open-quantum-safe / oqs-demos

PARTIALLY SUPPORTED Instructions for enabling the use of quantum-safe cryptography in assorted software using the OQS suite. CONTRIBUTORS WANTED.
https://openquantumsafe.org/

Add OQS to libnss (enabling loading quantum safe certificate into Chromium) #92

Open tylerleblond opened 3 years ago

tylerleblond commented 3 years ago

Hello,

I am currently trying to use the quantum-safe Chromium (0.5.0) build as a client to connect to the OQS haproxy container using its default certificate generation settings (the default signature algorithm used is dilithium3 according to this page: https://github.com/open-quantum-safe/oqs-demos/tree/main/haproxy). I tried to load the CA certificate from the haproxy container into Chromium but got the following error:

[Screenshot, 2021-07-09: Chromium certificate-import error dialog]

I have verified that I am able to use Curl with this certificate for authentication to access the haproxy, so it is not an issue with the certificate.

It appears that I obtain this error when I try to install certificates that use quantum-safe digital signature algorithms. For example, making use of the OQS fork of OpenSSL contained within the Curl container, I run the following command with <alg> = dilithium2, dilithium3, RSA, and falcon512:

docker run -v "$(pwd)":/opt/tmp -it openquantumsafe/curl openssl req -x509 -new -newkey <alg> -keyout /opt/tmp/CA.key -out /opt/tmp/CA.crt -nodes -subj "/CN=oqstest CA" -days 365

The certificates that used dilithium2, dilithium3, and falcon512 failed to load, but the certificate that used RSA loaded just fine.

Any help is appreciated!

Here is the certificate that I grabbed from within the haproxy container:

-----BEGIN CERTIFICATE----- MIIVejCCCIWgAwIBAgIUAepY4WbwHzFTZHk5LX1YZEhPzzcwDQYLKwYBBAECggsH BgUwFTETMBEGA1UEAwwKb3FzdGVzdCBDQTAeFw0yMTA2MjIxNjAxMDdaFw0yMjA2 MjIxNjAxMDdaMBUxEzARBgNVBAMMCm9xc3Rlc3QgQ0Ewgge0MA0GCysGAQQBAoIL BwYFA4IHoQBVwCWhM80rjUCbrPOId2aPoiV3mfNDQoNXvieqvCCCRAz8HQUNLfY5 jlLC74xCSXOTY802dlLx/B3d7yeddNTTCnyk8PDVBRRrcobru7xQ3DiEX1rlD6fU u8XD+YiHRcAVGkJ+O9TA4Tcshgj2J8DIUWNVFoiiAnkv0OnRAf+BmO0pVv11b0kK oszV8ldDSwKWyEFRZZ/eKGTx7j/DNLlCkk6j8ybHr1m5G9el0FhzmL0IZ9ShFZby ffEYgYNPRAo+HZb6S5y9cjP7Xj7VRhjQ5Y6+Y5zJaw/0x4dtCHSsOrftU+eaEHSi irqZjf5HJhwHz9srgcJe4kbKNrzlmY2Pvx5f1tVLLm3LfIv1i6uUkvI+SjbRPrIv UsTZQk0r40krWk7LJjhFuweyjbyrVQFitfZRmKOazm9em4Gvkxg1FUiuZW2MnVYD 8SohlUocrj7r34asbD8OLL+E35gasgUKdGZiCdVFjL8USuMRPekslbSLan7qs5yz fwoAZjT5mWVWLJtrwXD4gH0dSllUnAcxxsf2eEeot2wOeaSs7l5DWnBgts/blpXn mKZxx+GBFU/18zxfytl8n2qMD3BduEJRVVUrug1lNhjjMl3lkDuRHzkemkBCTFwg aCs7/NqVBPsL0g8HE+sokml84cRoHNFPzOEcnTo/5iLBRiLfhWEC6vS+01f3EC+L Ozi+TzZiiwiTIJzY1tJWgp7tM5WFXsWeIVfk9IPaDZbsfus9AwAiAOQJbkOan6Zx ePMwTdYo9NKYBuw9ckzcOk2sY4QfhFYx2c25kGxDZkVGVzRQ9VLfKZUANgBr0fGv GLpVlgSYMv+8hGB/iVJuQ6sEl7jI7AmSxKIDYrjbEEeVHP9tvew7EuMhJr2s4M5n yjVj+bRKFz/eyGphm1mDU3iuYE6s0LWH/Ayqdl7yZ/hLvu7yPRLGzgADRv7jZSYl mNzCCQM/HGh103wUOGbat8zSqYBKiC6i7clyLEmXQnmiFR0ZoFxnL6qteXjLLffj vReD8WWn1mC/2BheJfTpWg5UmzJhIPUHk8gXCRKS6SYo2MvrCxvQb0Y1SHbb3s1V n5nMjO+6Doz7yb0SdWNtR9p1I/fOyn/jD7ZLSZtsrMuPF/6l/kUGTwwXkPCuwyC8 fqC9AuakY1CwcFodFLOukzrdHAD3rhkk9CSgfHVoIgK5SYhZ8FoNri5V9W1rN/dG yYjrHJFHxcWc9L1dwzvbWhhf3EsFZ0/4urmwAJjNFsc/aTkyrEc1km6MZxLmgurA BU8sAL2qSlZDnQQ0VDdFzvz67wGNGJvLy71czsGWbR6HAq/E6bYmtDC0vwYvmPsS kc5tcQzFLdwW2jTGmRXKRwAoQhSFAc1DnAUsMO1N8oT5Azbaw98yXEBehslCXglN idrZs02U13xk/UkZbvebREuuY/fX6o5eXcENdy0di0tTEeNk3wgbaSSVtlGaOTOX 7i+8+n7rWGXVsPESkifmDyJPtHyQ/w5sZKRImKFdRw4HzyBkBQeJT8u7auVdm1Os BsXoasK704TE25zHYzX1yRmOac9Z7Lw7rXC0mXFqPaibow0zBtZsyCyutL9lYMw6 lFjY0VmKpy/2OMIDyR7mz6WN6dcPbSaRU4/qYJ3PwW0LTyeo7Kmmai2VddcPq6Mq 1/PJhD0EuT0+s3DmVNO1Lr5lTulefBAHX8OKaRXydP5YIQ/jkr4UqApQw1vBUYP2 
D31FwPO0UjcuQ7+REmfO8amUiVhJSKLncusBNSraKVTdo3zZo3mk/JY6zu+nv0fb GXU3WSBOC4/wMs1hjVvfWLzvwgg9RM5f64SEFv7XGqjw06wNmTvua+moQi1eVNib RPsNRKbTSdC2czq4zDZQ6XjZMRBMLnQ7DtoLxVweRn9woE75JhaDXlkJxLzU2roK B8vlmxJ2B54VfVjo7q3LWttBb3dSovWJoIZ5MdktnV0hp2XSGHpzE41buydO4FpY ElK4ckYieDRqkbdthOKIEdYNlGZFlJ1WauHpQBQyFsoOiMom4m/WcmxYkqVst86i Jlbi8EuDXxSmpa/hTZj5PPhFLZuS5eSr1QInXY6SKMbD2/jDDdY5JBethv/kBZpP g1NPe4bgXeJFLykQQJCApJSIaHrQFxytQUZdRWQy0AUQD6nxJ/Efu3GE7/SXnj9h YzkHvqpCA9Biqs7qHCZhkTcTxKm9l8WQC4rEGcBPVzC1g5YIlGXa3N1SM0xNXYmP qvIDXHZjEleVK8JuaB5YOT0SrazEpMmKckz0Vge1bB+dB3Rk1aB0xuFzoFNJbTx7 gahzZm0zcDRDkzAvEoWY6i3y94iP3/ewtlRefNdQRUc5av7+6dXSjisEF0ViPFIL vTLTK9zhB7gRRa+yjDNP/xyUMfFOGTfzt6Td4JrW6KZnO3rm1tVD76SswsU/zPIA IdZKjXo9UF62hiMnKTMfBYrgHTWpcdigF4eeTba0Q77cI3y2xGJr6BgDz8Chi/d4 TFH3cYyWoWGuQBPQgf2ScXUSD18pdhayQzpNe83b4erO9VUZGll6K3n53cQ7u5E1 ZyhW9heZALys3oDy7x9qjh5cA+G9GXsznfVpaZ4bq99wXo0Pbvh8DqNTMFEwHQYD VR0OBBYEFOw5eLQtwcOYb/rCxX1quad/8ukdMB8GA1UdIwQYMBaAFOw5eLQtwcOY b/rCxX1quad/8ukdMA8GA1UdEwEB/wQFMAMBAf8wDQYLKwYBBAECggsHBgUDggze AAskMXI3a713Z6OrJMUd4OQd8g5RZ/oEnlgtOSpVhGVfPhfgEecFiCEiPQ2UZcHJ 4QK1/YtMbiFxPhXrZzsyUE3d/+dQhpu+jpgvlFwX3RCVSS9KMZeuA/ypVI6VetV+ MbDlUZib9NQBoUeO9H4Ni4WEOLFg0PZ8+dOcBWhk8NrUZI4I03NXTovHZNVkFhbw J3yq6R4QNxaHB8iSK+KZ4CtOdpC/vuwxsSQcw5izFF5qHg2M+aYMzMkZIybUIlzw Bbdg5aaVMlOsBd4k7nNLvPOyLTNKj/StDF+TnzCPaauIvnglfBqyUfLd0giJWwUL IZ8trHZDPIBYHzHfCBZXSRJNRrLJKCoWmmJs97SBolpIrYiHLEQqy2PqROt+uXyL fjSA95G71Inb1ULOBt6QvycN4rt/Lksg2CVF5SE2IhTYhpdytv9F6ZkMgHkfLdn/ lNtu81sMcaIe5gbIg53fqWwsmaDgAos+snXbocyuWzswE1BHQA9u7DeklIBh9JBT b+MHLnp1r5UT0xMM5pk44j/5ITOXC5CeD+XD50IygoWrwbwR4jSNj0QCji8U4mV/ 8qvdLhgFJPxuTWRwJCf1CrgWl8RBqAJtIAdCUiEvqGP77emuGeKoNV6qCv/uaegc z/I74E8G50ztx4+KhhpMNLIoh7uU3j3/PmC8ZqGidGz7QN+W2gz9UGLw68/fI+al c82iG0E4I6T0TqPT3oJ53WImCAK9hFyAQyd272+StbVLjcqRkADhUTbyYTqdHVau WfOiCqC1vHse4qQt4uEPA5A18gMrwbrYFsaaPjp0ws8KPu72z5cD96qDJkxxP5DB YDlb0352iElhsWRGoBlyT6QE9Nh+pGN6ynka6ExmRmXkv1M7DemKrEIO1inZalnG 
uiZ6wXME6xPj3teqZz4GePUlqrqNGtDl1AhJQNiPBXaZzxnEn2xCpp3RhWxDeFYq xurE6oPPMEZ2jltCv7lXvIxhewKVqguk6Htb6cPtyYfkDZWaZHX6VrRNiqxCFEkJ jkt/JmKFkijd0Zx0vlVKFNKLm7ptRzWyWPG+Mk9cOmKDdnP0Jkl78s/I5HflVCUG t/mPCbepsQLmHPzzSSaxTIIb6iEsIZxkuKonA00O7ZwuskBpVEFre6GeL2yULIEh vcJWgNWJwwUczKsByr5diI4vwn0rRkBx1MsNwJHJ+zAGhgtT6IsvkK7g6+lRPebJ XYWT9UkdD9Q8DvG20pkidFhL3VL5+JtITnOO8cKp41ZlpPP/7F0K5cf75AI9A/qy o2XLXp7jv4kmoHsNOBledlk8BHPajLn8XJB+jx9Y0dsRVPmqDOJbpi/jMuRGJxo5 ObG6SzTXAD9ulcqcueQ+5hzAi7zAflxIUQ9iZ02ODYuM9eBU067pFnkCiuQJfPm/ y5v4RB4BE+6Sjc5Ymoti+wGYLXOGUJe2ls1GKaNTZZJnlf5XhnJ1SXtV0B+339gC sxauyXeVlcBfc6Ug4kOuICZBkVqJux9FMAR8lEsMttmRNIA8UkBFtxnYAXnBKrgg nF3mdHvuHQmsO4bLg36Kqgzza77ZNxX0Ggq/w60Eq/fOET+jk258OtHEvIglRH9L qitOGA9QXJuJ5cm2XV9W+J+gjwMiRh2ZhjjqUHYZYUFI28n0J5Tdn3XLOVUxv5l1 Q6/T5XjDZEovqRr84+4GHBGN8HnXtMB/g6JuUwqLgsHiif6cLsMTDFtbxIhAL1j2 hKOTk9JfZ7lnJIA+LTEWrflHeSchICJUa4ZoY5jOnXVWBLq2ZlpgMVwiC4wJhcGq 2c0uAoxCKDiZIwcaWkEoVHP2CJFk1+vs19m2DVS60+mtG+2w+b+oqpBgtRcKT8wK 3BMOGJgkAau+XkCvJsK7gX57igBlM9xFRueCaedRWFBmNQ7LbesjDbUn825Whoy4 WRuBuPLgz6loKu1n96sog9kmZRjF3kmZyf5Y/zatpymvYaEIJgoob1AVwYnvmm4N YZi7dZKOY9BHHOPYC6dnw/i+73aodeLhMCdc4PANgmhx4PC+hfmBZSzgFgM4g3E9 vBjZ26lxCMmVFHvNkA40tWr/xvFH8sF0TE3aCJojaZdMnxslKAS0Squh+EXJLwS3 WEuK/k4L30/KwxiQXgoieXQfPOXPaj5KCK/bmlrHU/auap/n08UmdoIC6mLb/a3b Pj/+TMgiqTMf+IiFJPqAoJvFIq9TjlL1BwWRuR/mr81+xhlWcY5faNgPC8As9zlR dq1Z5XyBqgJ92ctiaP1CkeQvda6fA03bLh0noiXbLC6rKpjunGgMpyozeZIxFhgS WM6NWLYcfun5jbiFQWB/eCDXySZTq6uxed+Un9RdihNy7pTe50TUTBTBx6pNYVqA pk6iCT5MUCeHfKZInMKsVBEeIe5HCd89rJ7qQN6eh3grDYrg2sR4E4O2MeFUoJYw ID+zjqqtbi6yj5sKZSMtxvQuFgt6Ud/L654eaIFDUT/yPCliBDEhsia09osoS3wi ChQPgD7M/enTPxMQWd1mltmFswHA9zj8WInMXeJPK1G6Z5yTw4fTKDT0w5k4onqj h2n97K41pEUsXTxkghptyRcyWkr85rHEoK+HITmkwMD1CGXklw/ETrrnNU+/1xmt 5MKiU9qsCZfDTzVeBP/RooKpd4YrSYFMugbmrRfPFNM/gwNFwycD5xlKQ5NkEDsb Q86ImNXJdXdWqrHX3Ilb9eSSzkl1wSR2ollZLZ7BjDb4fUvuMHNt4tNK3YOCvERx yNw+NxPnP7KWBKVGrt/23Nq4GeXn1QbfMsq07GzgMTWMaSezcXHpq7gsME9oD9fy 
mc528pA8osHv5ug1hbUpohiEi/ynf2zZ7lZs3wCv5kHKnHsge+zP430/EwGiFhHe cV1xPdv5OgYi7QtJJkcp9gJ4ifa3dREN3XsDXhNFQFmBCO4xvFgM+96SLhpVztZN R1zWzPwTKJz4WXGNVhilmQALYXYyC+jGaL6ouJGM4xEN1/0WW9m7dREqOVFRzcbz Px/3nB5Y/XQLb+aWutmMiMPt60C3U2lfqdmPBMNa7Mmw9zOxO5Rbp5OBcHB82yTJ GH4yW77v7NXHmGn5zTzHjsATP6/opz/pHAc2i/uft7zN4AtQJ3ecik5/hEIM+2CD N4SpdcG3+ZGfHLXQhrW+bSR9hFm+3xSzDRFb9rEyHCKBC9eUZgtyzXL0/vJN5IvC 0Wv6vjIU0b3eO2/2uzlNwxSFxKwx5y49kphY1srVtyFDyhXRpi76U3p4e8CZ2rJZ kI3MtQpy51PHwx4Yv7emb4kHEAGOF/WGxu/2UGk1boSVFcmKe4lWR1xEGMQC16UD aYVM7E0iTxtqG0gqkpsNfVcxFjHP7ygQeYFF65coq+i4cbSUIcta0RCAWqNGiMdz BQuOe7mv8+byzFR0rltu5op7AViIRx5afWGEI3SBaOabLIm6B5VKke0ueqtkL2Ey dQ6Y/wb37o0CCPzKJRIHN74OCaA0VhvD89vHumQCaI3EgQZmw0MY/87wvMN+DqPn gLVDAXHGOdwq8uHtkyYdNvWCd6KOgrFoAAk4Z3NdcQRgKjuZ4iklaRHseHbI8b3D DiNWF7De1BnzRKXB4osrFvn2yjW1elMuu1MhUPqyUrLzIvk3nmTGGoCY/3GI0/vM vr8td39pa6Nw4A07wFAe9IlX3pcBbXy1nptx3fVwTnA+kq2MW4eLzUIZ4dIycNx5 PdGO6fCXvB8ifJ4Ng4GhznZYoWuYwrro3KhE4YGaTc0oIQbwqFFSJ/KIQ46IZhNy KCHYuXmj6pG3UulyrgME/cRTKWL+SVff8RguHXMTB2HU46lB6KbI/ZwyEaK7aD36 N21SW1hMjeBwErZZVC9v61tXeRDVVDrjA9OvgopwIkhkl13n7GC5HTNZzw+sM3Rr RthrYTCoST3XfQ/J/Wuagga5Gm+4g9VQS3IaCQen+3ETJn5HtiKYcWcwlc/Mf9rg u27Zg1SZ3F4Nq/3FN0LN8FMGbqODDQck4Z0rCeay3kj4pjW5J92AwfJU3/5Rlolm SyOwX3hQhV0jTVohC2lchILpb/ol6VlUeI1hhyQzCrshlKSJy7r2ntTLqtxKlB43 RuQ5l8lbNyH/XAfMC6xmV44VsWcZ52mP1ugIO7ifTU1UZyPtfhG9K380tG73Ymqi FqucW6G7j7VF5Mr7mq3bSPcYHAX2yQjEZbI31wH/31Lp9S/kRMgZqgrLr7vJg5Pd aK2T8E3ujsh/uO8MEuIs4tcf7EVhwZ7kIgrBMMMRGqx9fXKELyyHv5vwFGNSRjT1 n8jSJAfJ3ItBo1HX1N40yRIkMnGaorO33fMqhJTC2Py2wlJajJOY4LE0Pj/j7wAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQ8RFxgd -----END CERTIFICATE-----

taylormadehdz commented 3 years ago

@baentsch do you have any guidance on this?

baentsch commented 3 years ago

When running oqs-Chrome from a terminal, this error message is emitted when loading the cert above:

[1949:1949:0710/102038.438671:ERROR:nsNSSCertificateDB.cpp(89)] PK11_ImportCert failed with error -8168

This in turn to me means that Chromium uses (NSS') PKCS#11 API (store?) for maintaining certificates -- and I'm not aware of anyone who has begun to OQS-enable NSS, so a rejection of an OQS cert seems logical. @xvzcf, @dstebila, @jschanck: Do any of you know more about NSS (an OQS-enablement thereof)? Do we know anyone at Mozilla who might be interested in this? And if NSS P11 is not the problem (to be determined), does anyone know what's implementing that API for Chromium?

@tylerleblond @taylormadehdz : Can you share what's your use case for this? We always only intended Chromium to be a demonstration, not a full-feature OQS browser integration -- but if there is serious interest, someone might look into it.

baentsch commented 3 years ago

And if NSS P11 is not the problem (to be determined), does anyone know what's implementing that API for Chromium?

Answering my own question: Looks like it's really libnss(3) (failing to) provide that functionality.

So, indeed, it seems OQS-cert import won't work in Chromium until (lib)NSS is OQS-enabled. Nothing oqs-demos/chromium can do about it (short of creating a new project: volunteers welcome :)
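An added check, not part of this issue or of oqs-demos, that makes the diagnosis above concrete: what decides whether an import like the one in the first post succeeds is the signature AlgorithmIdentifier OID inside the certificate, since NSS can only store and verify certificates whose algorithm OIDs it knows. The first 68 base64 characters of the CA certificate posted at the top of the issue are enough to reach that field; they decode to the OID 1.3.6.1.4.1.2.267.7.6.5, which is the identifier OQS-OpenSSL uses for dilithium3. The constructed RSA prefix, the dilithium2/dilithium5 table entries and the list of "classical" OIDs are mine, not taken from the page.

```python
import base64

# Constructed from the page: the first 68 base64 characters of the
# dilithium3-signed "oqstest CA" certificate posted in this issue. Only the
# Certificate and TBSCertificate headers, version, serialNumber and the
# signature AlgorithmIdentifier are present; that is all this check needs.
DILITHIUM3_CERT_PREFIX_B64 = (
    "MIIVejCCCIWgAwIBAgIUAepY4WbwHzFTZHk5LX1YZEhPzzcwDQYLKwYBBAECggsHBgUw"
)

# Constructed, not a real certificate: the same leading structure with a
# sha256WithRSAEncryption AlgorithmIdentifier (outer lengths are placeholders).
RSA_CERT_PREFIX_DER = bytes.fromhex(
    "30820100"                          # Certificate SEQUENCE
    "3081ff"                            # TBSCertificate SEQUENCE
    "a003020102"                        # [0] EXPLICIT version INTEGER 2 (v3)
    "020101"                            # serialNumber INTEGER 1
    "300d06092a864886f70d01010b0500"    # sha256WithRSAEncryption, NULL params
)

# Signature OIDs a stock (non-OQS) NSS understands. Not exhaustive.
CLASSICAL_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.2.840.10045.4.3.4": "ecdsa-with-SHA512",
}

# OIDs the OQS OpenSSL fork used for round-3 Dilithium. The dilithium3 entry is
# what the posted certificate carries; dilithium2/dilithium5 are the neighbouring
# assignments as I recall them (assumption: verify against your oqs-openssl build).
OQS_SIG_OIDS = {
    "1.3.6.1.4.1.2.267.7.4.4": "dilithium2",
    "1.3.6.1.4.1.2.267.7.6.5": "dilithium3",
    "1.3.6.1.4.1.2.267.7.8.7": "dilithium5",
}


def read_tlv(buf, pos):
    """Return (tag, length, body_start) for the DER TLV at pos.

    Handles short-form and definite long-form lengths. The body is never
    sliced here, so a truncated buffer is fine as long as the headers exist.
    """
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n


def decode_oid(content):
    """Decode the content octets of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [content[0] // 40, content[0] % 40], 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Extract TBSCertificate.signature (RFC 5280 4.1.2.3).

    RFC 5280 requires this field to equal the outer signatureAlgorithm, and it
    sits in the first few dozen bytes, so a truncated certificate suffices.
    """
    tag, _, pos = read_tlv(der, 0)                     # Certificate
    if tag != 0x30:
        raise ValueError("not a SEQUENCE")
    tag, _, pos = read_tlv(der, pos)                   # TBSCertificate
    if tag != 0x30:
        raise ValueError("TBSCertificate is not a SEQUENCE")
    tag, length, body = read_tlv(der, pos)
    if tag == 0xA0:                                    # optional [0] version
        pos = body + length
        tag, length, body = read_tlv(der, pos)
    if tag != 0x02:
        raise ValueError("expected serialNumber INTEGER")
    pos = body + length                                # skip serialNumber
    tag, _, pos = read_tlv(der, pos)                   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("expected AlgorithmIdentifier SEQUENCE")
    tag, length, body = read_tlv(der, pos)
    if tag != 0x06:
        raise ValueError("expected algorithm OID")
    return decode_oid(der[body:body + length])


def classify_signature(der):
    """Return (oid, name, nss_known): will a stock NSS accept this signature algorithm?"""
    oid = signature_algorithm_oid(der)
    if oid in CLASSICAL_SIG_OIDS:
        return oid, CLASSICAL_SIG_OIDS[oid], True
    return oid, OQS_SIG_OIDS.get(oid, "unknown"), False


def classify_pem_prefix(b64):
    return classify_signature(base64.b64decode(b64))


if __name__ == "__main__":
    for label, (oid, name, ok) in (
        ("posted CA cert", classify_pem_prefix(DILITHIUM3_CERT_PREFIX_B64)),
        ("constructed RSA", classify_signature(RSA_CERT_PREFIX_DER)),
    ):
        verdict = "import should work" if ok else "expect PK11_ImportCert to fail"
        print(f"{label}: {name} ({oid}) -> {verdict}")
```

Run it against the first base64 line of any certificate that refuses to import: if the OID is outside what the NSS build knows, no amount of fiddling with trust flags or the Chromium root store will help, because the rejection happens before any trust decision is made.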

taylormadehdz commented 3 years ago

Would there be a way to use a different lib for maintaining certificates?

Our use case is to migrate a chat app on one system to make it quantum safe for prototyping activities. @baentsch ... any other ideas for workarounds?

baentsch commented 3 years ago

Would there be a way to use a different lib for maintaining certificates?

(OQS-)OpenSSL handles QSC certs just fine -- but then again, chromium doesn't use OSSL by default for all I know -- although there seem to be historical traces of chromium being able to utilize OpenSSL...

Our use case is to migrate a chat app on one system to make it quantum safe for prototyping activities. @baentsch ... any other ideas for workarounds?

Loads -- but I'm constrained by not knowing whether you're free to choose the chat app to QSC-enable. If that were possible, why not look for one using openssl as transport? Next idea: Why not completely do away with application-integrated (QSC-)confidentiality and use (oqs-)SSH instead (obviously only works with a priori known chat partners)? Third, if for some reason you are bound to chromium, changing the cert-storage to one based on OSSL may be an option -- but that may be convoluted: I never checked all chromium cert-interaction points in that regard. But then again, I don't understand why chromium uses PKCS#11 for server cert storage to begin with: Normally, one would only use that for client certs... Simple file-storage (with a validation layer) might have been sufficient....

taylormadehdz commented 3 years ago

Okay we're pretty set on using Chromium... Here is the sitch:

Quantum safe Chromium can connect to the OQS test server using the quantum safe cert.
Quantum safe HAproxy can connect to the OQS test server with curl.
We want to connect HAproxy & Chromium, but Chromium does not accept the cert.

Would we be able to use the private server cert that Chromium does recognize when connecting to OQS test server on HA Proxy? I.e., is there a way for us to download that from y'all directly to upload to our HA proxy?

About cert-interaction points:

Alternatively, when you said changing cert-interaction points, that would require us to build Chromium from scratch (following directions on the repo), correct? We have been using the binary.

baentsch commented 3 years ago

Would we be able to use the private server cert that Chromium does recognize when connecting to OQS test server on HA Proxy? I.e., is there a way for us to download that from y'all directly to upload to our HA proxy?

I'm not sure I understand: The CA cert at the OQS test server is plain, boring classic crypto: You can create such a cert (incl. private key) yourself (and subsequently import it to HAproxy, Chromium, whatever). Also, you can create CA-signed private server certs (of any kind, incl. QSC) yourself (e.g., using the oqs-curl docker image): Why would you thus need "our" server certs?

that would require us to build Chromium from scratch (following directions on repo), Correct?

Yes (after mod'ing the source suitably). Just takes a day -- or a good many-core machine :-)

taylormadehdz commented 3 years ago

On it :)

baentsch commented 3 years ago

@taylormadehdz : Any news on the above? I'd further suggest changing the title to "Add OQS to libnss" (tagged as future-work, help-wanted)

baentsch commented 2 years ago

Like https://github.com/open-quantum-safe/oqs-demos/issues/52 this issue is due to Chromium not using openssl but libnss for certificate management. Until there is wider or libnss upstream interest in this feature (any inside insight about this, @jschanck?), closing this issue, pointing to oqs-epiphany if someone wants to use QSC certificates with a browser.

takao8 commented 1 year ago

Hello, I just wanted to reopen this issue since @taylormadehdz and I have plans to try and adjust NSS to accommodate PQC certificates on Chromium. @baentsch, since last year have you heard of any developments to update libnss for this feature? We've done some basic exploration of the libnss codebase, but I wanted to check with you to see if anybody has gotten anywhere so we don't replicate other efforts.

baentsch commented 1 year ago

No, I'm not aware of activities to add OQS code to libnss (but would be glad to see that happen -- if only for selfish reasons of not having to add another column to the IETF PQ cert hackathon interop test matrix :). And obviously I much less know whether anyone is adding any (other) PQ cert code to libnss. In sum, by all means, let's reopen this. Thanks, @takao8 @taylormadehdz, for suggesting this.

xvzcf commented 1 year ago

For OQS in NSS, I'm aware of this.

baentsch commented 1 year ago

For OQS in NSS, I'm aware of this.

Thanks for the information, @xvzcf ! I'm not entirely sure how to read this: Is this an integration of the OQS APIs (that would enable PQ certs, too) or rather a Cloudflare-specific code integration supporting their x25519_kyber768 KEM (only)?

If the latter, it doesn't help this issue. If the former, would it be helpful/possible for @takao8 @taylormadehdz to contribute there to move things forward more quickly?

xvzcf commented 1 year ago

The PR indeed does not involve liboqs, but Robert Relyea in that comment stated that he's currently working on liboqs integration, which will give us all the NIST kyber variants [...] as well as the PQ signing algorithms, so it might be worthwhile contacting him.

baentsch commented 1 year ago

so it might be worthwhile contacting him

Absolutely. Do you know him / could you touch base with him? Or do you know his github handle, which we could post here to get his input to this discussion?

xvzcf commented 1 year ago

Absolutely. Do you know him / could you touch base with him? Or do you know his github handle, which we could post here to get his input to this discussion?

I emailed him.

Raytonne commented 1 year ago

Since Chromium is using its own root store, you may try to hard-code your root CA into the Chromium source code.

baentsch commented 1 year ago

Since Chromium is using its own root store, you may try to hard-code your root CA into the Chromium source code.

Thanks for the pointer. How would this solve the issue of quantum safe server certificates/chains not being verifiable in Chromium, though? Isn't libnss still providing the code for this logic? If this code is not PQ-enabled, shouldn't verification fail right away -- before even hitting the root cert?

Raytonne commented 1 year ago

Thanks for the pointer. How would this solve the issue of quantum safe server certificates/chains not being verifiable in Chromium, though? Isn't libnss still providing the code for this logic? If this code is not PQ-enabled, shouldn't verification fail right away -- before even hitting the root cert?

The webpage I linked above explicitly mentions

Historically, Chrome integrated certificate verification processes with
the platform on which it was running. This resulted in inconsistent user
experiences across platforms, while also making it difficult for
developers to understand Chrome's expected behavior. ... Once complete,
the launch of the Chrome Certificate Verifier will ensure users have a
consistent experience across platforms, that developers have a
consistent understanding of Chrome‘s behavior, and that Chrome better
protects the security and privacy of users’ connections to websites.

So I think if the root certificate is in Chrome Root Store, then libnss is not providing the code for this logic; instead, the Chrome Certificate Verifier will build and verify the certificate chain.

In PR #210 , we provided a way to make Chrome Certificate Verifier able to verify quantum safe server certificates/chains.

Raytonne commented 1 year ago

@xvzcf @baentsch Should we close this issue since Chrome is using the Chrome Certificate Verifier and Chrome Root Store now? Especially since Chrome dropped libnss: https://github.com/chromium/chromium/commit/9942b74d18acb6c9a1d1cf85d0ad4db15357d2f6

nickforsythbarr commented 7 months ago

Is there a new issue recently with acceptance of CA certs in Chrome 124.0.6367.91? I'm getting the error: [29771:29771:0429/142921.004838:ERROR:nsNSSCertificateDB.cpp(95)] PK11_ImportCert failed with error -8168

Raytonne commented 6 months ago

Is there a new issue recently with acceptance of CA certs in Chrome 124.0.6367.91? I'm getting the error: [29771:29771:0429/142921.004838:ERROR:nsNSSCertificateDB.cpp(95)] PK11_ImportCert failed with error -8168

Are you importing a CA that uses quantum-safe algorithms? If yes, then this is expected.

nickforsythbarr commented 6 months ago

For those seeking a fix who find their way here: this appears to work, allowing Chrome, VS Code etc. to respect the CA (Ubuntu 24.04, Chrome 125.0.6422.76, Code 1.89.1):

# sudo chmod -R 766 /home/username/.pki/
# certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "CertName" -i /usr/share/ca-certificates/your_ca.crt

Raytonne commented 6 months ago

# sudo chmod -R 766 /home/username/.pki/
# certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "CertName" -i /usr/share/ca-certificates/your_ca.crt

Thank you for the update! Could you update oqs-demos/blob/main/chromium/USAGE.md and create a PR?