std.crypto: enhance Certificate security #19759

clickingbuttons · 2024-04-24T19:24:25Z

Enhanced security:

Add and use more secure DER parser which prevents previously possible buffer overflows and OOB reads.
Fail on unknown critical extensions.
Verify key usage and extended key usage (closes std.crypto.Certificate.verify: additionally verify "key usage" #14175).
Verify policy (needs future work + validation).
Verify basic constraints.
Verify that Certificates loaded into bundles are indeed CAs.
Correctly handle certificate dates before 1970.

Enhanced compatibility:

Allow any SHA2 hash function with RSA and ECDSA public keys.

Added features:

RSA signature generation. This is required for add std.crypto.tls.Server #14171.

Enhanced security: - Add and use more secure DER parser which prevents previously possible buffer overflows and OOB reads. - Fail on unknown critical extensions. - Verify key usage and extended key usage (closes ziglang#14175). - Verify policy (needs future work + validation). - Verify basic constraints. - Verify that Certificates loaded into bundles are indeed CAs. - Correctly handle certificate dates before 1970. Enhanced compatibility: - Allow any SHA2 hash function with RSA and ECDSA public keys.

clickingbuttons · 2024-04-24T19:36:55Z

Putting this up for early feedback from @jedisct1 regarding crypto API changes. I feel rsa.zig is good enough to make public (still need keypair generation, happy to delay making public until that's been added) and I've made ecdsa.zig match.

Still need to:

Remove defer parser.seek(seq.slice.end) statements
Allow for bundles to contain certificates from same issuer but with different time validities.
Add a certificate verification test suite. Will require finding an existing one OR writing a DER formatter and creating one ourselves (I much prefer the former)
Add error sets

lib/std/crypto/testdata/wycheproof_gen.zig

lib/std/crypto/rsa.zig

lib/std/crypto/ecdsa.zig

lib/std/crypto/rsa.zig

jedisct1 · 2024-04-24T21:06:56Z

lib/std/crypto/rsa.zig

+                    // // check that d * e is one mod p-1 and mod q-1. Note d and e were bound
+                    // const de = secret.d.mul(public.e); // can't mul these :(


Divide de by (p-1) (and (q-1)) and check that the remainder is 1.

Not sure how to compute de when there's no FeUnit multiplication except under the modulus.

Also not sure how to divide since there's no div function in ff.zig.

Montgomery would be ashamed of me...

lib/std/crypto/rsa.zig

jedisct1 · 2024-04-24T21:13:19Z

This is great work, but it would be really better if you could split these changes into smaller, more scoped PRs, that would be way easier to review and discuss.

lib/std/crypto/rsa.zig

lib/std/crypto/ecdsa.zig

nektro · 2024-04-24T22:30:37Z

this feels like it should be split up into multiple independently reviewed PRs. being a 10k+ line diff in a single commit makes the effort to merge this exponentially higher than otherwise.

clickingbuttons · 2024-04-24T23:16:08Z

I spent 2 days thinking of how to split this up. I could only think of a dirty way, but I'll pursue that given the feedback.

being a 10k+ line diff in a single commit makes the effort to merge this exponentially higher than otherwise.

6K of it is test files, but 4k is indeed still large.

clickingbuttons · 2024-04-26T16:58:32Z

Closing in favor of #19771 and another Certificate PR after that. All RSA feedback has been addressed there except for how to check d * e is one mod p-1 and mod q-1, which is luckily not essential.

clickingbuttons commented Apr 24, 2024

View reviewed changes

lib/std/crypto/testdata/wycheproof_gen.zig Show resolved Hide resolved