Explicitly check key strength of TLS channel
Categories
(Core :: Security: PSM, enhancement, P2)
Tracking
Tracking | Status | |
---|---|---|
firefox72 | --- | fixed |
People
(Reporter: mt, Assigned: kjacobs)
Details
(Whiteboard: [psm-backlog])
Attachments
(1 file, 1 obsolete file)
With delegated credentials, the key strength checks in moz::pkix aren't sufficient to ensure that all keys used in the chain of delegations are strong enough; they miss checking the final key.
We need to check the negotiated key strength as reported in the SSLChannelInfo (see bug 1563078) in addition to the keys in the certificate chain.
When we aren't using delegated credentials, this work will be duplicative, but that's OK.
Note that we will want to enable new signature schemes for delegated credentials, so it makes sense to enable a wider set of keys when doing this. Concretely, that means that we might want to allow PSS signatures from credentials that use the PSS SPKI and Ed25519, even if neither is currently enabled in the browser for other reasons.
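The gap described above, as an added example that is not code from the bug, NSS or PSM: a chain-only strength check accepts a connection whose delegated credential key is weak, while a check that also covers the negotiated authentication key rejects it. All type names, function names, sample keys and the minimum sizes (RSA 2048 bits, ECDSA 256 bits) are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* All names and thresholds here are hypothetical, for illustration only. */
typedef enum { KEY_RSA, KEY_ECDSA, KEY_ED25519 } KeyKind;
typedef struct { KeyKind kind; unsigned bits; } KeyInfo;

/* Stand-in for the handshake result: the key that authenticated the channel. */
typedef struct { KeyInfo auth_key; bool delegated; } ChannelAuth;

/* Assumed policy: RSA >= 2048 bits, ECDSA >= 256 bits, Ed25519 is fixed-size. */
static bool key_is_strong(KeyInfo k) {
    switch (k.kind) {
    case KEY_RSA:     return k.bits >= 2048;
    case KEY_ECDSA:   return k.bits >= 256;
    case KEY_ED25519: return true;
    }
    return false; /* unknown key kind: fail closed */
}

/* Chain-only check: sees certificate keys, never the delegated credential. */
static bool chain_is_strong(const KeyInfo *chain, size_t n) {
    for (size_t i = 0; i < n; i++)
        if (!key_is_strong(chain[i])) return false;
    return n > 0; /* an empty chain is never acceptable */
}

/* Combined check: chain keys plus the key the handshake actually used. */
static bool connection_is_strong(const KeyInfo *chain, size_t n,
                                 const ChannelAuth *ch) {
    return chain_is_strong(chain, n) && key_is_strong(ch->auth_key);
}

/* Constructed sample data: leaf and intermediate keys, three handshakes. */
static const KeyInfo SAMPLE_CHAIN[] = { {KEY_RSA, 2048}, {KEY_RSA, 4096} };
static const ChannelAuth WEAK_DC   = { {KEY_RSA, 1024},  true  };
static const ChannelAuth STRONG_DC = { {KEY_ECDSA, 256}, true  };
static const ChannelAuth NO_DC     = { {KEY_RSA, 2048},  false };

int main(void) {
    printf("chain only:    %d\n", chain_is_strong(SAMPLE_CHAIN, 2));
    printf("weak DC key:   %d\n", connection_is_strong(SAMPLE_CHAIN, 2, &WEAK_DC));
    printf("strong DC key: %d\n", connection_is_strong(SAMPLE_CHAIN, 2, &STRONG_DC));
    printf("no DC:         %d\n", connection_is_strong(SAMPLE_CHAIN, 2, &NO_DC));
    return 0;
}
```

In the no-DC case the negotiated key is the leaf certificate key, so the second check repeats work the chain check already did, which is the duplication the description accepts.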
Assignee | ||
Comment 1•5 years ago
|
||
This patch adds the necessary plumbing for CertVerifier to check the strength of a delegated credential key (as well as a test to confirm this ability).
Unfortunately there were some NSS changes required. Notably, we're now setting authKeyBits prior to dispatching AuthCertificate. This was already done for TLS versions prior to 1.3, but for 1.3 they're set in tls13_HandleCertificateVerify, which is too late. Since we have the DC after receiving the Certificate message, it seems reasonable to reference it earlier. The alternate way to do this would be to check the DC strength in a callback (e.g. HandshakeCallback), but it seems preferable to avoid splitting up the logic like this. The scheme/authType mapping is also rather unfortunate.
The NSS changes are included in this patch, primarily for feedback on the approach as a whole.
Any and all feedback welcome, especially on the inline FIXME comments.
Assignee | ||
Comment 2•5 years ago
|
||
This patch adjusts where we set authKeyBits (et al.) for TLS 1.3, such that CertVerifier can check the strength of a delegated credential keypair. The entire NSS+PSM changeset is in D47181, where NSS changes will be removed in favor of this revision.
This has not yet gone through a Try run, but I'd appreciate early feedback on whether there are any major issues with these changes (such that we'd need to re-think the overall approach).
Comment 3•5 years ago
|
||
Comment on attachment 9097830 [details]
Bug 1575735 - Set TLS 1.3 authKeyBits and scheme prior to authCertificate call. Support rsaEncryption certificates in SSLExp_DelegateCredential.
Revision D47849 was moved to bug 1588244. Setting attachment 9097830 [details] to obsolete.
Comment 5•5 years ago
|
||
bugherder |