Merge pull request #1797 from atroost/hex2curves

Hex2curves
Dirk Wetter 2020-12-03 12:44:21 +01:00 committed by GitHub
commit f6e2a5c381
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 86 additions and 1 deletions


@ -28,6 +28,8 @@ If you want to check trust against e.g. a company internal CA you need to use ``
* ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS * ``cipher-mapping.txt`` contains information about all of the cipher suites defined for SSL/TLS
* ``curves-mapping.txt`` contains information about all of the eliptic curves defined by IANA
* ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use * ``ca_hashes.txt`` is used for HPKP test in order to have a fast comparison with known CAs. Use
``~/utils/create_ca_hashes.sh`` for an update ``~/utils/create_ca_hashes.sh`` for an update


@ -14,7 +14,7 @@ The whole process is done manually.
* Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream. * Retrieve "handshakebytes" by marking the Record Layer --> Copy --> As a hex stream.
* Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here) * Figure out "protos" and "tlsvers" by looking at the supported_versions TLS extension (43=0x002b). May work only on modern clients. Be careful as some do not list all TLS versions here (OpenSSL 1.1.1 lists only TLS 1.2/1.3 here)
* Adjust "lowest_protocol" and "highest_protocol" accordingly. * Adjust "lowest_protocol" and "highest_protocol" accordingly.
* Get "curves" from at the supported groups TLS extension 10 = 0x00a. Omit any GREASE. * For "curves" mark the supported groups TLS extension --> Copy --> As a hex stream, remove any leading GREASE ciphers (?a?a) and supply it to `~/utils/hexstream2curves.sh`
* Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010). * Retrieve "alpn" by looking at the alpn TLS extension 16 (=0x0010).
* Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true * Review TLS extension 13 (=0x000d) whether any SHA1 signature algorithm is listed. If not "requiresSha2" is true
* Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle * Leave "maxDhBits"/"minDhBits" and "minRsaBits"/"maxRsaBits" at -1, unless you know for sure what the client can handle

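--- a/etc/curves-mapping.txt
+++ b/etc/curves-mapping.txt
@@ -0,0 +1,47 @@
+0x00,0x00 - NULL TPM_ECC_NONE
+0x00,0x01 - sect163k1 sect163k1
+0x00,0x02 - sect163r1 sect163r1
+0x00,0x03 - sect163r2 sect163r2
+0x00,0x04 - sect193r1 sect193r1
+0x00,0x05 - sect193r2 sect193r2
+0x00,0x06 - sect233k1 sect233k1
+0x00,0x07 - sect233r1 sect233r1
+0x00,0x08 - sect239k1 sect239k1
+0x00,0x09 - sect283k1 sect283k1
+0x00,0x0a - sect283r1 sect283r1
+0x00,0x0b - sect409k1 sect409k1
+0x00,0x0c - sect409r1 sect409r1
+0x00,0x0d - sect571k1 sect571k1
+0x00,0x0e - sect571r1 sect571r1
+0x00,0x0f - secp160k1 secp160k1
+0x00,0x10 - secp160r1 secp160r1
+0x00,0x11 - secp160r2 secp160r2
+0x00,0x12 - secp192k1 secp192k1
+0x00,0x13 - secp192r1 secp192r1
+0x00,0x14 - secp224k1 secp224k1
+0x00,0x15 - secp224r1 secp224r1
+0x00,0x16 - secp256k1 secp256k1
+0x00,0x17 - secp256r1 secp256r1
+0x00,0x18 - secp384r1 secp384r1
+0x00,0x19 - secp521r1 secp521r1
+0x00,0x1a - brainpoolP256r1 brainpoolP256r1
+0x00,0x1b - brainpoolP384r1 brainpoolP384r1
+0x00,0x1c - brainpoolP512r1 brainpoolP512r1
+0x00,0x1d - x25519 x25519
+0x00,0x1e - x448 x448
+0x00,0x1f - brainpoolP256r1tls13 brainpoolP256r1tls13
+0x00,0x20 - brainpoolP384r1tls13 brainpoolP384r1tls13
+0x00,0x21 - brainpoolP512r1tls13 brainpoolP512r1tls13
+0x00,0x22 - GC256A GC256A
+0x00,0x23 - GC256B GC256B
+0x00,0x24 - GC256C GC256C
+0x00,0x25 - GC256D GC256D
+0x00,0x26 - GC512A GC512A
+0x00,0x27 - GC512B GC512B
+0x00,0x28 - GC512C GC512C
+0x00,0x29 - curveSM2 curveSM2
+0x00,0x100 - ffdhe2048 ffdhe2048
+0x00,0x101 - ffdhe3072 ffdhe3072
+0x00,0x102 - ffdhe4096 ffdhe4096
+0x00,0x103 - ffdhe6144 ffdhe6144
+0x00,0x104 - ffdhe8192 ffdhe8192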
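Review bot: The five ffdhe rows at the end are written as `0x00,0x100` through `0x00,0x104`, which is not the two-byte `0xHH,0xLL` form every other row uses; the 16-bit code points 0x0100–0x0104 would read `0x01,0x00 - ffdhe2048 ffdhe2048` through `0x01,0x04 - ffdhe8192 ffdhe8192`. utils/hexstream2curves.sh in this same commit builds its lookup key from two 2-digit bytes, so a client's `0100` group is searched as `0x01,0x00` and resolves to nothing. The key `0x00,0x10` (secp160r1), on the other hand, prefix-matches all five ffdhe rows. The result is a client-simulation "curves" list that silently drops or mislabels groups, which would skew what the scanner later reports for that client.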

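--- a/utils/hexstream2curves.sh
+++ b/utils/hexstream2curves.sh
@@ -0,0 +1,36 @@
+#!/bin/bash
+hs="$1"
+len=${#hs}
+echo "# curves: $((len/4))"
+mapfile="etc/curves-mapping.txt"
+[ -s $mapfile ] || mapfile="../$mapfile"
+[ -s $mapfile ] || exit 255
+cur=""
+first=true
+for ((i=0; i<len ; i+=4)); do
+printf "%02d" "$i"
+echo -n ": ${hs:$i:4}"
+grepstr="0x${hs:$i:2},0x${hs:$((i+2)):2}"
+echo -n " --> $grepstr --> "
+cur=$(grep -i -E "^ *${grepstr}" $mapfile | awk '{ print $3 }')
+if [[ $grepstr == 0x00,0xff ]]; then
+echo TPM_ECC_NONE
+else
+echo $cur
+fi
+if "$first"; then
+curves="$cur"
+first=false
+else
+curves="$curves:$cur"
+fi
+done
+echo
+# remove leading : because of GREASE, and trailing because of TPM_ECC_NONE
+curves="${curves%:}"
+echo ${curves#:}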
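Review bot: The lookup on the `cur=$(grep -i -E "^ *${grepstr}" ...)` line interpolates `$1` into an extended regex with no validation and nothing terminating the key. A non-hex argument therefore changes the pattern, and the key `0x00,0x10` also matches the `0x00,0x100`–`0x00,0x104` rows of etc/curves-mapping.txt, putting several names into `cur`. Rejecting anything but whole 16-bit hex groups up front would close this, `[[ $hs =~ ^([0-9A-Fa-f]{4})+$ ]] || { echo "usage: $0 <hexstream>" >&2; exit 1; }`, together with an exact comparison of the first field, `cur=$(awk -v k="$grepstr" 'tolower($1) == tolower(k) { print $3 }' "$mapfile")`. `$mapfile` and `$cur` are also unquoted in the `[ -s ... ]` tests and the `echo` lines, and `exit 255` prints no message when the mapping file is not found. An unmatched group in the middle of the stream leaves an empty field (`::`) in the final list, since only the leading and trailing colons are stripped.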