Open
Bug 1245244
Opened 10 years ago
Updated 3 years ago
Expose EC_ValidatePublicKey() to PKCS#11
Categories
(NSS :: Libraries, defect, P3)
NSS
Libraries
Tracking
(Not tracked)
NEW
People
(Reporter: ttaubert, Unassigned)
References
(Blocks 1 open bug)
Details
Attachments
(1 file)
|
5.41 KB,
patch
|
rrelyea
:
review-
|
Details | Diff | Splinter Review |
We need to validate curve points when importing keys with the WebCrypto API. Currently, we import a public key and assume that the point is valid if that succeeds. It would be great to have a method that only validates a given point and takes SECItems so that we don't have to construct a public key.
|
Reporter | |
Updated•10 years ago
|
status-firefox47:
affected → ---
|
|
Reporter | |
Updated•10 years ago
|
Assignee: nobody → ttaubert
Status: NEW → ASSIGNED
|
|
Reporter | |
Comment 1•10 years ago
|
||
Patch at: https://codereview.appspot.com/281660043
Martin, can you please take a look at this? Who would be a good second reviewer?
Flags: needinfo?(martin.thomson)
|
|
Reporter | |
Comment 3•10 years ago
|
||
Attachment #8715287 -
Flags: review?(rrelyea)
|
||
Comment 4•10 years ago
|
||
Comment on attachment 8715287 [details] [diff] [review]
0001-Bug-1245244-Expose-EC_ValidatePublicKey-to-PKCS-11.patch
Review of attachment 8715287 [details] [diff] [review]:
-----------------------------------------------------------------
I'm OK with exporting a 'Validate ECC curve' out of NSS, but we can't just create a new PKCS #11 function call or we'll screw our selves when PKCS #11 adds new functions (not to meantion we'll crash if we call this on a token that knows nothing about the new function.
I've made some suggestings below:
::: lib/pk11wrap/pk11akey.c
@@ +2401,5 @@
> +
> + PK11_EnterSlotMonitor(slot);
> + crv = PK11_GETTAB(slot)->C_ValidateCurvePoint(params->data,
> + params->len,
> + publicValue->data,
Unfortunately we can't arbitrarily add a new PKCS #11 method.
There are a couple of ways to handle this.
1) Write up a spec for a new PKCS #11 method to handle validation like this. The oasis working group website is here: https://www.oasis-open.org/apps/org/workgroup/pkcs11/index.php > I can say writhe now a new ECC specific method is unlikely to fly, though a more generic "validate public key" or "validate exchange parameter" might.
2) More define a PKCS #11 object like "a validated ECC key". We can do that as part of a private object.
3) propose the validated object to the OASIS PKCS #11 group.
Attachment #8715287 -
Flags: review?(rrelyea) → review-
|
|
||
Comment 5•10 years ago
|
||
Actually, thinking about it, We could at least make sure softoken validated the public curve point on input. We do that for DSA PQG parameters (see PQGVerify). We could do something similiar for ECC public keys.
bob
Flags: needinfo?(rrelyea)
|
|
Reporter | |
Updated•9 years ago
|
Assignee: ttaubert → nobody
Status: ASSIGNED → NEW
|
|
Reporter | |
Updated•8 years ago
|
Priority: -- → P3
|
||
Updated•3 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•