ECDSA support for l_parse_ssl_certificate

[Brandon Paulsen <pauls658 () d umn edu>]

Hello list!

I'm scraping the github issue list for something I can do this summer to
contribute to nmap, and I've been looking into issue 173 [1].

Solving this issue is trivial for servers that use ECDHE. In this type of
key exchange, the server will send a SeverKeyExchange TLS record which can
be parsed for the curve name using the key exchange functions found in
nselib/tls.lua (namely unpack_ecdhparams). In addition, the function
supports extracting parameters for non-named curves.

The solution isn't as trivial when the server uses ECDH ECDSA. In this type
of key exchange, the server sends the exchange parameters (for non-named
curves) or the curve name (for named curves) in the certificate. As far as
I can tell, nmap doesn't have any functions in its lua library for
extracting these parameters from a certificate. The NSE uses C for parsing
certificates so that it can use the openssl API. The function that does the
parsing is l_parse_ssl_certificate found in nse_ssl_cert.cc. I've already
altered this function to extract the curve name, and I'd like to write a
patch that works for all types of curves and returns them in a lua object
structured similarly to the one that unpack_ecdhparams returns. That is,
the object returned by get_ssl_certificate found in sslcert.lua would have
an additional member in pubkey called ecdhparams (if ECDH is being used)
like so:

-- subject = { commonName = "...", countryName = "...",
--             { "2", "5", "4", "15" } = "...", ... },subject = {
commonName = "...", countryName = "...",
--             { "2", "5", "4", "15" } = "...", ... },
-- issuer = { commonName = "...", ... },
-- pubkey = { type = "ec", bits = 256, ecdhparams = { ec_curve_type =
"...", ... } },
-- validity = { notBefore = { year = 2020, month = 5, day = 5,
--                            hour = 0, min = 0, sec = 0 },
--              notAfter = { year = 2021, month = 5, day = 5,
--                           hour = 0, min = 0, sec = 0 } },
-- pem = "-----BEGIN CERTIFICATE-----\nMIIFxzCCBK+gAwIBAgIQX02QuADDB7CVj..."


Thoughts? Suggestions? Is this something the nmap community would like to
have? The implementation would be relatively straight simple because the
openssl API provides functions for parsing the ecdh parameters.

Brandon

[1] https://github.com/nmap/nmap/issues/173

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/