andrewbaxter
commented
8 months ago So if I understood that correctly, to summarize
- There are multiple combinations of parameters (curve + algorithm), some of which are safe and some of which aren't
- Right now the safe combinations are enumerated as ECDSA_* etc, along with usage method (fixed, asn1)
- Private keys only contain part of the parameters (curve) so the additional information is required to be supplied when deserializing (in this case the full set of parameters)
- The full parameters and private key data are stored together in the keypair so there's no chance of mix ups
So far that sounds reasonable to me.
The issues caused by pairing up the curve + algorithm are:
- The same key may be used with multiple algorithms which currently isn't straightforwardly possible due to the pairing
- Responsibilities are often split where the user loads the key and passes it to a library that uses the key, but in order to load the key the user needs to know what algorithm the library expects to use.
The idea proposed here is (roughly)
- Keep the enumerated combinations
- When parsing, the user presents a set of combinations. This could, for instance, be a default set like
default_signing()or something? - Based on the curve in the key, the subset of presented combinations are stored with the key
- When the key is used, an algorithm is presented, and that's checked against the stored list of combinations
You also mentioned splitting them, I assume like:
- When parsing, no extra input. Curve is read and stored in key
- When signing, the algorithm is presented and checked to see if it could be safely used with the curve
The disadvantage to this approach is that it's implicit in accepting combinations, there's no difference between using a FIPS compliant combination vs a non-compliant legacy combination, but the latter must still be supported due to existing uses.
The proposed solution seems smart to me (from my very outside view). My only concern is I wonder how much information a user needs in order to deserialize key pairs. If a default algorithm set could be used that's fine, but if they need to know more about how the key will be eventually used by a library in order to deserialize it it leaks library implementation details.
I think the pattern of "user gets pem, needs to deserialize it, then pass it to a library" is common. Right now rustls gets around it by just taking a pem (string?) and doing the deserialization itself, but if the cert needs to be reused it presents a less type safe interface since it pushes you to pass around untyped bytes (are those bytes from a pem? der? pcks8? sec1? etc).
Another option might be to have sign reject less secure combinations and a sign_allow_legacy or sign_dangerous for if you need those? It would shift responsibility to the library, but I'm not sure if that's reasonable in the typical contexts for needing legacy combinations.
briansmith
First, in general people find the API confusing. We have not done a good job providing insight into the design of the API, and also the API is admittedly needs to be improved.
It is common for a user to want to support multiple curves and multiple digest algorithms when parsing a PKCS#8 document. The current API only allows the user to specify a single curve and a single digest algorithm when asking ring to parse a PKCS#8 document.
Another issue: To support multiple digest algorithms, some users, Rustls most notably, have resorted to awkward ways of using
EcdsaKeyPairso that a single key pair can be used with multiple digest algorithms. They should be able to parse anEcdsaSigningKeyonce and then use it with multiple digest algorithms (but see below).Accordingly, instead of only allowing the user to provide a single
EcdsaSigningAlgorithmto indicate which algorithm combination is to be supported, we should let them provide multipleEcdsaSigningAlgorithms. And instead of Fixed vs. ASN1 inEcdsaSigningAlgorithm, we should instead allow the user to choose the format at signing time.Further, when multiple provided
EcdsaSigningAlgorithms have the same curve identifier, but different digest algorithms, a singleEcdsaKeyPairshould be returned, and thatEcdsaKeyPairshould store all the digest algorithms that are allowed to be used. I suggest we add a field toEcdsaKeyPairthat is a bitmap, where nth bit is set iff theAlgorithmIDof the digest algorithm has value n. At signing time, the user will pass in a digest algorithm (and the format Fixed vs ASN1) and theEcdsaKeyPairwill refuse to sign with the given digest algorithm if it wasn't whitelisted at the time theEcdsaKeyPairwas constructed.As to the question of why
EcdsaSigningAlgorithmshould continue to identify both the curve and the digest algorithm, instead of having separateCurveanddigest::Algorithmparameters: We need to be able to enforce the requirement "A hash function that provides a lower security strength than is associated with the bit length of n shall not be used" from FIPS-186-5. Note that ring may provide combinations of algorithms that do not meet FIPS/NIST requirements like this one, for compatibility with existing systems; these combinations should ideally be clearly-named as legacy-only.For example, we need a way for the user to "I want to use P-256 with SHA-256, SHA-384, or SHA-512/256, and I want to use P-384 with SHA-384 but not SHA-256, but no other combinations." If the PKCS#8 document contains a P-256 key then the resulting
EcdasKeyPairwould allowsign()to be called with&digest::SHA256or&digest::SHA384, but if the PKCS#8 document contains a P-384 key then callingsignwith&digest::SHA256should fail with an error.In summary, we should:
ECDSA_{x}_{y}_FIXED_SIGNINGwithECDSA_{x}_{y}_SIGNING, removing the signature format (Fixed VS ASN1). This is a breaking change.EcdsaKeyPair::signthat takes the digest algorithm and signature format as parameters. This one variant should verify that the digest algorithm was allowed at the time the key was constructed.EcdsaSigningAlgorithms to be provided as explained above.This is a Semver-breaking change.