Closed Bug 1588244 Opened 4 months ago Closed 3 months ago

NSS changes for Delegated Credential key strength checks

Categories

(NSS :: Libraries, enhancement, P1)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: kjacobs, Assigned: kjacobs)

References

Details

Attachments

(2 files)

This bug will contain two NSS changesets in support of PSM bug 1575735:

  1. Set Delegated Credential key attributes prior to the AuthCertificate call, enabling PSM to check these while verifying the certificate chain.

  2. SSLExp_DelegateCredential to support an rsaEncryption OID in the EE certificate SPKI.

This patch adjusts where we set authKeyBits (Et al.) for TLS 1.3, such that CertVerifier can check the strength of a delegated credential keypair.

The corresponding PSM changeset is in D47181.

If an end-entity cert has an SPKI type of 'rsaEncryption', override the DC alg to be ssl_sig_rsa_pss_rsae_sha256.

Priority: -- → P1
Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED
Target Milestone: 3.47 → 3.48
You need to log in before you can comment on or make changes to this bug.