Add NSS endpoints for ECH interop #25
Conversation
kjacobs-moz
force-pushed
the
add_nss_ech_interop
branch
2 times, most recently
from
6653be6
to
3d2d33a
Compare
|
Is this ready to review, @kjacobs-moz? |
Yes, the NSS change has landed. |
There was a problem hiding this comment.
This looks great! Just a few minor nits and one ask (see inline comments).
Also, a question: The ECH draft does not specify how to format secret keys. Would you endorse PKCS#8 as a format for our purposes here? In other words, should we modify util.go to output an ECHConfigs and, separately, an the corresponding PKCS#8-formatted key pair? (See #17.)
FWIW, cloudflare-go client -> nss server works correctly with the existing conversion script. |
There was a problem hiding this comment.
LGTM pending @cjpatton's suggestions for the key conversion script.
I'm happy to merge without the conversion and get back to it later. |
|
Yeah, same. I was referring to the documentation suggestions. But even those I'd be fine without. |
Thanks for the reviews. Unfortunately, I'm not going to have time in the immediate future to rewrite it in Go, but I would definitely support PKCS8-formatting the ECH/HPKE keypair rather than storing the raw private key, which some libraries may not be able to import easily. NSS is one such library, and doing it outside of NSS/selfserv avoids having to write a second ECHConfigs parser at the application level. With that change, we could remove the script entirely, but it might be worth waiting to see if other libraries have an opinion. Another option is to output two formats from util.go. |
kjacobs-moz
force-pushed
the
add_nss_ech_interop
branch
from
3d2d33a
to
619302d
Compare
Oops, scratch that. Commits look good. I'm merging now. |
This currently works for
ech-acceptbetween NSS and cloudflare-go.