Add NSS endpoints for ECH interop #25
Conversation
6653be6 to 3d2d33a
Is this ready to review, @kjacobs-moz?
Yes, the NSS change has landed.
This looks great! Just a few minor nits and one ask (see inline comments).
Also, a question: The ECH draft does not specify how to format secret keys. Would you endorse PKCS#8 as a format for our purposes here? In other words, should we modify util.go to output an ECHConfigs and, separately, the corresponding PKCS#8-formatted key pair? (See #17.)
FWIW, cloudflare-go client -> nss server works correctly with the existing conversion script.
LGTM pending @cjpatton's suggestions for the key conversion script.
I'm happy to merge without the conversion and get back to it later.
Yeah, same. I was referring to the documentation suggestions. But even those I'd be fine without.
Thanks for the reviews. Unfortunately, I'm not going to have time in the immediate future to rewrite it in Go, but I would definitely support PKCS8-formatting the ECH/HPKE keypair rather than storing the raw private key, which some libraries may not be able to import easily. NSS is one such library, and doing it outside of NSS/selfserv avoids having to write a second ECHConfigs parser at the application level. With that change, we could remove the script entirely, but it might be worth waiting to see if other libraries have an opinion. Another option is to output two formats from util.go.
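The PKCS#8 wrapping discussed in the comments above, as an added example that is not part of this PR or of the cloudflare-go code base: it takes a raw 32-byte X25519 private key (the form an HPKE/ECH key pair is typically stored in) and wraps it in the PKCS#8 structure used for X25519 keys (RFC 8410 OID 1.3.101.110) with Go's standard library, then parses it back and rejects anything that is not an X25519 key. It assumes Go 1.20 or later, where crypto/x509 accepts *ecdh.PrivateKey; the key bytes and the function names are constructed for illustration.

```go
package main

import (
	"crypto/ecdh"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"fmt"
)

// ConstructedRawKey returns a fixed 32-byte X25519 private key used only
// for illustration here; a real deployment generates the key with crypto/rand.
func ConstructedRawKey() []byte {
	raw := make([]byte, 32)
	for i := range raw {
		raw[i] = byte(i + 1)
	}
	return raw
}

// WrapX25519PKCS8 converts a raw 32-byte X25519 private key into PKCS#8 DER
// (PrivateKeyInfo with the X25519 algorithm identifier), the form that TLS
// libraries such as NSS can import without a custom parser.
func WrapX25519PKCS8(raw []byte) ([]byte, error) {
	priv, err := ecdh.X25519().NewPrivateKey(raw)
	if err != nil {
		return nil, fmt.Errorf("invalid raw X25519 key: %w", err)
	}
	return x509.MarshalPKCS8PrivateKey(priv)
}

// UnwrapX25519PKCS8 parses PKCS#8 DER and returns the raw 32-byte X25519
// private key. It refuses other key types so a caller cannot silently feed
// an RSA or ECDSA key into an HPKE context.
func UnwrapX25519PKCS8(der []byte) ([]byte, error) {
	key, err := x509.ParsePKCS8PrivateKey(der)
	if err != nil {
		return nil, err
	}
	priv, ok := key.(*ecdh.PrivateKey)
	if !ok || priv.Curve() != ecdh.X25519() {
		return nil, fmt.Errorf("PKCS#8 blob does not contain an X25519 key")
	}
	return priv.Bytes(), nil
}

// ToPEM wraps the DER bytes in the "PRIVATE KEY" PEM armor that PKCS#8
// consumers (OpenSSL, NSS tooling) expect on input.
func ToPEM(der []byte) string {
	return string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}))
}

func main() {
	raw := make([]byte, 32)
	if _, err := rand.Read(raw); err != nil {
		panic(err)
	}
	der, err := WrapX25519PKCS8(raw)
	if err != nil {
		panic(err)
	}
	// For X25519 the PKCS#8 encoding is a fixed 48 bytes: 16 bytes of
	// ASN.1 framing plus the 32-byte key.
	fmt.Printf("PKCS#8 DER is %d bytes\n", len(der))
	fmt.Print(ToPEM(der))
	back, err := UnwrapX25519PKCS8(der)
	if err != nil {
		panic(err)
	}
	fmt.Printf("round-trip ok: %v\n", string(back) == string(raw))
}
```

The check in UnwrapX25519PKCS8 is the part worth keeping in any real tool: PKCS#8 is a container for many key types, so a consumer that expects an HPKE key should verify the algorithm identifier rather than trusting the file extension.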
3d2d33a to 619302d
LGTM. Please squash the last commit before merging.
Oops, scratch that. Commits look good. I'm merging now.
This currently works for ech-accept between NSS and cloudflare-go.