nss: add ECDSA-SHA256 support #83

Merged
merged 1 commit into from Feb 25, 2017

Conversation

Projects
None yet
2 participants
@vmiklos
Contributor

vmiklos commented Feb 17, 2017

make check-crypto-nss XMLSEC_TEST_NAME="aleksey-xmldsig-01/enveloping-sha256-ecdsa-sha256"

now passes after these changes. Other notes:

  • the NSS representation of ECDSA keys is ecKey

  • the NSS identifier for ECDSA-SHA256 is
    SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE

  • ECDSA has no fixed signature size, as it depends on the curve
    parameters. This means the size has to be always told explicitly to
    NSS, so DSAU_DecodeDerSig() -> DSAU_DecodeDerSigToLen(),
    DSAU_EncodeDerSig() -> DSAU_EncodeDerSigWithLen().

  • the full list of supported ECDSA parameters is at e.g. NSS ecdecode.c,
    EC_FillParams():
    https://dxr.mozilla.org/nss/source/nss/lib/freebl/ecdecode.c#214

@lsh123

Which version of NSS does support ECDSA? Should the configure.in be changed appropriately?

src/nss/signatures.c
- xmlSecTransformGetName(transform));
- return(-1);
+ if(ctx->alg == SEC_OID_ANSIX9_DSA_SIGNATURE_WITH_SHA1_DIGEST) {
+ statusDer = DSAU_EncodeDerSig(&signatureDer, &signature);

This comment has been minimized.

@lsh123

lsh123 Feb 18, 2017

Owner

Is it possible to use DSAU_EncodeDerSigWithLen() for SHA1 too?

@lsh123

lsh123 Feb 18, 2017

Owner

Is it possible to use DSAU_EncodeDerSigWithLen() for SHA1 too?

This comment has been minimized.

@vmiklos

vmiklos Feb 18, 2017

Contributor

Indeed, the difference between the two is just an assert before they call a shared internal function, so using DSAU_EncodeDerSigWithLen() for both makes sense.

@vmiklos

vmiklos Feb 18, 2017

Contributor

Indeed, the difference between the two is just an assert before they call a shared internal function, so using DSAU_EncodeDerSigWithLen() for both makes sense.

nss: add ECDSA-SHA256 support
make check-crypto-nss XMLSEC_TEST_NAME="aleksey-xmldsig-01/enveloping-sha256-ecdsa-sha256"

now passes after these changes. Other notes:

- the NSS representation of ECDSA keys is ecKey

- the NSS identifier for ECDSA-SHA256 is
  SEC_OID_ANSIX962_ECDSA_SHA256_SIGNATURE

- ECDSA has no fixed signature size, as it depends on the curve
  parameters. This means the size has to be always told explicitly to
  NSS, so DSAU_DecodeDerSig() -> DSAU_DecodeDerSigToLen(),
  DSAU_EncodeDerSig() -> DSAU_EncodeDerSigWithLen().

- the full list of supported ECDSA parameters is at e.g. NSS ecdecode.c,
  EC_FillParams():
  https://dxr.mozilla.org/nss/source/nss/lib/freebl/ecdecode.c#214

- ECDSA support is available in 3.11.1 according to
  <https://wiki.mozilla.org/NSS:Roadmap:Archive#Elliptic_Curve_Cryptography>,
  so upgrade the minimal version requirement accordingly.
@vmiklos

This comment has been minimized.

Show comment
Hide comment
@vmiklos

vmiklos Feb 18, 2017

Contributor

https://wiki.mozilla.org/NSS:Roadmap:Archive#Elliptic_Curve_Cryptography says 3.11.1 should be the new requirement, hopefully that's not really problematic, I have 3.28 e.g. here.

Contributor

vmiklos commented Feb 18, 2017

https://wiki.mozilla.org/NSS:Roadmap:Archive#Elliptic_Curve_Cryptography says 3.11.1 should be the new requirement, hopefully that's not really problematic, I have 3.28 e.g. here.

@vmiklos

This comment has been minimized.

Show comment
Hide comment
@vmiklos

vmiklos Feb 24, 2017

Contributor

Hi,

Can I help anything to get this reviewed? :-)

Thanks,

Miklos

Contributor

vmiklos commented Feb 24, 2017

Hi,

Can I help anything to get this reviewed? :-)

Thanks,

Miklos

@lsh123

This comment has been minimized.

Show comment
Hide comment
@lsh123

lsh123 Feb 25, 2017

Owner

Apologies, I thought I already merged it :)

Owner

lsh123 commented Feb 25, 2017

Apologies, I thought I already merged it :)

@lsh123 lsh123 merged commit bf68612 into lsh123:master Feb 25, 2017

@vmiklos vmiklos deleted the vmiklos:nss-ecdsa-sha256 branch Feb 25, 2017

vmiklos added a commit to vmiklos/xmlsec that referenced this pull request Mar 6, 2017

nss: add ECDSA-SHA256 support (#83)
Conflicts:
	configure.ac
	src/nss/signatures.c

vmiklos added a commit to vmiklos/xmlsec that referenced this pull request Apr 20, 2017

nss: add ECDSA-SHA256 support (#83)
Conflicts:
	configure.ac
	src/nss/signatures.c
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment