Merge pull request #613 from RUB-NDS/pemCertificateDelegate

ic0ns · web-flow · commit 400459fa6790 · 2020-01-20T13:22:01.000+01:00
Pem certificate delegate
diff --git a/README.md b/README.md
@@ -1,6 +1,6 @@
 # TLS-Attacker
 
-[![release](https://img.shields.io/badge/Release-v3.3.0-blue.svg)](https://github.com/RUB-NDS/TLS-Attacker/releases)
+[![release](https://img.shields.io/badge/Release-v3.4.0-blue.svg)](https://github.com/RUB-NDS/TLS-Attacker/releases)
 ![licence](https://img.shields.io/badge/License-Apachev2-brightgreen.svg)
 [![travis](https://travis-ci.org/RUB-NDS/TLS-Attacker.svg?branch=master)](https://travis-ci.org/RUB-NDS/TLS-Attacker)
 
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateKeyPair.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/certificate/CertificateKeyPair.java
@@ -359,7 +359,7 @@ public void adjustInContext(TlsContext context, ConnectionEndType connectionEnd)
         if (privateKey != null) {
             privateKey.adjustInContext(context, connectionEnd);
         }
-        context.setSelectedGroup(publicKeyGroup);
+        context.setEcCertificateCurve(publicKeyGroup);
         if (context.getConfig().getAutoAdjustSignatureAndHashAlgorithm()) {
             // TODO rething auto selection
             SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSA;
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/delegate/CertificateDelegate.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/config/delegate/CertificateDelegate.java
@@ -11,11 +11,15 @@
 import com.beust.jcommander.Parameter;
 import com.beust.jcommander.ParameterException;
 import de.rub.nds.tlsattacker.core.certificate.CertificateKeyPair;
+import de.rub.nds.tlsattacker.core.certificate.PemUtil;
 import de.rub.nds.tlsattacker.core.config.Config;
+import de.rub.nds.tlsattacker.core.crypto.keys.CustomPrivateKey;
 import de.rub.nds.tlsattacker.core.exceptions.ConfigurationException;
+import de.rub.nds.tlsattacker.core.util.CertificateUtils;
 import de.rub.nds.tlsattacker.core.util.JKSLoader;
 import de.rub.nds.tlsattacker.transport.ConnectionEndType;
 import de.rub.nds.tlsattacker.util.KeystoreHandler;
+import java.io.File;
 import java.io.IOException;
 import java.security.KeyStore;
 import java.security.KeyStoreException;
@@ -32,6 +36,12 @@
 
 public class CertificateDelegate extends Delegate {
 
+    @Parameter(names = "-cert", description = "PEM encoded certificate file")
+    private String certificate = null;
+
+    @Parameter(names = "-key", description = "PEM encoded private key")
+    private String key = null;
+
     @Parameter(names = "-keystore", description = "Java Key Store (JKS) file to use as a certificate")
     private String keystore = null;
 
@@ -68,12 +78,56 @@ public void setAlias(String alias) {
         this.alias = alias;
     }
 
+    public String getCertificate() {
+        return certificate;
+    }
+
+    public void setCertificate(String certificate) {
+        this.certificate = certificate;
+    }
+
+    public String getKey() {
+        return key;
+    }
+
+    public void setKey(String key) {
+        this.key = key;
+    }
+
     @Override
     public void applyDelegate(Config config) {
         Map<String, String> mandatoryParameters = new HashMap<>();
         mandatoryParameters.put("keystore", keystore);
         mandatoryParameters.put("password", password);
         mandatoryParameters.put("alias", alias);
+
+        PrivateKey privateKey = null;
+        if (key != null) {
+            LOGGER.debug("Loading private key");
+            try {
+                privateKey = PemUtil.readPrivateKey(new File(key));
+                CustomPrivateKey customPrivateKey = CertificateUtils.parseCustomPrivateKey(privateKey);
+                customPrivateKey.adjustInConfig(config, ConnectionEndType.CLIENT);
+                customPrivateKey.adjustInConfig(config, ConnectionEndType.SERVER);
+
+            } catch (IOException ex) {
+                LOGGER.warn("Could not read private key", ex);
+            }
+        }
+        if (certificate != null) {
+            LOGGER.debug("Loading ceritificate");
+            try {
+                Certificate cert = PemUtil.readCertificate(new File(certificate));
+                if (privateKey != null) {
+                    config.setDefaultExplicitCertificateKeyPair(new CertificateKeyPair(cert, privateKey));
+                } else {
+                    config.setDefaultExplicitCertificateKeyPair(new CertificateKeyPair(cert));
+                }
+                config.setAutoSelectCertificate(false);
+            } catch (Exception ex) {
+                LOGGER.warn("Could not read certificate", ex);
+            }
+        }
         List<String> missingParameters = new ArrayList<>();
         for (String p : mandatoryParameters.keySet()) {
             if (mandatoryParameters.get(p) == null) {
@@ -102,7 +156,6 @@ public void applyDelegate(Config config) {
             }
             KeyStore store = KeystoreHandler.loadKeyStore(keystore, password);
             Certificate cert = JKSLoader.loadTLSCertificate(store, alias);
-            PrivateKey privateKey = null;
             privateKey = (PrivateKey) store.getKey(alias, password.toCharArray());
             CertificateKeyPair pair = new CertificateKeyPair(cert, privateKey);
             pair.adjustInConfig(config, type);
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/keys/CustomECPrivateKey.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/keys/CustomECPrivateKey.java
@@ -85,11 +85,11 @@ public void adjustInContext(TlsContext context, ConnectionEndType ownerOfKey) {
             switch (ownerOfKey) {
                 case CLIENT:
                     context.setClientEcPrivateKey(privatekey);
-                    context.setSelectedGroup(group);
+                    context.setEcCertificateCurve(group);
                     break;
                 case SERVER:
                     context.setServerEcPrivateKey(privatekey);
-                    context.setSelectedGroup(group);
+                    context.setEcCertificateCurve(group);
                     break;
                 default:
                     throw new IllegalArgumentException("Owner of Key " + ownerOfKey + " is not supported");
@@ -105,11 +105,11 @@ public void adjustInConfig(Config config, ConnectionEndType ownerOfKey) {
             switch (ownerOfKey) {
                 case CLIENT:
                     config.setDefaultClientEcPrivateKey(privatekey);
-                    config.setDefaultSelectedNamedGroup(group);
+                    config.setDefaultEcCertificateCurve(group);
                     break;
                 case SERVER:
                     config.setDefaultServerEcPrivateKey(privatekey);
-                    config.setDefaultSelectedNamedGroup(group);
+                    config.setDefaultEcCertificateCurve(group);
                     break;
                 default:
                     throw new IllegalArgumentException("Owner of Key " + ownerOfKey + " is not supported");
diff --git a/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/keys/CustomEcPublicKey.java b/TLS-Core/src/main/java/de/rub/nds/tlsattacker/core/crypto/keys/CustomEcPublicKey.java
@@ -73,11 +73,15 @@ public void adjustInContext(TlsContext context, ConnectionEndType ownerOfKey) {
             switch (ownerOfKey) {
                 case CLIENT:
                     context.setClientEcPublicKey(point);
-                    context.setSelectedGroup(group);
+                    if (group != null) {
+                        context.setEcCertificateCurve(group);
+                    }
                     break;
                 case SERVER:
                     context.setServerEcPublicKey(point);
-                    context.setSelectedGroup(group);
+                    if (group != null) {
+                        context.setEcCertificateCurve(group);
+                    }
                     break;
                 default:
                     throw new IllegalArgumentException("Owner of Key " + ownerOfKey + " is not supported");
@@ -125,11 +129,15 @@ public void adjustInConfig(Config config, ConnectionEndType ownerOfKey) {
             switch (ownerOfKey) {
                 case CLIENT:
                     config.setDefaultClientEcPublicKey(point);
-                    config.setDefaultSelectedNamedGroup(group);
+                    if (group != null) {
+                        config.setDefaultEcCertificateCurve(group);
+                    }
                     break;
                 case SERVER:
                     config.setDefaultServerEcPublicKey(point);
-                    config.setDefaultSelectedNamedGroup(group);
+                    if (group != null) {
+                        config.setDefaultEcCertificateCurve(group);
+                    }
                     break;
                 default:
                     throw new IllegalArgumentException("Owner of Key " + ownerOfKey + " is not supported");

Original file line number	Diff line number	Diff line change
`@@ -359,7 +359,7 @@ public void adjustInContext(TlsContext context, ConnectionEndType connectionEnd)`
`359`	`359`	`if (privateKey != null) {`
`360`	`360`	`privateKey.adjustInContext(context, connectionEnd);`
`361`	`361`	`}`
`362`		`- context.setSelectedGroup(publicKeyGroup);`
	`362`	`+ context.setEcCertificateCurve(publicKeyGroup);`
`363`	`363`	`if (context.getConfig().getAutoAdjustSignatureAndHashAlgorithm()) {`
`364`	`364`	`// TODO rething auto selection`
`365`	`365`	`SignatureAlgorithm signatureAlgorithm = SignatureAlgorithm.RSA;`