author | Robert Relyea <rrelyea@redhat.com> | 2022-12-19 09:40:20 -0800 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2022-12-19 09:40:20 -0800 |
commit | 2b1b89ec6cee1233e6d9d5188104db0f1df9a437 (patch) | |
tree | 4c34525baa0726b15fb3337934c1310f8bb9e493 /gtests | |
parent | 82499a0afb060dbdd535f9fa303ea6510263db02 (diff) | |
download | nss-hg-2b1b89ec6cee1233e6d9d5188104db0f1df9a437.tar.gz |
Bug 1767883 Need to add policy control to keys lengths for signatures.
There are three changes in the patch which are related to key length processing:
1. Change RSA_MIN_MODULUS_BITS in blapit.h from 128 to 1023. This necessitated changes to the following tests:
   - testcrmf.c: up the generated key for the test from 512 to 1024.
   - pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less than 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now).
   - tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event.
   - pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.
2. Expand the add a new flag to meaning of NSS_XXX_MIN_KEY_SIZE beyond its use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes:
   - New utility functions in seckey.c:
     - SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch.
     - seckey_EnforceKeySize(). Takes a key type and a length and makes sure that length falls into the range set by policy.
   - secsign.c and secvfy.c: add policy length check where we check the other policy flags.
   - nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior).
   - pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS.
   - ssl3con.c: use the flags to decide if the policy lengths are active for SSL.
   - policy.txt: Test that the new policy flags are parsed correctly.
   - sslpolicy.txt: Add tests to make sure the policy flags are functioning.
3. Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
Differential Revision: https://phabricator.services.mozilla.com/D146341
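The per-operation key-size policy described in the commit message above, as an added example that is not part of the commit or of NSS: a small C model in which `rsa_key_allowed`, `struct rsa_policy` and the `OP_*` flags are hypothetical stand-ins for the hard floor (RSA_MIN_MODULUS_BITS), the NSS_RSA_MIN_KEY_SIZE option and NSS_KEY_SIZE_POLICY_FLAGS. It assumes a flagged operation rejects keys below the policy minimum, while an unflagged one is bounded only by the hard floor.

```c
#include <stdbool.h>
#include <stdio.h>

/* Added illustration: a constructed model, not NSS source. All names here are
 * hypothetical stand-ins for the policy pieces the commit message describes. */
enum key_op { OP_SSL = 1 << 0, OP_VERIFY = 1 << 1, OP_SIGN = 1 << 2 };

struct rsa_policy {
    unsigned hard_floor_bits; /* models RSA_MIN_MODULUS_BITS (1023 after this patch) */
    unsigned policy_min_bits; /* models the NSS_RSA_MIN_KEY_SIZE option */
    unsigned enforce_flags;   /* models NSS_KEY_SIZE_POLICY_FLAGS */
};

/* True when an RSA key of `bits` may be used for operation `op`. */
bool rsa_key_allowed(const struct rsa_policy *p, enum key_op op, unsigned bits)
{
    if (bits < p->hard_floor_bits)
        return false; /* below the compiled-in floor: never usable */
    if ((p->enforce_flags & (unsigned)op) != 0 && bits < p->policy_min_bits)
        return false; /* policy minimum is active for this operation */
    return true;
}

/* Constructed policies: SSL-only enforcement (the default per the commit
 * message) and a stricter one that also limits signing but not verification. */
const struct rsa_policy ssl_only = { 1023, 2048, OP_SSL };
const struct rsa_policy strict_sign = { 1023, 2048, OP_SSL | OP_SIGN };

int main(void)
{
    static const struct { const char *name; enum key_op op; } ops[] = {
        { "ssl", OP_SSL }, { "verify", OP_VERIFY }, { "sign", OP_SIGN } };
    static const unsigned sizes[] = { 528, 1024, 2048 };

    /* Print the allow/deny decision for every operation and key size. */
    for (size_t i = 0; i < 3; i++)
        for (size_t j = 0; j < 3; j++)
            printf("%-6s %4u bits: ssl_only=%d strict_sign=%d\n",
                   ops[i].name, sizes[j],
                   rsa_key_allowed(&ssl_only, ops[i].op, sizes[j]),
                   rsa_key_allowed(&strict_sign, ops[i].op, sizes[j]));
    return 0;
}
```

The `ssl_only` row for a 1024-bit key mirrors the DCWeakKey test in this patch: the key clears the 1023-bit floor, so the test raises the policy minimum to 2048 to keep the handshake failing with an insufficient-security alert.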
Diffstat (limited to 'gtests')
-rw-r--r-- | gtests/ssl_gtest/tls_subcerts_unittest.cc | 26 |
1 files changed, 24 insertions, 2 deletions
diff --git a/gtests/ssl_gtest/tls_subcerts_unittest.cc b/gtests/ssl_gtest/tls_subcerts_unittest.cc index 77bb41a0b..a1f7cac0a 100644 --- a/gtests/ssl_gtest/tls_subcerts_unittest.cc +++ b/gtests/ssl_gtest/tls_subcerts_unittest.cc @@ -9,6 +9,8 @@ #include "prtime.h" #include "secerr.h" #include "ssl.h" +#include "nss.h" +#include "blapit.h" #include "gtest_utils.h" #include "tls_agent.h" @@ -348,9 +350,14 @@ static void GenerateWeakRsaKey(ScopedSECKEYPrivateKey& priv, ScopedPK11SlotInfo slot(PK11_GetInternalSlot()); ASSERT_TRUE(slot); PK11RSAGenParams rsaparams; - // The absolute minimum size of RSA key that we can use with SHA-256 is - // 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528. +// The absolute minimum size of RSA key that we can use with SHA-256 is +// 256bit (hash) + 256bit (salt) + 8 (start byte) + 8 (end byte) = 528. +#define RSA_WEAK_KEY 528 +#if RSA_MIN_MODULUS_BITS < RSA_WEAK_KEY rsaparams.keySizeInBits = 528; +#else + rsaparams.keySizeInBits = RSA_MIN_MODULUS_BITS + 1; +#endif rsaparams.pe = 65537; // Bug 1012786: PK11_GenerateKeyPair can fail if there is insufficient @@ -390,6 +397,18 @@ TEST_P(TlsConnectTls13, DCWeakKey) { ssl_sig_rsa_pss_pss_sha256}; client_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); server_->SetSignatureSchemes(kSchemes, PR_ARRAY_SIZE(kSchemes)); +#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY + // save the MIN POLICY length. + PRInt32 minRsa; + + ASSERT_EQ(SECSuccess, NSS_OptionGet(NSS_RSA_MIN_KEY_SIZE, &minRsa)); +#if RSA_MIN_MODULUS_BITS >= 2048 + ASSERT_EQ(SECSuccess, + NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, RSA_MIN_MODULUS_BITS + 1024)); +#else + ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, 2048)); +#endif +#endif ScopedSECKEYPrivateKey dc_priv; ScopedSECKEYPublicKey dc_pub; 
@@ -412,6 +431,9 @@ TEST_P(TlsConnectTls13, DCWeakKey) { auto cfilter = MakeTlsFilter<TlsExtensionCapture>( client_, ssl_delegated_credentials_xtn); ConnectExpectAlert(client_, kTlsAlertInsufficientSecurity); +#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY + ASSERT_EQ(SECSuccess, NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa)); +#endif } class ReplaceDCSigScheme : public TlsHandshakeFilter { |
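Review bot: in the GenerateWeakRsaKey hunk (@@ -348,9 +350,14), the `#if` branch still assigns the literal `528` right after `RSA_WEAK_KEY` was defined for that value, and the `#else` branch's `RSA_MIN_MODULUS_BITS + 1` only gives a conventional size because the floor happens to be 1023. Use `rsaparams.keySizeInBits = RSA_WEAK_KEY;` in the first branch, and in the second round up to the next supported modulus size instead of adding 1, so a floor of 528 or 2048 does not ask for a 529- or 2049-bit key. The `#define` also sits inside a function body while the later hunks in TEST_P(TlsConnectTls13, DCWeakKey) depend on it; moving it to file scope next to the includes would make that dependency visible.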
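Review bot: in the DCWeakKey setup hunk (@@ -390,6 +397,18), the guard `#if RSA_MIN_MODULUS_BITS > RSA_WEAK_KEY` does not match the split used in GenerateWeakRsaKey, where everything that is not `< RSA_WEAK_KEY` takes the floor-plus-one branch. At exactly 528 the key is generated from the floor but the policy minimum is never raised, so the test would depend on whatever NSS_RSA_MIN_KEY_SIZE is already set to. Using `>=` here and in the matching restore would keep the two in step. A short comment that the raised minimum is what makes the now larger key count as weak for the expected kTlsAlertInsufficientSecurity would also help the next reader, since "save the MIN POLICY length" only explains the first statement.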
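Review bot: in the DCWeakKey restore hunk (@@ -412,6 +431,9), the `NSS_OptionSet(NSS_RSA_MIN_KEY_SIZE, minRsa)` at the end of the test body is skipped whenever an earlier fatal assertion returns from the test, and the second `ASSERT_EQ` in the setup block is itself placed after the option may already have been changed. A failure would then leave the raised process-wide minimum in place for every test that runs afterwards in the same binary. Restoring from a small scoped guard whose destructor calls `NSS_OptionSet` with the saved value, or from the fixture's TearDown, would make the cleanup unconditional.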