++ b/src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
@@ -1,5 +1,5 @@
 >>> Flow 1 (client to server)
-00000000  16 03 01 00 fe 01 00 00  fa 03 03 00 00 00 00 00  |................|
+00000000  16 03 01 01 1c 01 00 01  18 03 03 00 00 00 00 00  |................|
 00000010  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
 00000020  00 00 00 00 00 00 00 00  00 00 00 20 00 00 00 00  |........... ....|
 00000030  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
@@ -7,21 +7,23 @@
 00000050  cc a8 c0 2b c0 2f c0 2c  c0 30 c0 09 c0 13 c0 0a  |...+./.,.0......|
 00000060  c0 14 00 9c 00 9d 00 2f  00 35 c0 12 00 0a c0 23  |......./.5.....#|
 00000070  c0 27 00 3c c0 07 c0 11  00 05 13 03 13 01 13 02  |.'.<............|
-00000080  01 00 00 7f 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
+00000080  01 00 00 9d 00 0b 00 02  01 00 ff 01 00 01 00 00  |................|
 00000090  17 00 00 00 12 00 00 00  05 00 05 01 00 00 00 00  |................|
 000000a0  00 0a 00 0a 00 08 00 1d  00 17 00 18 00 19 00 0d  |................|
 000000b0  00 1a 00 18 08 04 04 03  08 07 08 05 08 06 04 01  |................|
-000000c0  05 01 06 01 05 03 06 03  02 01 02 03 00 2b 00 09  |.............+..|
-000000d0  08 03 04 03 03 03 02 03  01 00 33 00 26 00 24 00  |..........3.&.$.|
-000000e0  1d 00 20 2f e5 7d a3 47  cd 62 43 15 28 da ac 5f  |.. /.}.G.bC.(.._|
-000000f0  bb 29 07 30 ff f6 84 af  c4 cf c2 ed 90 99 5f 58  |.).0.........._X|
-00000100  cb 3b 74                                          |.;t|
+000000c0  05 01 06 01 05 03 06 03  02 01 02 03 00 32 00 1a  |.............2..|
+000000d0  00 18 08 04 04 03 08 07  08 05 08 06 04 01 05 01  |................|
+000000e0  06 01 05 03 06 03 02 01  02 03 00 2b 00 09 08 03  |...........+....|
+000000f0  04 03 03 03 02 03 01 00  33 00 26 00 24 00 1d 00  |........3.&.$...|
+00000100  20 2f e5 7d a3 47 cd 62  43 15 28 da ac 5f bb 29  | /.}.G.bC.(.._.)|
+00000110  07 30 ff f6 84 af c4 cf  c2 ed 90 99 5f 58 cb 3b  |.0.........._X.;|
+00000120  74                                                |t|
 >>> Flow 2 (server to client)
-00000000  16 03 03 00 5d 02 00 00  59 03 03 f8 3d 7c a4 a8  |....]...Y...=|..|
-00000010  11 e3 56 0f 1c 7e 2e 7c  50 7e 75 5c de 1c 51 8e  |..V..~.|P~u\..Q.|
-00000020  de d3 8a 84 d2 90 84 f9  e9 07 d5 20 98 6a a8 c1  |........... .j..|
-00000030  f4 28 bd 0f 6a 25 a5 26  3d 8d 35 b6 3e bb 77 c6  |.(..j%.&=.5.>.w.|
-00000040  8e ab 36 bd 7d c8 a9 b1  5b 30 0f b2 c0 2f 00 00  |..6.}...[0.../..|
+00000000  16 03 03 00 5d 02 00 00  59 03 03 26 62 0d 9d 45  |....]...Y..&b..E|
+00000010  3d 25 b7 ed ec ce b8 d6  8f fd a6 68 0b 07 05 28  |=%.........h...(|
+00000020  d4 2a 9c d9 cf bf e9 a0  92 71 6f 20 18 af a0 13  |.*.......qo ....|
+00000030  72 10 57 69 cf 63 db 73  c4 44 b8 a9 27 cd 9a a0  |r.Wi.c.s.D..'...|
+00000040  3b be f1 57 ef 10 19 80  0b c0 51 94 c0 2f 00 00  |;..W......Q../..|
 00000050  11 ff 01 00 01 00 00 0b  00 04 03 00 01 02 00 17  |................|
 00000060  00 00 16 03 03 02 59 0b  00 02 55 00 02 52 00 02  |......Y...U..R..|
 00000070  4f 30 82 02 4b 30 82 01  b4 a0 03 02 01 02 02 09  |O0..K0..........|
@@ -61,18 +63,18 @@
 00000290  73 bb b3 43 77 8d 0c 1c  f1 0f a1 d8 40 83 61 c9  |s..Cw.......@.a.|
 000002a0  4c 72 2b 9d ae db 46 06  06 4d f4 c1 b3 3e c0 d1  |Lr+...F..M...>..|
 000002b0  bd 42 d4 db fe 3d 13 60  84 5c 21 d3 3b e9 fa e7  |.B...=.`.\!.;...|
-000002c0  16 03 03 00 ac 0c 00 00  a8 03 00 1d 20 5f c1 31  |............ _.1|
-000002d0  d7 64 f0 0b 72 6a 66 2c  49 d7 d1 9c dd 6f e3 3a  |.d..rjf,I....o.:|
-000002e0  ab 2c 78 6d ca b0 ed 16  26 65 9f ff 66 08 04 00  |.,xm....&e..f...|
-000002f0  80 a6 91 d0 03 b8 d2 67  48 69 16 8e 30 dc 5b 3f  |.......gHi..0.[?|
-00000300  ac 4d e4 33 5f 46 e7 0c  49 a0 71 9d 8c 60 63 f2  |.M.3_F..I.q..`c.|
-00000310  2d ff 9e 89 21 7d af 71  ce 41 6b d2 22 fc 1f bd  |-...!}.q.Ak."...|
-00000320  a9 9e 15 2c d7 c3 cb 69  6d df 23 07 7c 13 e9 2b  |...,...im.#.|..+|
-00000330  7d 05 f0 18 1e 86 c8 37  ad cd 9e 39 26 0c 8a 9b  |}......7...9&...|
-00000340  12 90 60 12 95 06 e9 bb  f2 46 41 20 10 f5 64 ea  |..`......FA ..d.|
-00000350  66 13 cb 8e 51 7e 41 78  2a 40 fa 15 e2 0d 5b 37  |f...Q~Ax*@....[7|
-00000360  a7 a8 4a f6 8e 93 82 2a  a2 91 06 66 4e 49 72 68  |..J....*...fNIrh|
-00000370  f9 16 03 03 00 3a 0d 00  00 36 03 01 02 40 00 2e  |.....:...6...@..|
+000002c0  16 03 03 00 ac 0c 00 00  a8 03 00 1d 20 22 fe 67  |............ ".g|
+000002d0  48 d3 90 04 ee 7d c2 2a  6d 9f 3a 36 3c b2 f8 14  |H....}.*m.:6<...|
+000002e0  24 76 54 5a ae ed 2f 62  fc 76 e0 00 07 08 04 00  |$vTZ../b.v......|
+000002f0  80 6d 8b e6 52 be ed 40  b8 b1 51 53 94 08 93 76  |.m..R..@..QS...v|
+00000300  9b 84 06 66 60 b9 be a8  f1 bb 5d fa 81 42 28 8e  |...f`.....]..B(.|
+00000310  aa ce 72 9f df a3 53 2d  c9 6d 34 10 78 36 da 33  |..r...S-.m4.x6.3|
+00000320  09 0c a0 5e ea 56 2e 6f  62 fc 3c 5e 5b 6d 97 c9  |...^.V.ob.<^[m..|
+00000330  39 1b 3c eb 6d 1f 0a b5  02 06 6d 9e 99 24 14 ee  |9.<.m.....m..$..|
+00000340  f9 55 cc 4d 7f 77 0c 58  2c 59 0f a4 66 4b 81 b4  |.U.M.w.X,Y..fK..|
+00000350  d9 e4 f6 24 4f ba 05 83  6c c3 6c 2f 5e 74 42 09  |...$O...l.l/^tB.|
+00000360  b3 be d1 c9 6a c8 a6 34  5c bc 36 65 58 cd 02 ae  |....j..4\.6eX...|
+00000370  16 16 03 03 00 3a 0d 00  00 36 03 01 02 40 00 2e  |.....:...6...@..|
 00000380  04 03 05 03 06 03 08 07  08 08 08 09 08 0a 08 0b  |................|
 00000390  08 04 08 05 08 06 04 01  05 01 06 01 03 03 02 03  |................|
 000003a0  03 01 02 01 03 02 02 02  04 02 05 02 06 02 00 00  |................|
@@ -113,28 +115,28 @@
 00000200  e4 fa cc b1 8a ce e2 23  a0 87 f0 e1 67 51 eb 16  |.......#....gQ..|
 00000210  03 03 00 25 10 00 00 21  20 2f e5 7d a3 47 cd 62  |...%...! /.}.G.b|
 00000220  43 15 28 da ac 5f bb 29  07 30 ff f6 84 af c4 cf  |C.(.._.).0......|
-00000230  c2 ed 90 99 5f 58 cb 3b  74 16 03 03 00 93 0f 00  |...._X.;t.......|
-00000240  00 8f 04 03 00 8b 30 81  88 02 42 01 0f 51 5e 59  |......0...B..Q^Y|
-00000250  78 34 8f 99 03 da 07 66  3b 0d 48 b2 79 57 e2 d5  |x4.....f;.H.yW..|
-00000260  d2 c2 f3 81 8e 25 98 81  e2 9a f7 1f 02 99 b0 7d  |.....%.........}|
-00000270  1c d1 1f e4 ef d7 bc a1  ad 67 c7 a9 cc 4f 67 58  |.........g...OgX|
-00000280  8b 1e 8c 3f 04 73 31 53  60 aa 67 33 27 02 42 01  |...?.s1S`.g3'.B.|
-00000290  f1 66 ba 8f ec 9e 3f 76  76 ac 7a e7 56 cb fb 46  |.f....?vv.z.V..F|
-000002a0  f4 9b 64 03 3a 72 5a d7  cf 49 39 69 26 19 68 52  |..d.:rZ..I9i&.hR|
-000002b0  8b 98 8e ea d3 8e d9 6d  93 f5 e8 23 cd 20 a8 5a  |.......m...#. .Z|
-000002c0  4c 24 10 70 bd a2 ae a3  b1 4f 38 17 dd b9 f5 93  |L$.p.....O8.....|
-000002d0  4b 14 03 03 00 01 01 16  03 03 00 28 00 00 00 00  |K..........(....|
-000002e0  00 00 00 00 e1 2b da c6  4a 5c d2 03 c0 7e f0 eb  |.....+..J\...~..|
-000002f0  a0 4b ed a1 7d e4 45 93  ec f9 37 a0 5b 7e bb 64  |.K..}.E...7.[~.d|
-00000300  af d4 fc ac                                       |....|
+00000230  c2 ed 90 99 5f 58 cb 3b  74 16 03 03 00 92 0f 00  |...._X.;t.......|
+00000240  00 8e 04 03 00 8a 30 81  87 02 42 00 8e 41 5f 48  |......0...B..A_H|
+00000250  64 4e 6e 7e 7d ed 5b da  88 7a 38 1f bd 04 ee 93  |dNn~}.[..z8.....|
+00000260  88 f8 3d e5 b7 51 4a 43  6b c5 c1 02 06 c5 2c c1  |..=..QJCk.....,.|
+00000270  48 18 2e 11 63 8a 9d 94  35 98 bc d1 d7 19 1f c0  |H...c...5.......|
+00000280  f6 dc 10 15 89 bf 99 0c  87 7d 3e bf e2 02 41 4f  |.........}>...AO|
+00000290  e3 d4 a0 b2 4d 80 ec 21  2f b3 fc df 6c b7 bd 6d  |....M..!/...l..m|
+000002a0  c7 6d 0a 7a 24 56 a4 c8  36 ec 7d 2d 65 ff 8c 4b  |.m.z$V..6.}-e..K|
+000002b0  c7 cd 52 99 f1 2d e5 19  57 89 fe 52 44 ca e0 c3  |..R..-..W..RD...|
+000002c0  34 fc c5 4a da 59 f5 62  eb c4 c5 cb 1d d7 4b 63  |4..J.Y.b......Kc|
+000002d0  14 03 03 00 01 01 16 03  03 00 28 00 00 00 00 00  |..........(.....|
+000002e0  00 00 00 5d 34 16 3d d0  04 3f b7 3d a2 be 20 8b  |...]4.=..?.=.. .|
+000002f0  19 20 09 7b f0 7e 52 95  e6 b8 f1 06 08 93 6b 91  |. .{.~R.......k.|
+00000300  ee fa c8                                          |...|
 >>> Flow 4 (server to client)
-00000000  14 03 03 00 01 01 16 03  03 00 28 d3 4a 1e 2b ea  |..........(.J.+.|
-00000010  26 12 c9 fd b0 7b e6 bf  e4 bb b6 d2 6b b4 3c 05  |&....{......k.<.|
-00000020  1f 6c 46 44 5e 25 e6 f9  80 c8 b9 16 19 59 68 90  |.lFD^%.......Yh.|
-00000030  5a 90 16                                          |Z..|
+00000000  14 03 03 00 01 01 16 03  03 00 28 c1 1c 19 bc 14  |..........(.....|
+00000010  d3 44 ec 5d 6e 84 c4 06  ba c2 83 00 80 ea dd 7d  |.D.]n..........}|
+00000020  9b 2e 75 c7 9d 75 40 e8  89 d1 9b 69 16 20 0b 23  |..u..u@....i. .#|
+00000030  94 48 42                                          |.HB|
 >>> Flow 5 (client to server)
-00000000  17 03 03 00 1e 00 00 00  00 00 00 00 01 35 25 df  |.............5%.|
-00000010  1f 16 81 00 e3 c4 9e 45  e2 a1 ef 54 72 66 99 3d  |.......E...Trf.=|
-00000020  30 13 25 15 03 03 00 1a  00 00 00 00 00 00 00 02  |0.%.............|
-00000030  16 a5 e9 36 c1 fb 02 d7  c8 7a aa bc aa 77 7b 5c  |...6.....z...w{\|
-00000040  4f a1                                             |O.|
+00000000  17 03 03 00 1e 00 00 00  00 00 00 00 01 20 ce 1a  |............. ..|
+00000010  b6 65 88 6d 17 9e 9c 9d  ec 36 af d3 7e fa e5 63  |.e.m.....6..~..c|
+00000020  bc 90 f0 15 03 03 00 1a  00 00 00 00 00 00 00 02  |................|
+00000030  e5 a6 0e 68 bc 75 29 7e  c1 ee 6b 3b d3 03 c8 0a  |...h.u)~..k;....|
+00000040  4d 75                                             |Mu|
author	Filippo Valsorda <filippo@golang.org>	2025-03-15 12:12:22 +0100
committer	Gopher Robot <gobot@golang.org>	2025-05-21 14:18:04 -0700
commit	e90acc814de247f58330be1d8ba3b11c78c96077 (patch)
tree	a56fd0ac07eab3c8e1155da0b1d182ab151aa589 /src/crypto/tls/testdata/Client-TLSv12-ClientCert-ECDSA-RSA
parent	33d3f603c19f46e6529483230465cd6f420ce23b (diff)
download	go-e90acc814de247f58330be1d8ba3b11c78c96077.tar.xz