Closed Bug 1658042 Opened 6 months ago Closed 5 months ago

osclientcerts: differentiate between keys that can/cannot do modern crypto

Component: Core :: Security: PSM (enhancement, P1)
Status: RESOLVED FIXED, 81 Branch
Tracking Status: firefox81 --- fixed
Reporter: keeler, Assigned: keeler
Blocks 1 open bug
Whiteboard: [psm-assigned]
Attachments: 1 file

Right now, osclientcerts has one slot that it claims can do RSA PKCS#1, ECDSA, and RSA-PSS. However, since the keys backing these operations may live on modules that cannot actually do these operations, we need to separate them into two slots: one that can only do RSA PKCS#1 and another that can do all of them.

The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform.
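
A simplified model of the slot split described above, as an added example that is not the osclientcerts source or code from this bug. `Slot`, `Key`, `slot_for`, `pick` and `sign` are hypothetical names, the `CKM_*` values are the standard PKCS#11 constants, and it assumes a caller that chooses its signature mechanism from what the key's slot advertises.

```rust
// Illustrative model only: names below are hypothetical, not osclientcerts code.
// Mechanism values are the standard PKCS#11 constants.
const CKM_RSA_PKCS: u64 = 0x0000_0001;
const CKM_RSA_PKCS_PSS: u64 = 0x0000_000D;
const CKM_ECDSA: u64 = 0x0000_1041;

#[derive(Clone, Copy, PartialEq, Debug)]
enum Slot { Legacy, Modern }

// What each slot advertises, as a C_GetMechanismList-style answer.
fn mechanisms(slot: Slot) -> &'static [u64] {
    match slot {
        Slot::Legacy => &[CKM_RSA_PKCS],
        Slot::Modern => &[CKM_RSA_PKCS, CKM_ECDSA, CKM_RSA_PKCS_PSS],
    }
}

struct Key { label: &'static str, token_does_modern: bool }

// After the change: a key is exposed on the slot matching its token's ability.
fn slot_for(key: &Key) -> Slot {
    if key.token_does_modern { Slot::Modern } else { Slot::Legacy }
}

// Caller side: take the first preferred mechanism the key's slot advertises.
fn pick(slot: Slot, preferred: &[u64]) -> Option<u64> {
    preferred.iter().copied().find(|m| mechanisms(slot).contains(m))
}

// Token side: the signature only succeeds if the hardware supports the mechanism.
fn sign(key: &Key, mech: u64) -> Result<(), String> {
    if mech == CKM_RSA_PKCS || key.token_does_modern {
        Ok(())
    } else {
        Err(format!("{}: token cannot do mechanism {:#x}", key.label, mech))
    }
}

fn main() {
    let prefs = [CKM_RSA_PKCS_PSS, CKM_RSA_PKCS]; // caller prefers PSS
    let old_card = Key { label: "old-smartcard", token_does_modern: false }; // constructed
    // Before: one slot claiming everything, so PSS is chosen and the token fails.
    let before = pick(Slot::Modern, &prefs).unwrap();
    println!("single slot: {:?}", sign(&old_card, before));
    // After: the key sits on the legacy slot, so PKCS#1 is chosen and signing works.
    let after = pick(slot_for(&old_card), &prefs).unwrap();
    println!("two slots:   {:?}", sign(&old_card, after));
}
```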

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a93095760b1f
osclientcerts: differentiate between keys that can and cannot do modern crypto r=kjacobs,rmf
Status: NEW → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

Backed out changeset a93095760b1f (Bug 1658042) for causing Bug 1658576 a=backout

Backout: https://hg.mozilla.org/mozilla-central/rev/7bd6cb8b76c078f5e687574decdde97f1e4affce

Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Target Milestone: 81 Branch → ---
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/7e5f806e44a8
osclientcerts: differentiate between keys that can and cannot do modern crypto r=kjacobs,rmf
Status: REOPENED → RESOLVED
Closed: 5 months ago
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

After this code has landed to nightly - I have issues with sites requiring SSL certificate for SignIn on Windows 10 - FF just freezes and never passes the SSL authentication. Then it's only possible to kill it via task manager.

Dana's out this week, so I'm needinfoing her for this on her return.
ivivanov.bg - Can you open a new bug to track that regression, and maybe give us a bit more information about the client certificate/key you're using? Since this already landed in Beta, we'll need to track the hang separately. Please do cc me directly into it - jjones@mozilla.com. Thanks!

Flags: needinfo?(dkeeler)

Opened: Bug 1662636
Please let me know if you need any more info about the certificates.

Flags: needinfo?(dkeeler)