Add support for ECDH #998
Comments
You just have bad timing - I'm in the process of moving the website from Azure to GitHub and unfortunately, things are not going smoothly for me 😦 That said, you can still use the .com and .org website URLs to get to the old Azure site: http://www.mimekit.org/docs Now on to your actual question...
Where exactly are you getting this exception? I have a sneaking suspicion (though I could be wrong) that you are trying to convert between System.Security certificates/keys and BouncyCastle certificates/keys. If so, then you are correct, there is no code that can handle ECC private key conversion from System.Security to BouncyCastle. Conversion between the 2 APIs has not been fun, even with better supported algorithms in System.Security such as RSA and DSA. If you stick strictly with System.Security or BouncyCastle, things are more likely to work but there could be issues (I'm not 100% positive) - this is why I am asking for the location in the code that threw the exception. |
|
Oh thank god! The documentation is back and there is a chance of getting some information <3 Well - let's start:
I tracked it down to CryptServices.Generate(KeyParameter, SecureRandom) where the call to "GenerateWrappedKey" fails with that error. Within that function the CrypServices tries to call "CreateWrapper" with the keyEncryptionAlgorithm ::= 1.2.840.10045.2.1 (+params). Since I need to create the certificates myself I wrote an certificate generator that may be faulty. Thanks for your help! |
|
I was hoping for a StackTrace that showed a MimeKit stack frame to provide me with some context. Based on the stack you provided, though, it appears it's not anything to do with key conversion between the 2 platforms and looks like it's an issue with BouncyCastle itself? I'm not very knowledgeable about the internals of BouncyCastle, so I'm not sure I'm going to be much help in understanding that code or why things are failing there. The OID that BouncyCastle is using seems right to me? https://oidref.com/1.2.840.10045.2.1 I would probably recommend asking for help at https://github.com/bcgit/bc-csharp - specifically, Peter Dettman is the maintainer and is very knowledgeable about both BouncyCastle as well as cryptography and would definitely be able to help you. |
|
Oh, and for what it's worth, if you open an issue in the bc-csharp repo that I linked to, if you link back to this issue in MimeKit, it'll link the 2 issues making it easier to track. |
|
Thanks for the recommendation. I'll follow that hint and will link the issues. Maybe there is a need for another exception for ECC as there is one for RSA implemented in MimeKits "CreateWrapper" function. But I'll come back to that after getting some insight from the bc guys. |
|
Oh, I see what you are saying... the issue could be that BouncyCastleSecureMimeContext.CmsRecipientGenererator.CreateWrapper() might not be passing the correct |
|
Let's see, what the bc gurus think about it: bcgit/bc-csharp#516 |
|
Without knowing if I'm right or dumb I'd think, BC would like to have passed "ECIES" as "algorithm" to provide the ECDHBasicAgreement that maybe should be fed with the ECC params from the cert in order to use the correct curve and curve params ... But thats just a wild guess. |
|
That probably makes sense, but lets see what Peter Dettman says. I'm currently busy with my day job, but what does CollectionUtilities.GetValueOrKey() do with the algorithm string? My guess is that it tries to look up whatever algorithm string we feed it to get back a "canonical" name, but since (as you discovered), it is sending "1.2.840.10045.2.1", the lookup table probably doesn't have a match for that. |
|
Exactly - that one tries to lookup a friendly name and maybe that one should return the value "ECIES" instead of keeping the OID. Looking into that dictionary I doubt that one since this seems to lookup only the AES derivates and the other common symmetrical cryptography algorithms such as DES, TrippleDES, ARIA, RC4, ...
|
|
I wonder if the MimeKit code to get the wrapper is just going about things entirely the wrong way? As in, it seems pointless to call WrapperUtilities.GetWrapper() if none of the algorithms that MimeKit is likely to pass in are ever expected to match. Might be worth going straight to calling CipherUtilities.GetCipher() and then creating a wrapper around that (just like WrapperUtilities.GetWrapper() does if the algorithm doesn't match any of the handled enum values). |
|
I get your point, and it feels correct as you explain it. But from here I'm lost for now. I need to look deeper into your code in order to really understand the impact of the change, since for now the code works as intended when using RSA certificates ... |
|
Ugh, we can't call CipherUtilities(DerObjectIdentifier) directly because we'd lose out on the handy BufferedCipherWrapper class that is a nested class within WrapperUtilities. And I guess it wouldn't really gain us anything in that case (other than perhaps a slight optimization). Oh well, that was just a quick idea that turned out to be a dead end. I need to get back to my day job haha, but this is more interesting. |
|
@myst3rium are you generating your own EC keys? If so, which elliptic curve? I'm working on trying to add some unit tests for this. |
|
Hi @jstedfast, [Short version] - secp256r1 (P-256), secp384r1 (P-384) and secp521r1 (P-521) [ellaborate version] In my research I found another article [2] from March 2015 (sorry - its german) that came to the same conclusion: Most browsers only support these three curves. The last reference I can provide is a question on security stackexchange [3]. The answer refers to NSA Suite B that contains curves P-256 and P-384. So chrome seems to stick to this suite and removed secp521r1 for no known reason. P-521 may be used as well since it's not less secure but less efficient than P-256. So if most browsers refer to these curves, they seem to be some kind of "silent" standard that should work properly. [references] |
|
Addendum: [references] |
|
I would love if you could give these changes a spin and make sure everything works as expected. Hoping to make a new release in a week or so if I can. I tried adding unit tests for DSA but those didn't work (DSA seems obsolete at this point anyway). Then there's DiffieHellman and Edwards Curve private keys that probably need to be handled at some point? Tried testing EC keys with the WindowsSecureMimeContext but it seems the Microsoft CMS implementation does not currently support that. |
|
Hi @jstedfast,
Having just finished a big chunk at work, I was finally able to test your implementation and it works. I am very happy that I am now able to encrypt and decrypt using the "new" standards and I am very grateful for the work you have put into it! I've tried to look through the latest commits, but I need a little more time to really understand what's going on. I am amazed at how quickly you were able to make such complex changes. About my testing scenario: |
|
Awesome, thanks so much for verifying that things work for your needs! |
|
That's the least I could contribute. For all the work you've done, I owe it to you to at least test the changes in my setup properly. |
RSA is getting older and older and, in view of the massive increase in computing power, it is becoming increasingly vulnerable. On the other hand, there are the "new" elliptic curves, which offer secure encryption with significantly less effort.
I tried using MimeKit with certificates with ECC instead of RSA and dug deep into the library to see that the library doesn't seem to support ECC certificates; everything seems to be designed for RSA. So I keep getting the error "unkown cipher" when using an ECC certificate.
Maybe I just missed anything anywhere but the fact that the official API documentation (http://jstedfast.github.io/MimeKit/docs) is unreachable, too, doesn't make it easier to find a solution.
I would therefore be very grateful for at least some help and information in this area.
The text was updated successfully, but these errors were encountered: