Closed
moz-v2v-gh pushed a commit that referenced this pull request on Oct 26, 2017:
…x suggested by Dan Veditz. Thanks to Hubert Kario for performance analysis. r=fkiefer
moz-v2v-gh pushed a commit that referenced this pull request on Nov 22, 2017.
moz-v2v-gh pushed a commit that referenced this pull request on Mar 8, 2018:
Summary: Previously, NSS dropped PKCS #8 PrivateKeyInfo when importing a private key from a PKCS #12 file. This patch attaches the corresponding CKA_PUBLIC_KEY_INFO attribute to a private key when unwrapping it (see PKCS #11 v2.40 4.9). When wrapping it again, the attribute is restored in the encrypted PrivateKeyInfo.
Reviewers: rrelyea
Reviewed By: rrelyea
Bug #: 1413596
Differential Revision: https://phabricator.services.mozilla.com/D198
moz-v2v-gh pushed a commit that referenced this pull request on Mar 23, 2018:
Per Bug 1436873, Windows is limited on importing PKCS12 files of 600k rounds or less. So for compatibility's sake, let's limit there, too.
moz-v2v-gh pushed a commit that referenced this pull request on Mar 26, 2018:
Per Bug 1436873, Windows is limited on importing PKCS12 files of 600k rounds or less. So for compatibility's sake, let's limit there, too.
--HG--
branch : NSS_3_36_BRANCH
moz-v2v-gh pushed a commit that referenced this pull request on May 4, 2021:
…ult r=mt
Also fixes: Bug 452464 pk12util -o fails when -C option specifies AES or Camellia ciphers
Related: Bug 1694689 Firefox should use modern algorithms in PKCS#12 files by default
Bug 452471 pk12util -o fails when -c option specifies pkcs12v2 PBE ciphers
The base of this fix was a simple 3 line fix in pkcs12.c, changing the initial setting of cipher and cert cipher. Overview for why this patch is larger than just 3 lines:
1. First issue was found in trying to change the mac hashing value.
a. While the decrypt side knew how to handle SHA2 hashes, the equivalent code was not updated on the encrypt side. I refactored that code and placed the common function in p12local.c. Now p12e.c and p12d.c share common code to find the required function to produce the mac key.
b. The prf hmac was hard coded to SHA1. I changed the code to pass the hmac matching the hashing algorithm for the mac. This required changes to p12e.c to calculate and pass the new hmac as well and adding new PK11_ExportEncryptedPrivateKey and PK11_ExportEncryptedPrivKey to take the PKCS #5 v2 parameters. I also corrected an error which prevented pkcs12 encoding of ciphers other than AES.
2. Once I'd made my changes, I realized we didn't have a way of testing them. While we had code that verified that particular sets of parameters for pkcs12 worked together and could be listed and imported, we didn't have a way to verify what algorithms were actually generated by our tools.
a. pk12util -l doesn't list the encryption used for the certs, so I updated pp to take a pkcs12 option. In doing so I had to update pp to handle indefinite encoding when decoding blocks. I also factored that decoding out into its own function so the change only needed to be placed once. Finally I re-enabled a function which prints the output of an EncryptedPrivate key. This function was disabled long ago when the Encrypted Private key info was made private for NSS. It has since been exported, so these functions could easily be enabled (archeological note: I verified that this disabling was not a recent thing; I found I had done it back when I still had a netscape email address ;).
b. I updated tools.sh to use the new pp -t pkcs12 feature to verify that the key encryption, cert encryption, and hash functions matched what we expected when we exported a new key. I also updated tools.sh to handle the new hash variable option to pk12util.
c. I discovered several tests commented out with comments that they don't work. I enabled those tests and discovered that they can now encrypt, but they can't decrypt because of pkcs12 policy. I updated the policy code, but I updated it to use the new NSS system wide policy mechanism. This enabled all the ciphers to work. There is still policy work to do. The pk12 policy currently only prevents ciphers from use in decrypting the certificates, not decrypting the keys and not encrypting. I left that for future work.
3. New options for pp and pk12util were added to the man pages for these tools.
---------------------------------------------------------------------------
With that in mind, here's a file by file description of the patch:
automation/abi-check/expected-report-libnss3.so.txt
-Add new exported functions. (see lib/nss/nss.def)
cmd/lib/basicutil.h:
-Removed the HAVE_EPV_TEMPLATE ifdefs (NSS has exported the Encrypted Private Key data structure for a while now).
cmd/lib/secutil.c:
global: Updated several functions to take a const char * m (message) rather than a char * m
global: Made the various PrintPKCS7 return an error code.
global: Added a state variable to be passed around the various PKCS7 Print functions. It gives the proper context to interpret PKCS7 Data Content. PKCS 12 used PKCS7 to package the various PKCS12 Safes and Bags.
-Updated SECU_StripTagAndLength to handle indefinite encoding, and to set the Error code.
-Added SECU_ExtractDERAndStep to grab the next DER Tag, Length, and Data.
-Updated secu_PrintRawStringQuotesOptional to remove the inline DER parsing and use SECU_ExtractDERAndStep().
-Updated SECU_PrintEncodedObjectID to return the SECOidTag just like SECU_PrintObjectID.
-Re-enable SECU_PrintPrivateKey
-Added secu_PrintPKCS12Attributes to print out the Attributes tied to a PKCS #12 Bag
-Added secu_PrintPKCS12Bag to print out a PKCS #12 Bag
-Added secu_PrintPKCS7Data, which uses the state to determine what it was printing out.
-Added secu_PrintDERPKCS7ContentInfo which is identical to the global function SECU_PrintPKCS7ContentInfo except it takes a state variable. The latter function now calls the former.
-Added secu_PrintPKCS12DigestInfo to print the Hash information of the Mac. DigestInfo is the name in the PKCS 12 spec.
-Added secu_PrintPKCS12MacData to print the Mac portion of the PKCS 12 file.
-Added SECU_PrintPKCS12 to print out the pkcs12 file.
cmd/lib/secutil.h
-Added string for pkcs12 for the command line of pp
-Re-enabled SECU_PrintPrivateKey
-Added SECU_PrintPKCS12 for export.
cmd/pk12util/pk12util.c
-Added the -M option to specify a hash algorithm for the mac.
-Updated P12U_ExportPKCS12Object: pass the hash algorithm to the PasswordIntegrity handler.
-Added PKCS12U_FindTagFromString: generalized string to SECOidTag which only filters based on the oid having a matching PKCS #11 mechanism.
-Updated PKCS12U_MapCipherFromString to use PKCS12U_FindTagFromString to get the candidate tag before doing its post processing to decide if the tag is really an encryption algorithm.
-Added PKCS12U_MapHashFromString which is like MapCipherFromString except it verifies the resulting tag is a hash object.
-Updated main to 1) change the default cipher, change the default certCipher, and process the new hash argument. NOTE: in the old code we did not encrypt the certs in FIPS mode. That's because the certs were encrypted with RC4 in the default pkcs12 file, which wasn't a FIPS algorithm. Since AES is, we can use it independent of whether or not we are in FIPS mode.
cmd/pp/pp.c
-Added the pkcs12 option which calls SECU_PrintPKCS12 from secutil.c
lib/nss/nss.def
-Add exports to the new PK11_ExportEncryptedPrivKeyInfoV2 and PK11_ExportEncryptedPrivateKeyInfoV2 (V2 means PKCS 5 v2, not Version 2 of ExportEncrypted*Info).
-Add export for the old HASH_GetHMACOidTagByHashOidTag which should have been exported long ago to avoid the proliferation of copies of this function in places like ssl.
lib/pk11wrap/pk11akey.c
-Add PK11_ExportEncryptedPrivKeyInfoV2 (which the old function now calls), which takes the 3 PKCS 5 v2 parameters. The underlying pkcs5 code can fill in missing tags if necessary, but supplying all three gives the caller full control of the underlying pkcs5 PBE used.
-Add PK11_ExportEncryptedPrivateKeyInfoV2, same as the above function except it takes a cert which is used to look up the private key. It's the function that pkcs12 actually uses, but the former was exported for completeness.
lib/pk11wrap/pk11pub.h
-Added the new PK11_ExportEncryptedPriv*KeyInfoV2 functions.
lib/pkcs12/p12d.c
-Remove the switch statement and place it in p12local.c so that p12e.c can use the same function.
lib/pkcs12/p12e.c
-Remove the unnecessary privAlg check so we can encode any mechanism we support. This only prevented encoding certificates in the pk12 file, not the keys.
-Add code to get the hmac used in the pbe prf from the integrity hash, which is under application control.
-Do the same for key encryption, then use the new PK11_ExportEncryptedPrivateKeyInfo to pass that hash value.
-Use the new sec_pkcs12_algtag_to_keygen_mech so there is only one switch statement to update rather than 2.
-Update the hash data to hold the length of the largest hash rather than the length of a SHA1 hash.
lib/pkcs12/p12local.c
-Add new function sec_pkcs12_algtag_to_keygen_mech to factor out the common switch statement between p12e and p12d.
lib/pkcs12/p12local.h
-Export the new sec_pkcs12_algtag_to_keygen_mech
lib/pkcs12/p12plcy.c
-Map the old p12 policy functions to use the new NSS_GetAlgorithmPolicy. We keep the old table so that applications can change the policy with the old PKCS12 specific defines (so the old code keeps working). NOTE: policies now default to true rather than false.
lib/util/secoidt.h
-Add new NSS_USE_ALG_IN_PKCS12 used by pk11plcy.c
NOTE: I have not updated the policy table in pk11wrap/pk11pars.c, so we can't yet control pkcs12 policy with the nss system policy table. That's a patch for another time.
test/tools/tool.sh
-global: Remove trailing spaces
-global: DEFAULT is changed to 'default'
-Update the PBE mechanism to exactly match the string in secoid.c. PKCS #12 does case independent compares, so case doesn't matter there, but now I'm comparing to the output of pp, and I didn't want to spend the time to figure out case independent compares in bash.
-Add our defaults and shell variables at the top so they are easy to change in the future. export_with_*** have all been collapsed into a single export_p12_file which handles taking 'default' and turning off that argument.
-Add for loops for the hash functions.
-Restore the camellia ciphers back now that they work.
-Restore the pkcs12V2pbe back now that they work.
-Collect various pbe types into single variables and use those variables in loops
-Reduce the number of tests run in optimized mode (which takes 60x the time to do a pbe than debug mode based on a larger iterator).
-Add verify_p12 which dumps out the p12 file and makes sure the expected CERT_ENCRYPTION, KEY_ENCRYPTION, and HASH are used.
doc/pp.xml
-Add pkcs12 option
doc/pk12util.xml
-Add -M option
-Update synopsis with options in the description but not in the synopsis
Differential Revision: https://phabricator.services.mozilla.com/D113699
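The HASH check that verify_p12 adds to tools.sh above, and the 600k-round import limit from the Mar 23, 2018 commit, can also be checked outside NSS. The following is an added example, not code from NSS or from this patch: a pure-Python DER walker that reads a PFX's MacData and reports the MAC digest algorithm and iteration count; the sample PFX it builds is constructed here with a dummy payload and a dummy MAC value.

```python
# Added example (not NSS code): read the MacData of a PKCS #12 PFX and report
# the MAC digest algorithm and iteration count, the two values NSS's verify_p12
# HASH check and the Windows 600k-round limit are concerned with. Pure Python.

WINDOWS_MAX_ROUNDS = 600000  # Bug 1436873: Windows refuses files above this
OID_NAMES = {"1.3.14.3.2.26": "SHA-1",
             "2.16.840.1.101.3.4.2.1": "SHA-256",
             "2.16.840.1.101.3.4.2.3": "SHA-512"}

# ---- minimal DER encoder, used only to build the constructed sample ----
def der(tag, content):
    assert len(content) < 0x80, "sample builder only needs short-form lengths"
    return bytes([tag, len(content)]) + content

def der_int(v):  # (bit_length + 8) // 8 bytes keeps the sign bit clear (v >= 0)
    return der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))

def der_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return der(0x06, bytes(out))

# ---- minimal DER decoder (short and long definite lengths) ----
def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0:
            raise ValueError("indefinite length is not valid DER")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def der_children(content):
    """Split a constructed element's content into (tag, body) pairs."""
    items, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_read(content, pos)
        items.append((tag, body))
    return items

def oid_to_dotted(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def inspect_macdata(pfx):
    """Return {'oid', 'hash', 'iterations'} from the MacData, or None if absent.
    PFX ::= SEQUENCE { version INTEGER, authSafe ContentInfo, macData MacData OPTIONAL }
    MacData ::= SEQUENCE { mac DigestInfo, macSalt OCTET STRING, iterations INTEGER DEFAULT 1 }
    """
    tag, body, _ = der_read(pfx)
    if tag != 0x30:
        raise ValueError("PFX is not a SEQUENCE")
    parts = der_children(body)
    if int.from_bytes(parts[0][1], "big") != 3:
        raise ValueError("unsupported PFX version")
    if len(parts) < 3:
        return None  # no MacData: the file carries no integrity protection
    mac_fields = der_children(parts[2][1])
    digest_info = der_children(mac_fields[0][1])
    alg_id = der_children(digest_info[0][1])
    oid = oid_to_dotted(alg_id[0][1])
    iters = int.from_bytes(mac_fields[2][1], "big") if len(mac_fields) > 2 else 1
    return {"oid": oid, "hash": OID_NAMES.get(oid, "unknown"), "iterations": iters}

def windows_importable(info):
    """True when the file has a MAC and its round count is within the Windows limit."""
    return info is not None and info["iterations"] <= WINDOWS_MAX_ROUNDS

def build_sample_pfx(hash_oid, iterations):
    """Constructed sample: version 3, a dummy pkcs7-data authSafe, and a MacData
    whose digest value is all zeros (not a real HMAC); only the structure matters."""
    auth_safe = der(0x30, der_oid("1.2.840.113549.1.7.1") + der(0xA0, der(0x04, b"\x00")))
    alg_id = der(0x30, der_oid(hash_oid) + der(0x05, b""))
    digest_info = der(0x30, alg_id + der(0x04, b"\x00" * 32))
    mac_data = der(0x30, digest_info + der(0x04, b"\x01" * 8) + der_int(iterations))
    return der(0x30, der_int(3) + auth_safe + mac_data)

if __name__ == "__main__":
    for oid, rounds in (("2.16.840.1.101.3.4.2.1", 2048), ("1.3.14.3.2.26", 1000000)):
        info = inspect_macdata(build_sample_pfx(oid, rounds))
        print(info, "windows-importable:", windows_importable(info))
```

On a real file, pass the bytes read from the .p12 to inspect_macdata; the decoder handles long-form lengths even though the sample builder does not need them.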
Collaborator
Already done.
moz-v2v-gh pushed a commit that referenced this pull request on May 24, 2024:
…olicy r=kaie
This patch adds the following policy flags:
NSS_USE_ALG_IN_SMIME_ENCRYPT
NSS_USE_ALG_IN_SMIME_LEGACY
NSS_USE_ALG_IN_SMIME_KX_ENCRYPT
NSS_USE_ALG_IN_SMIME_KX_LEGACY
NSS_USE_ALG_IN_PKCS12_ENCRYPT
NSS_USE_ALG_IN_PKCS12_DECRYPT
The NSS_USE_ALG_IN_PKCS12_DECRYPT reuses the old NSS_USE_ALG_IN_PKCS12 flag. The latter is now a combination of NSS_USE_ALG_IN_PKCS12_DECRYPT and NSS_USE_ALG_IN_PKCS12_ENCRYPT. The _LEGACY and _DECRYPT flags handle cases where we are dealing with preexisting files we want to process. In these cases we want policy to be more lenient so we can still import keys and read old email. The corresponding _ENCRYPT flags are only meaningful if the _LEGACY flags are set. Combo defines of NSS_USE_ALG_IN_SMIME, NSS_USE_ALG_IN_SMIME_KX, and NSS_USE_FLAGS_IN_PKCS12 represent this combination, and all the flags should be set.
In adding new S/MIME policy for encryption algorithms, we now clear those bits from all policy oids. This allows us to use the policy oids to figure out what algorithms are even possible. If no policies for S/MIME are turned on, then we will use the default S/MIME values, and those will be turned on implicitly. This also prevents us from turning on RC4 or other ciphers that would 'work' with S/MIME but should be enabled generally (someone could turn on RC4 manually, or explicitly, but just adding enable=rc4 will only turn on SSL and not S/MIME; you'd have to say enable=rc4/smime to get smime explicitly).
Like SSL, we can control the default enabled ciphers for S/MIME. This primarily controls what ciphers are included in the capabilities list we send to others. Even though a policy may be enabled for legacy, we only include it in the list if it is allowed for both legacy and encrypt. The theory here is we want to decrypt email sent by others in the past, or using old S/MIME capabilities, but we want them to use the stronger ciphers in the future. If you don't enable any S/MIME ciphers explicitly, then S/MIME will enable the existing default ciphers (which are allowed by policy). The whole enable infrastructure is replaced from a static array with bools to a dynamic list that includes the enabled oids in preference order. If the oids are enabled through the policy system, then the system sorts the oids by key length, preferring older known ciphers to new ones.
Key length checks for key exchange have been added as well. Key length checks for signatures already happen in the signature code.
While implementing and testing, a few bugs were identified and fixed.
Detailed explanation of the patch:
cmd/pk12util/pk12util.c
- remove the explicit enable calls. All ciphers are already enabled by default, and we want pk12util to accept system policy changes.
cmd/smimetools/cmsutil.c
- when we add certificates, also add the S/MIME profile to the database.
- fix reference and memory leak in the signerinfo if we fail before the signerinfo is added to the NSSCMSMessage.
- remove hard coded Hash identifiers and fetch the hash from the OID table and verify it with the HASH_ functions.
lib/certhigh/certvfy.c
- check the KEY_SIZE_FLAGS for KEY_SIZE_VERIFY before applying the min key lengths. This allows us to test the S/MIME KEA KEY_SIZE_FLAGS by just setting the KEY_SIZE_SMIME flag explicitly in the test. I've updated the default flags to have all the flags on by default (not just SSL).
- (NOTE: I did not try to update the ECC side with ECC min lengths at this point).
lib/cryptohi/keyhi.h
lib/cryptohi/keyi.h
lib/cryptohi/seckey.c
lib/cryptohi/secsign.c
lib/cryptohi/secvfy.c
- export SECKEY_EnforceKeySize for use in S/MIME
lib/nss/nss.def
automation/abi-check/expected-report-libnss3.so.txt
- export a bunch of new functions:
HASH_GetHashOidTagByHMACOidTag, SECKEY_EnforceKeySize, and SECKEY_PrivateKeyStrengthInBits are existing functions that S/MIME or the tools need to call
SEC_PKCS5GetCryptoFromAlgTag, SEC_PKCS5GetHashAlgorithm, and SEC_PKCS5GetHashFromAlgTag are new functions to extract algtags from PKCS5pbe oidtags and algorithm IDs so they can be checked against policy.
lib/nss/nss.h
- add NSS_KEY_SIZE_POLICY_SMIME
lib/nss/nssoptions.c
- update the key size default to have all the flags, not just ssl.
lib/pk11wrap/pk11nobj.c
- fix bug in pk11nobj.c where we weren't finding S/MIME profile objects in the database if the database was sql
lib/pk11wrap/pk11pars.c
- Add SMIME and PKCS12 identifiers and flags.
- fix bug in secmod_getPolicyOptValue so it succeeds when parsing key-size parameters.
- Enable/disable setting has been moved to a helper function, secmod_setDefault to handle the case that we now have separate ssl and s/mime enablement. (NOTE: remember enable implies allow)
lib/pk11wrap/pk11pbe.c
lib/pk11wrap/secpkcs5.h
- implement new functions to extract algtags from PKCS5pbe oidtags and algorithm IDs so they can be checked against policy.
lib/pk11wrap/pk11priv.h
lib/pk11wrap/pk11pub.h
- export PK11_GetMaxKeyLength
lib/pkcs12/p12d.c
lib/pkcs12/p12e.c
lib/pkcs12/p12plcy.c
lib/pkcs12/p12plcy.h
- add pkcs12 policy checks.
- p12plcy decomposes the PBE into encryption and hash algorithms and checks policy on both. It deals with the differences between pkcs5v1 pkcs12pbe and pkcs5v2
lib/smime/cmsdigest.c
lib/smime/cmsencdata.c
lib/smime/cmsrecinfo.c
lib/smime/cmssiginfo.c
- add smime policy checks
- NSS_CMSRecipientInfo_UnwrapBulkKey was reordered to collect the algid and encryption key, then handle the actual operation in a new encalgtag switch.
lib/smime/smime.def
automation/abi-check/expected-report-libsmime3.so.txt
- export the new PKCS12 helpers to return policy (shouldn't we export the smime ones as well?)
lib/smime/smime.h
- export the new S/MIME utils for checking various S/MIME policies.
lib/smime/smimemessage.c
- Fix same signerinfo leak as in cmd/smimetools/cmsutil.c
lib/smime/smimeutil.c
- This file has been pretty heavily rewritten. There used to be a static array which mapped the old SMIME algorithm value to an OID, a parameter, enabled/disabled, and allowed/disallowed (policy). The table has been repurposed to map the old SMIME algorithm to an OID tag which reflects the policy and is now a CONST table. It also functions as the list of known old algorithms to default to if no algorithms are set by policy. NOTE that SEC_OID_RC2_XXX_CBC are 'fake' oids to allow mapping the policy with keysize explicitly. This matches all the other algorithms which encode the key length in the oid.
- smime_legacy_to_policy and smime_legacy_to_oid map the old SMIME algorithm values to the modern oid value. This allows the old functions to still use the old values, but also work using an actual oid.
- smime_allowed_by_policy is a helper to check an algtag for a particular policy. All requested policy bits must match.
- smime_key_size_by_cipher is a helper to get the keysize from an algtag. The general case should be handled in pk11wrap, but we don't have a function there to do that yet.
- SMIMEList and smime_algorithm_list is a simple array list, ordered by algorithm preference. This replaces the enable field of the old static algorithm table. smime_list_ are helper functions. NOTE: smime_list_index_find returns table_size if the element is not found. This means you need to know smime_list_length when this function is called, and you need to lock around references to prevent the table from changing while you work with it.
- smime_init_once handles initializing our policy and enable arrays based on existing policy and handling the default cases when no policy has been enabled.
- nss_SMIME_FindCipherForSMIMECap, smime_choose_cipher, NSS_SMIMEUtil_FindBulkAlgForRecipients, and smime_create_capability have been rewritten to use the new policy system and enable list. RC2 was the only cipher that needed parameters, so the parameters are generated on the fly if necessary.
- NSS_SMIMEUtil_CreateSMIMECapabilities, as well as being recoded to use the new lists, has also been updated to include hash and key encipherment algorithms.
lib/ssl/sslinit.c
- add a shutdown function so that we reset the default algorithms and policy if NSS is initialized again after shutdown. (probably haven't run into any issues because few applications of any complexity can actually successfully shut NSS down.)
lib/util/nssutil.def
lib/util/secoid.c
lib/util/secoid.h
- add new helper functions to 1) return the number of recognized oid tags in the system (including dynamic oids), 2) find all the oids which are approved for a particular policy (used by SMIME to determine what oids are valid and if we need to initialize policy from the default list), 3) set or clear a policy on all the oids (used to clear the S/MIME policy so getting all the S/MIME policy oids is meaningful).
- also add the RC2_XXX fake oids to the oid table (RC2_40 already exists).
- clear the SMIME policy from oids by default.
- allow legacy decrypt for PKCS #12 files decrypting old integrity or pbe hash values. Only allow reading, not generation.
lib/util/secoidt.h
- add the RC2_XXX fake oids to the oid table (RC2_40 already exists).
- add the new NSS_USE_ALG defines. make CMS_SIGNATURE an alias for SMIME_SIGNATURE and keep the same bit.
- NSS_USE_ALG_IN_PKCS12 becomes NSS_USE_ALG_IN_PKCS12_DECRYPT, and the new NSS_USE_ALG_IN_PKCS12 becomes NSS_USE_ALG_IN_PKCS12_DECRYPT|NSS_USE_ALG_IN_PKCS12_ENCRYPT
- Add more combo defines.
tests -------------------------------------------------
tests/common/init.sh
tests/policy/policy.sh
tests/ssl/ssl.sh
- move the generic policy setup code from ssl.sh to init.sh add generic save and restore functions.
- move the ignore_blank_lines macro from ssl.sh and policy.sh to init.sh
tests/policy/crypto-policy.txt
- add s/mime policy values to verify parsing validity
tests/smime/smime.sh
- add loop to test smime policy. Each test uses two entities, a sender and a receiver. Each gets its own policy.
The receiver first creates a signed s/mime message with capabilities.
The sender then receives the message, and if successful stores the cert and the capabilities.
The sender then encrypts a message. The chosen cipher is verified to be the expected cipher.
The receiver decrypts the message and verifies it.
The expected return values are checked for each operation, which may fail by policy. If the expected operation does not fail by policy when it should, it generates a test failure.
tests/smime/smimepolicy.txt
- new file with the list of policy tests used by the loop above. new tests can be added by simply adding them to this file.
tests/tools/tools.sh
- existing helpers were updated with new parameters which can vary in the policy case.
- add loop to test pkcs12 policy. Each test sets up two entities, an exporter and an importer. Each gets its own policy.
The exporter exports a private key.
The importer imports the private key.
The expected return values are checked for each operation, which may fail by policy. If the expected operation does not fail by policy when it should, it generates a test failure.
tests/tools/pkcs12policy.txt
- new file with the list of policy tests used by the loop above. new tests can be added by simply adding them to this file.
Differential Revision: https://phabricator.services.mozilla.com/D204145
moz-v2v-gh pushed a commit that referenced this pull request on May 29, 2024:
…olicy r=jschanck
Fix tools test failures.
Differential Revision: https://phabricator.services.mozilla.com/D212060
--HG--
extra : amend_source : c2f4584b097dba88a00b9f4a059012ea2b1ef940
moz-v2v-gh pushed a commit that referenced this pull request on Jun 6, 2024:
…olicy r=kaie
This patch addes the following policy flags:
NSS_USE_ALG_IN_SMIME_ENCRYPT
NSS_USE_ALG_IN_SMIME_LEGACY
NSS_USE_ALG_IN_SMIME_KX_ENCRYPT
NSS_USE_ALG_IN_SMIME_KX_LEGACY
NSS_USE_ALG_IN_PKCS12_ENCRYPT
NSS_USE_ALG_IN_PKCS12_DECRYPT
The NSS_USE_ALG_IN_PKCS12_DECRYPT reuses the old NSS_USE_ALG_IN_PKCS12 flag. The latter is now a combination of NSS_USE_ALG_IN_PKCS12_DECRYPT and NSS_USE_ALG_IN_PKCS12_ENCRYPT. The _LEGACY and _DECRYPT flags handle cases where we are dealing with preexisting files we want to process. In these cases we want policy to be more lenient so we can still import keys and read old email. The corresponding _ENCRYPT flags are only meaningfull if the _LEGACY flags are set. Combo defines of NSS_USE_ALG_IN_SMIME, NSS_USE_ALG_IN_SMIME_KX, and NSS_USE_FLAGS_IN_PKCS12 represent this combination, and all the flags should be set.
In adding new S/MIME policy for encryption algorithms, we now clear those bits from all policy oids. This allows us to use the policy oids to figure out what algorithms are even possible. If no policies for S/MIME are turned on, then we will use the default S/MIME values, and those will be turned on implicitly. This also prevents us from turning on RC4 or other ciphers that would 'work' with S/MIME but should be enabled generally (someone could turn on RC4 manually, or explicity, but just adding enable=rc4 will only turn on SSL and not S/MIME (you'd have to say enable=rc4/smime to get smime explicity).
Like SSL, we can control the default enabled ciphers for S/MIME. This primarily controls what ciphers are included in our capabilities list we send to others. Even though a policy may be enabled for legacy, we only include it in the list if it is allowed for both legacy and encrypt. The theory here is we want to decrypt email sent by others in the past, or using an old S/MIME capabilities, but we want them to use the stronger ciphers in the future. If you dont' enable any S/MIME ciphers explicitly, then S/MIME will enable the existing default ciphers (which are allowed by policy). The whole enable intrastructure is replaced from a static array with bools, to a dynamic list that includes that enabled oid in preference order. If the oids are enabled through the policy system, then the system sorts the oids by key length and preferring older known ciphers to new ones.
Key length checks for key exchange have been added as well. Key length checks for signature already happens in the signature code.
While implementing and testing a few bugs were identified and fixed.
Detailed explanation of the patch:
cmd/pk12util/pk12util.c
- remove the explicit enable calls. All ciphers are already enabled by default, and we want pk12util to accept system policy changes. cmd/smimetools/cmsutil.c
- when we add certificates, also add the S/MIME profile to the database.
- fix reference and memory leak in the signerinfo if we fail before the signerinfo is added to the NSSCMSMessage.
- remove hard coded Hash identifiers and fetch the hash from the OID table and verify it with the HASH_ functions. lib/certhigh/certvfy.c
- check the KEY_SIZE_FLAGS for KEY_SIZE_VERIFY before applying the min key lengths. This allows us to test the S/MIME KEA KEY_SIZE_FLAGS by just setting the KEY_SIZE_SMIME flag explicitly in the test. I've updated the default flags to have all the flags on by default (not just SSL).
- (NOTE: I did not try to update the ECC side with ECC min lengths at this point). lib/cryptohi/keyhi.h lib/cryptohi/keyi.h lib/cryptohi/seckey.c lib/cryptohi/secsign.c lib/cryptohi/secvfy.c
- export SECKEY_EnforceKeySize for use in S/MIME lib/nss/nss.def automation/abi-check/expected-report-libnss3.so.tx
- export a bunch of new functions:
HASH_GetHashOidTagByHMACOidTag,SECKEY_EnforceKeySize, and SECKEY_PrivateKeyStrengthInBits are existing functions that S/MIME or the tools need to call
SEC_PKCS5GetCryptoFromAlgTag, SEC_PKCS5GetHashAlgorithm, and SEC_PKCS5GetHashFromAlgTag are new functions to extract algtags from PKCS5pbe oidtags and algorithm IDs so they can be checked against policy.
lib/nss/nss.h
- add NSS_KEY_SIZE_POLICY_SMIME
lib/nss/nssoptions.c
- update the key size default to have all the flags, not just ssl.
lib/pk11wrap/pk11nobj.c
- fix bug in pk11nobj.c where we weren't finding S/MIME profile objects in the database if the database was sql
lib/pk11wrap/pk11pars.c
- Add SMIME and PKCS12 identifiers and flags.
- fix bug in secmod_getPolicyOptValue so it succeeds when parsing key-size paramters.
- Enable/disable setting has been moved to a helper function, secmod_setDefault to handle the case that we now have separate ssl and s/mime enablement. (NOTE: remember enable implies allow)
lib/pk11wrap/pk11pbe.c
lib/pk11wrap/secpkcs5.h
- implement new functions to extract algtags from PKCS5pbe oidtags and algorithm IDs so they can be checked against policy.
lib/pk11wrap/pk11priv.h
lib/pk11wrap/pk11pub.h
- export PK11_GetMaxKeyLength lib/pkcs12/p12d.c lib/pkcs12/p12e.c lib/pkcs12/p12plcy.c lib/pkcs12/p12plcy.h
- add pkcs12 policy checks.
- p12plcy decomposes the PBE into encryption and hash algorithms and checks policy on both. It deals with the differences between pkcs5v1 pkcs12pbe and pkcs5v2
lib/smime/cmsdigest.c
lib/smime/cmsencdata.c
lib/smime/cmsrecinfo.c
lib/smime/cmssiginfo.c
- add smime policy checks
- NSS_CMSRecipientInfo_UnwrapBulkKey was reorded to collect the algid and encryption key then handling the actual operation in a new encalgtag switch.
lib/smime/smime.def
automation/abi-check/expected-report-libsmime3.so.txt
- export the new PKCS12 helpers to return policy (shouldn't we export the smime ones as well?)
lib/smime/smime.h
- export the new S/MIME utils to checking various s/MIME policies.
lib/smime/smimemessage.c
- Fix same signerinfo leak as in cmd/simetools/cmsutil.c
lib/smime/smimeutil.c
- This file has been pretty heavily rewritten. There used to be a static array which mapped the old SMIME algorithm value to and OID, a parameter, enabled/disabled, and allowed/disallowed (policy). The table has been repurposed to make and the old SMIME algorithm to an OID tag which reflects the policy and is now a CONST table. It also functions as the list of known old algorithms to default to if no algorithms are set by policy. NOTE that SEC_OID_RC2_XXX_CBC are 'fake' oids to allow mapping the policy with keysize explicitly. This matches all the other algorithms which encode the key length in the oid.
- smime_legacy_to_policy and smime_legacy_to_oid maps the old SMIME algorithm values to the modern oid value. This allows the old functions to still use the old values, but also work using an actual oid.
- smime_allowed_by_policy is a helper to check an algtag for a particular policy. All requested policy bits must match.
- smime_key_size_by_cipher is a helper to get the keysize from an algtag. The general case should be handle in pk11wrap, but we dont' have a function there to do that yet.
- SMIMEList and smime_algorithm_list is a simple array list, ordered by algorithm preference. This replaces the enable field of the old static algorithm table. smime_list_ are helper functions. NOTE: smime_list_index_find returns table_size if the element is not found. This means you need to know smime_list_length when this function is called, and you need to lock around references to prevent the table from changing while you work with it.
- smime_init_once handles initializing our policy and enable arrays based on existing policy and handling the default cases when no policy has been enabled.
- nss_SMIME_FindCipherForSMIMECap, smime_choose_cipher,NSS_SMIMEUtil_FindBulkAlgForRecipients,smime_create_capability have been rewritten to use the new policy system and enable list. RC2 was the only cipher that needed parameters, so the parameters are generated on the fly if necessary.
- NSS_SMIMEUtil_CreateSMIMECapabilities was well as being recoded to use the new lists, It's also been updated to include hash and key encipherment algorithms.
lib/ssl/sslinit.c
- add a shutdown function so that we reset the default algorithms and policy if NSS is initialized again after shutdown. (probably haven't ran into any issues because few applications of any complexity can actually successfully shut NSS down.
lib/util/nssutil.def
lib/util/secoid.c
lib/util/secoid.h
- add new helper functions to 1) return the number of recognized oid tags in the system (including dynamic oids), 2) Find all the oids which are approved for a particular policy (used by SMIME to determine what oids are valid and if we need to initialize policy from the default list, 3) set or clear a policy on all the oids (used to clear the S/MIME policy so getting all the S/MIME policy oids are meaningful).
- also add the RC2_XXX fake oids to the oid table (RC2_40 already exists).
- clear the SMIME policy from oids by default.
- allow legacy decrypt for PKCS #12 files decrypting old integrity or pbe hash values. Only allow reading, not generation.
lib/util/secoidt.h
- add the RC2_XXX fake oids to the oid table (RC2_40 already exists).
- add the new NSS_USE_ALG defines. make CMS_SIGNATURE an alias for SMIME_SIGNATURE and keep the same bit.
- NSS_USE_ALG_IN_PKCS12 becomes NSS_USE_ALG_IN_PKCS12_DECRYPT, and the new NSS_USE_ALG_IN_PKCS12 becomes NSS_USE_ALG_IN_PKCS12_DECRYPT|NSS_USE_ALG_IN_PKCS12_ENCRYPT
- Add more combo defines.
tests -------------------------------------------------
tests/common/init.sh
tests/policy/policy.sh
tests/ssl/ssl.sh
- move the generic policy setup code from ssl.sh to init.sh add generic save and restore functions.
- move the ignore_blank_lines macro from ssl.sh and policy.sh to init.sh
tests/policy/crypto-policy.txt
- add s/mime policy values to verify parsing validity
tests/smime/smime.sh
- add loop to test smime policy. Each test uses two entities, a sender and a receiver. Each gets its own policy.
The receiver first creates a signed s/mime message with capabilities.
The sender then receives the message, and if successful stores the cert and the capabilities.
The sender then encrypts a message. The chosen cipher is verified to be the expected cipher.
The receiver decrypts the message and verifies it.
The expected return values are checked for each operation, which may fail by policy. If the expected operation does not fail by policy when it should, it generates a test failure.
tests/smime/smimepolicy.txt
- new file with the list of policy tests used by the loop above. new tests can be added by simply adding them to this file.
tests/tools/tools.sh
- existing helpers were updated with new parameters which can vary in the policy case.
- add loop to test pkcs12 policy. Each test sets up two entities, an exporter and an importer. Each gets its own policy.
The exporter exports a private key.
The importer imports the private key.
The expected return values are checked for each operation, which may fail by policy. If the expected operation does not fail by policy when it should, it generates a test failure.
tests/tools/pkcs12policy.txt
- new file with the list of policy tests used by the loop above. new tests can be added by simply adding them to this file.
Differential Revision: https://phabricator.services.mozilla.com/D204145
--HG--
branch : NSS_3_101_BRANCH
extra : source : 86e2a841f0cd7640ac3ba9002dc85066d9bb0362
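The two policy test loops described in this commit message (the S/MIME sender/receiver loop in tests/smime/smime.sh and the PKCS #12 exporter/importer loop in tests/tools/tools.sh) share one idea: each side runs under its own algorithm policy, and a case passes only when the operation succeeds or fails exactly as the policy predicts. The following is an added example, not NSS code and not part of this pull request, that models that idea in Python so the policy interaction can be seen on its own. The flag names are modelled after the NSS_USE_ALG defines named in the message; the cipher table, the strength ordering, the policy dictionaries and the outcome strings are assumptions of this model, and the selection rule is a simplified stand-in for NSS's smime_choose_cipher, not a copy of it.

```python
"""Simplified model of policy-gated S/MIME cipher choice and PKCS #12
export/import.  Added example; the cipher names, strength order and
policy tables below are constructed, not taken from NSS."""
from enum import IntFlag
from typing import Callable, Dict, List, Optional, Tuple


class Use(IntFlag):
    """Policy bits, named after the NSS_USE_ALG_IN_* defines (modelled, not NSS's values)."""
    SMIME = 1
    PKCS12_DECRYPT = 2
    PKCS12_ENCRYPT = 4
    PKCS12 = PKCS12_DECRYPT | PKCS12_ENCRYPT   # the combined define: read and write


Policy = Dict[str, Use]          # cipher name -> uses this policy permits

# Strength order is an assumption of this model, strongest first.
STRENGTH = ["AES-256-CBC", "AES-128-CBC", "3DES-CBC", "RC2-40-CBC"]

# Constructed sample policies for the cases below.
MODERN: Policy = {                # AES everywhere; legacy ciphers are read-only in PKCS #12
    "AES-256-CBC": Use.SMIME | Use.PKCS12,
    "AES-128-CBC": Use.SMIME | Use.PKCS12,
    "3DES-CBC": Use.PKCS12_DECRYPT,
    "RC2-40-CBC": Use.PKCS12_DECRYPT,
}
LEGACY: Policy = {c: Use.SMIME | Use.PKCS12 for c in STRENGTH}
AES128_ONLY: Policy = {"AES-128-CBC": Use.SMIME | Use.PKCS12}
TDES_ONLY: Policy = {"3DES-CBC": Use.SMIME}


def allowed(policy: Policy, cipher: str, use: Use) -> bool:
    """True when the policy grants every bit in `use` for `cipher`."""
    return bool(policy.get(cipher, Use(0)) & use)


def smime_capabilities(policy: Policy) -> List[str]:
    """What the receiver advertises in its signed message: the bulk ciphers
    its own policy permits for S/MIME, strongest first."""
    return [c for c in STRENGTH if allowed(policy, c, Use.SMIME)]


def choose_bulk_cipher(sender: Policy, recipient_caps: List[str]) -> Optional[str]:
    """The sender picks the strongest advertised cipher its own policy also
    permits.  None means the message cannot be encrypted under policy."""
    for c in STRENGTH:
        if c in recipient_caps and allowed(sender, c, Use.SMIME):
            return c
    return None


def smime_exchange(sender: Policy, receiver: Policy) -> Optional[str]:
    """Receiver signs with capabilities, sender encrypts, receiver decrypts.
    Returns the cipher used, or None if some step is blocked by policy."""
    cipher = choose_bulk_cipher(sender, smime_capabilities(receiver))
    if cipher is None or not allowed(receiver, cipher, Use.SMIME):
        return None
    return cipher


def pkcs12_transfer(exporter: Policy, importer: Policy, cipher: str) -> str:
    """Export is gated on the exporter's ENCRYPT bit, import on the importer's
    DECRYPT bit, so a decrypt-only cipher can be read but never generated."""
    if not allowed(exporter, cipher, Use.PKCS12_ENCRYPT):
        return "export-blocked"
    if not allowed(importer, cipher, Use.PKCS12_DECRYPT):
        return "import-blocked"
    return "ok"


Case = Tuple[str, Callable[[], object], object]   # (name, operation, expected outcome)


def run_policy_cases(cases: List[Case]) -> List[str]:
    """Mirror of the shell test loops: every case states its expected outcome,
    and any mismatch, including 'should have failed by policy but did not',
    is reported as a test failure."""
    failures = []
    for name, op, expected in cases:
        actual = op()
        if actual != expected:
            failures.append(f"{name}: expected {expected!r}, got {actual!r}")
    return failures


SAMPLE_CASES: List[Case] = [
    ("smime modern->legacy", lambda: smime_exchange(MODERN, LEGACY), "AES-256-CBC"),
    ("smime legacy->aes128", lambda: smime_exchange(LEGACY, AES128_ONLY), "AES-128-CBC"),
    ("smime 3des->modern", lambda: smime_exchange(TDES_ONLY, MODERN), None),
    ("p12 modern exports 3des", lambda: pkcs12_transfer(MODERN, LEGACY, "3DES-CBC"), "export-blocked"),
    ("p12 modern reads rc2", lambda: pkcs12_transfer(LEGACY, MODERN, "RC2-40-CBC"), "ok"),
    ("p12 aes128 reads 3des", lambda: pkcs12_transfer(LEGACY, AES128_ONLY, "3DES-CBC"), "import-blocked"),
]

if __name__ == "__main__":
    for line in run_policy_cases(SAMPLE_CASES) or ["all policy cases behaved as expected"]:
        print(line)
```

The asymmetry in `MODERN` is the point of the NSS_USE_ALG_IN_PKCS12_DECRYPT split described above: an installation can keep reading old PKCS #12 files that used 3DES or RC2 while refusing to produce new ones, and the test driver catches a policy that accidentally grants the encrypt bit, since the case would then return "ok" where "export-blocked" was expected.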
moz-v2v-gh
pushed a commit
that referenced
this pull request
Jun 6, 2024
…olicy r=jschanck
Fix tools test failures.
Differential Revision: https://phabricator.services.mozilla.com/D212060
--HG--
branch : NSS_3_101_BRANCH
extra : source : 0b81bedadd66746f529781ac56bda56bd74cdaa6
moz-v2v-gh
pushed a commit
that referenced
this pull request
Mar 31, 2026
Currently, NSS can only deal with ephemeral ml-kem kems. This is primarily because 1) we currently only use ml-kem in ephemeral hybrid mode in TLS and IPSec, and 2) when we added the keys there were no oids or definitions for pkcs #12 transport of the keys. Now our Certificate Server team needs to start using ML-KEM as a key transport key, which requires storing and moving the keys. They eventually want to store the keys in a certificate (which is a prereq for CMS/Smime usage).
This patch includes:
1) updates to pk11table to add the remaining pkcs #11 v3.2 attributes that were missing
2) Support for printing ML-KEM keys in secu_PrintSubjectPublicKeyInfo (so we can print certs with mlkem keys)
3) add ml-kem to the pk11importtest.c
4) New internal functions to map OID, pkcs11, and internal version of ml-kem parameters.
5) add ml-kem oids
6) add missing kyberKey switches and ML-KEM-OID switches to seckey and pk11skey functions.
7) ml-kem-512 to the NSS parsing. This patch does not add ml-kem-512 to softoken, so we can handle ml-kem-512 objects in NSS space, but softoken can't do anything with them.
7) in softoken
7a) add support of unwrapping private keys.
7b) converting private keys to public keys.
7c) saving the seed from the key.
7d) regenerating a private key from the seed.
7e) converting lowprivatekey and lowpublic key objects to and from pkcs #11 objects.
8) add test cases (importing openssl generated ml-kem keys and certs)
I did not update certutil to handle ml-kem CSRs because certutil can only handle signed CSRs and, of course, ml-kem can't sign anything.
Differential Revision: https://phabricator.services.mozilla.com/D286907
No description provided.