Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Core: SecurityUtils.createMtlsKeyStore should use a fixed algorithm for creating the PrivateKey #1675

Open
Capstan opened this issue Jun 19, 2022 · 2 comments
Open

Core: SecurityUtils.createMtlsKeyStore should use a fixed algorithm for creating the PrivateKey #1675

Capstan opened this issue Jun 19, 2022 · 2 comments
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release.

Comments

@Capstan
Copy link
Contributor

Capstan commented Jun 19, 2022
edited

Callers of SecurityUtils.createMtlsKeyStore can direct the use of insecure algorithms in the construction of the mTLS connection. In general, we attempt to affix the algorithm used to inhibit use of algorithms with known vulnerabilities.

Personally, I would be fine with denying provided certs whose cert.getPublicKey().getAlgorithm() was DH or DSA, but in lieu of blocklisting known bad algorithms, perhaps it'd be more security affirmative to allowlist currently-OK algorithms, so we only ever use good versions, and suffer toil later if we have to retrofit additional entries.

My suggestion is to create a case statement just below where the method currently throws IllegalArgumentException for various cases, and add the set of known good algorithms, and throw an InvalidAlgorithmParameterException if it is not one of those. In addition, special case DH and DSA to give references to their vulnerabilities as described in InsecureCypherMode.identifyDiffieHellmanAndDsaVulnerabilities.

/cc @sophieschmieg, as her guidance/requirements will be canonical for importing whatever changes are made here into the monorepo.

Environment details

  1. API: Core
  2. OS type and version: 5.17.6-1rodete1-amd64
  3. Java version: OpenJDK Runtime Environment (build 11.0.13+8-google-release-451398016) OpenJDK 64-Bit Server VM (build 11.0.13+8-google-release-451398016, mixed mode, sharing)
  4. version(s): ~head (with local patches)

Steps to reproduce

  1. Add errorprone warnings to the build
  2. Build.

SecurityUtils.createMtlsKeyStore will generate an InsecureCipherMode warning.

Code example

    PrivateKey key =
        KeyFactory.getInstance(cert.getPublicKey().getAlgorithm()).generatePrivate(keySpecPKCS8);
Capstan referenced this issue Jun 19, 2022
@arithmetic1728 @chingor13
feat: add mtls support for NetHttpTransport (#1147)
51762f2 
* feat: support keystore in transport for mtls

* fix format

* update code

* add tests

* update test and doc

* update names

* create keystore from cert and key string

* change certAndKey from string to inputstream

* add mtls file

* Update google-http-client/src/main/java/com/google/api/client/http/javanet/NetHttpTransport.java

Co-authored-by: Jeff Ching <chingor@google.com>

* Update google-http-client/src/main/java/com/google/api/client/http/javanet/NetHttpTransport.java

Co-authored-by: Jeff Ching <chingor@google.com>

* Update google-http-client/src/main/java/com/google/api/client/util/SslUtils.java

Co-authored-by: Jeff Ching <chingor@google.com>

* Update google-http-client/src/main/java/com/google/api/client/util/SslUtils.java

Co-authored-by: Jeff Ching <chingor@google.com>

* Update google-http-client/src/test/java/com/google/api/client/util/SecurityUtilsTest.java

Co-authored-by: Jeff Ching <chingor@google.com>

* Update google-http-client/src/main/java/com/google/api/client/util/SslUtils.java

Co-authored-by: Jeff Ching <chingor@google.com>

* update the code

* fix name

Co-authored-by: Jeff Ching <chingor@google.com>
@yoshi-automation yoshi-automation added the triage me I really want to be triaged. label Jun 20, 2022
@meltsufin
Copy link
Member

@TimurSadykov Is this something you can look at? Thanks!

@meltsufin meltsufin added priority: p3 Desirable enhancement or fix. May not be included in next release. and removed triage me I really want to be triaged. labels Jun 22, 2022
@TimurSadykov
Copy link
Member

ack, will take a look and update

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
priority: p3 Desirable enhancement or fix. May not be included in next release.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@Capstan @TimurSadykov @meltsufin @yoshi-automation and others