Closed Bug 1658042 Opened 4 years ago Closed 4 years ago

osclientcerts: differentiate between keys that can/cannot do modern crypto

Categories

(Core :: Security: PSM, enhancement, P1)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
81 Branch
Tracking Flags:
Tracking Status
firefox81 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Bug 1658042 - osclientcerts: differentiate between keys that can and cannot do modern crypto r?kjacobs!,rmf!
47 bytes, text/x-phabricator-request
Details | Review

Right now, osclientcerts has one slot that it claims can do RSA PKCS#1, ECDSA, and RSA-PSS. However, since the keys backing these operations may live on modules that cannot actually do these operations, we need to separate them into two slots: one that can only do RSA PKCS#1 and another that can do all of them.

The keys exposed by osclientcerts may be from tokens that cannot do modern
crypto (namely, ECDSA and RSA-PSS). This patch attempts to identify and
differentiate between these keys. Unfortunately, there is no good way of doing
this on macOS at this time, so the implementation assumes everything supports
modern crypto on that platform.

Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a93095760b1f osclientcerts: differentiate between keys that can and cannot do modern crypto r=kjacobs,rmf

https://hg.mozilla.org/mozilla-central/rev/a93095760b1f

Status: NEW → RESOLVED
Closed: 4 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

Backed out changeset a93095760b1f (Bug 1658042) for causing Bug 1658576 a=backout

Backout: https://hg.mozilla.org/mozilla-central/rev/7bd6cb8b76c078f5e687574decdde97f1e4affce

Status: RESOLVED → REOPENED
status-firefox81: fixed → ---
Resolution: FIXED → ---
Target Milestone: 81 Branch → ---
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/7e5f806e44a8 osclientcerts: differentiate between keys that can and cannot do modern crypto r=kjacobs,rmf

https://hg.mozilla.org/mozilla-central/rev/7e5f806e44a8

Status: REOPENED → RESOLVED
Closed: 4 years ago4 years ago
status-firefox81: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 81 Branch

After this code has landed to nightly - I have issues with sites requiring SSL certificate for SignIn on Windows 10 - FF just freezes and never passes the SSL authentication. The it's only possible to kill it via task manager.

Dana's out this week, so I'm needinfoing her for this on her return.
ivivanov.bg - Can you open a new bug to track that regression, and maybe give us a bit more information about the client certificate/key you're using? Since this already landed in Beta, we'll need to track the hang separately. Please do cc me directly into it - jjones@mozilla.com. Thanks!

Flags: needinfo?(dkeeler)

Opened: Bug 1662636
Please let me know if you need any more info about the certificates.

Regressions: 1662636
Flags: needinfo?(dkeeler)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: