Need to add policy control to keys lengths for signatures.
Categories
(NSS :: Libraries, enhancement)
Tracking
(Not tracked)
People
(Reporter: rrelyea, Assigned: rrelyea)
References
Details
Attachments
(1 file, 1 obsolete file)
Currently, NSS can limit the key lengths of various async algorithms used in SSL key exchange operations, but NSS has no way to limit accepted key lengths on signature or verification. In addition, NSS still allows very small RSA keys (128 bits!) which are totally insecure.
There are a couple of ways to handle the signature limits:
- create new NSS_Options to specify where the existing keylengths should be active. Make Signature and verification be new flags to that option.
- Create new NSS_Options to specify key strengths for verification and signature (which will use NSS internal key length to key strength mapping and apply the same key strength to all algorithms.
- Create new NSS_Options for key lengths restrictions for each algorithm for signature and verification.
Option 3 creates the most flexibility, but also proliferates the number of NSS_Options by the asymetric algorithms, making future maintanence more difficult.
Option 2 is easier to implement, but more difficult for policy code to use, since policy code usually already knows what key lengths restrictions of what algorithms it wants (and may not agree with our key strength mappings.
Option 1 maps best to existing policy engines.
Also, we should update the freebl RSA_MIN_MODULUS_BITS to something like 1023. This will require updates to pk11_kea.c as well.
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Comment 1•2 years ago
|
||
There are three changes in the patch which are related to key length processing:
-
Change RSA_MIN_MODULUS_BITS in blalpit.h from 128 to 1023. This necessitated changes to the following tests:
testcrmf.c: up the generated key for the test from 512 to 1024.
pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less then 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken. -
Expand the add a new flag to meaning of NSS_XXX_MIN_KEY_SIZE beyond it's use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
New utility functions in seckey.c:
SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch.
seckey_EnforceKeySize(). Takes a key type and a length and makes sure that length falls into the range set by policy.
secsign.c and secvfy.c: add policy length check where we check the other policy flags.
nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
policy.txt: Test that the new policy flags are parsed correctly
sslpolicy.txt: Add tests to make sure the policy flags are functioning. -
Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
|
||
Updated•2 years ago
|
| Comment hidden (off-topic) |
|
|
Assignee | |
Updated•2 years ago
|
|
|
Assignee | |
Updated•2 years ago
|
|
|
||
Updated•1 year ago
|
|
||
Comment 3•1 year ago
|
||
|
|
||
Comment 4•1 year ago
|
||
backed out for causing a segfault in the Pkcs1MinimumPadding gtest here.
backout: https://hg.mozilla.org/projects/nss/rev/e02d19f05de83ac9085aa05b5984aca1bfec1eca
test failure: https://treeherder.mozilla.org/jobs?repo=nss&selectedTaskRun=iq5qeZvyS0OSUmVI7Mieyw.0
|
|
Assignee | |
Comment 5•1 year ago
|
||
Thanks, The merge tools ate the Pkcs1MinimumPadding portion of the first patch. I've corrected the patch and ran it through try:
https://treeherder.mozilla.org/jobs?repo=nss-try&revision=13cc327d547bcda841df5ddeefee17f675d2f43c
I didn't repush because I saw you created the release tag and I didn't want to drop something in so close to a release (but now that I think about it, you've created a BETA1 tag, so we aren't still in release).
bob
|
|
||
Comment 6•1 year ago
|
||
I have to cut a BETA2 because of a compiler warning that was elevated to an error in M-C but not in NSS CI.
If you update the patch in phabricator I'll merge it for BETA2.
|
|
Assignee | |
Comment 7•1 year ago
|
||
There are three changes in the patch which are related to key length processing:
Change RSA_MIN_MODULUS_BITS in blalpit.h from 128 to 1023. This necessitated changes to the following tests: testcrmf.c: up the generated key for the test from 512 to 1024. pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less then 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now). tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event. pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.
Expand the add a new flag to meaning of NSS_XXX_MIN_KEY_SIZE beyond it's use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes: New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(). Takes a key type and a length and makes sure that length falls into the range set by policy. secsign.c and secvfy.c: add policy length check where we check the other policy flags. nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior). pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS. ssl3con.c: use the flags to decide if the policy lengths are active for SSL. policy.txt: Test that the new policy flags are parsed correctly sslpolicy.txt: Add tests to make sure the policy flags are functioning.
Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
The previous attempt to push failed because the pk11_rsapkcs1_unittest.cc
change was eaten in the merge.
|
|
Assignee | |
Comment 8•1 year ago
|
||
updated. Thanks!
|
|
Assignee | |
Comment 9•1 year ago
|
||
Arg I lost the phabricator tag form the comments and it created a new one, let me try that again..
|
|
||
Updated•1 year ago
|
|
|
Assignee | |
Comment 10•1 year ago
|
||
OK, The correct one is updated, I'll close the new one.
|
|
||
Updated•1 year ago
|
|
|
||
Updated•1 year ago
|
|
|
||
Comment 11•1 year ago
|
||
Description
•