diff options
author | Robert Relyea <rrelyea@redhat.com> | 2023-03-03 21:54:41 +0000 |
---|---|---|
committer | Robert Relyea <rrelyea@redhat.com> | 2023-03-03 21:54:41 +0000 |
commit | 2af96ef910c717d1ecb2d77f05c4306f660a0c4c (patch) | |
tree | a5875d9c8078279bc10c3af31a1e9752ea123883 /lib/cryptohi | |
parent | 9afee96e42bccaead43e7234b9e48f0cb58e7ff6 (diff) | |
download | nss-hg-2af96ef910c717d1ecb2d77f05c4306f660a0c4c.tar.gz |
Bug 1767883 - Need to add policy control to keys lengths for signatures. r=nss-reviewers
There are three changes in the patch which are related to key length processing:
Change RSA_MIN_MODULUS_BITS in blalpit.h from 128 to 1023. This necessitated changes to the following tests: testcrmf.c: up the generated key for the test from 512 to 1024. pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less then 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now). tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event. pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.
Expand the add a new flag to meaning of NSS_XXX_MIN_KEY_SIZE beyond it's use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes: New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(). Takes a key type and a length and makes sure that length falls into the range set by policy. secsign.c and secvfy.c: add policy length check where we check the other policy flags. nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior). pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS. ssl3con.c: use the flags to decide if the policy lengths are active for SSL. policy.txt: Test that the new policy flags are parsed correctly sslpolicy.txt: Add tests to make sure the policy flags are functioning.
Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).
The previous attempt to push failed because the pk11_rsapkcs1_unittest.cc
change was eaten in the merge.
Differential Revision: https://phabricator.services.mozilla.com/D146341
Diffstat (limited to 'lib/cryptohi')
-rw-r--r-- | lib/cryptohi/keyhi.h | 5 | ||||
-rw-r--r-- | lib/cryptohi/keyi.h | 4 | ||||
-rw-r--r-- | lib/cryptohi/seckey.c | 99 | ||||
-rw-r--r-- | lib/cryptohi/secsign.c | 23 | ||||
-rw-r--r-- | lib/cryptohi/secvfy.c | 13 |
5 files changed, 143 insertions, 1 deletions
diff --git a/lib/cryptohi/keyhi.h b/lib/cryptohi/keyhi.h index 180990049..173dbda90 100644 --- a/lib/cryptohi/keyhi.h +++ b/lib/cryptohi/keyhi.h @@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk); extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk); /* +** Return the strength of the private key in bits +*/ +extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk); + +/* ** Return the length of the signature in bytes */ extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk); diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h index 707e11ade..5683afbeb 100644 --- a/lib/cryptohi/keyi.h +++ b/lib/cryptohi/keyi.h @@ -4,6 +4,7 @@ #ifndef _KEYI_H_ #define _KEYI_H_ +#include "secerr.h" SEC_BEGIN_PROTOS /* NSS private functions */ @@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena, const SECItem *params, CK_RSA_PKCS_PSS_PARAMS *mech); +/* make sure the key length matches the policy for keyType */ +SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, + SECErrorCodes error); SEC_END_PROTOS #endif /* _KEYHI_H_ */ diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c index fb353fa14..656609e0d 100644 --- a/lib/cryptohi/seckey.c +++ b/lib/cryptohi/seckey.c @@ -14,6 +14,7 @@ #include "secdig.h" #include "prtime.h" #include "keyi.h" +#include "nss.h" SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate) SEC_ASN1_MKSUB(SEC_IntegerTemplate) @@ -1040,6 +1041,59 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk) return bitSize; } +unsigned +SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk) +{ + unsigned bitSize = 0; + SECItem params = { siBuffer, NULL, 0 }; + SECStatus rv; + + if (!privk) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; + } + + /* interpret modulus length as key strength */ + switch (privk->keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + /* some tokens don't export CKA_MODULUS on the private key, + * PK11_SignatureLen works around this if necessary */ + bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE; + if (bitSize == -1) { + bitSize = 0; + } + return bitSize; + case dsaKey: + case fortezzaKey: + case dhKey: + case keaKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_PRIME, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; + } + bitSize = SECKEY_BigIntegerBitLength(¶ms); + PORT_Free(params.data); + return bitSize; + case ecKey: + rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID, + CKA_EC_PARAMS, NULL, ¶ms); + if ((rv != SECSuccess) || (params.data == NULL)) { + return 0; + } + bitSize = SECKEY_ECParamsToKeySize(¶ms); + PORT_Free(params.data); + return bitSize; + default: + break; + } + PORT_SetError(SEC_ERROR_INVALID_KEY); + return 0; +} + /* returns signature length in bytes (not bits) */ unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk) @@ -1214,6 +1268,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk) } /* + * Check that a given key meets the policy limits for the given key + * size. + */ +SECStatus +seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error) +{ + PRInt32 opt = -1; + PRInt32 optVal; + SECStatus rv; + + switch (keyType) { + case rsaKey: + case rsaPssKey: + case rsaOaepKey: + opt = NSS_RSA_MIN_KEY_SIZE; + break; + case dsaKey: + case fortezzaKey: + opt = NSS_DSA_MIN_KEY_SIZE; + break; + case dhKey: + case keaKey: + opt = NSS_DH_MIN_KEY_SIZE; + break; + case ecKey: + opt = NSS_ECC_MIN_KEY_SIZE; + break; + case nullKey: + default: + PORT_SetError(SEC_ERROR_INVALID_KEY); + return SECFailure; + } + PORT_Assert(opt != -1); + rv = NSS_OptionGet(opt, &optVal); + if (rv != SECSuccess) { + return rv; + } + if (optVal > keyLength) { + PORT_SetError(error); + return SECFailure; + } + return SECSuccess; +} + +/* * Use the private key to find a public key handle. The handle will be on * the same slot as the private key. */ diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c index 13a6d6c5e..8779904d3 100644 --- a/lib/cryptohi/secsign.c +++ b/lib/cryptohi/secsign.c @@ -15,6 +15,7 @@ #include "pk11func.h" #include "secerr.h" #include "keyi.h" +#include "nss.h" struct SGNContextStr { SECOidTag signalg; @@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) SECOidTag hashalg, signalg; KeyType keyType; PRUint32 policyFlags; + PRInt32 optFlags; SECStatus rv; /* OK, map a PKCS #7 hash and encrypt algorithm into @@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key) PORT_SetError(SEC_ERROR_INVALID_ALGORITHM); return NULL; } + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { + rv = seckey_EnforceKeySize(key->keyType, + SECKEY_PrivateKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return NULL; + } + } + } /* check the policy on the hash algorithm */ if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { @@ -465,9 +477,20 @@ SGN_Digest(SECKEYPrivateKey *privKey, SGNDigestInfo *di = 0; SECOidTag enctag; PRUint32 policyFlags; + PRInt32 optFlags; result->data = 0; + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) { + rv = seckey_EnforceKeySize(privKey->keyType, + SECKEY_PrivateKeyStrengthInBits(privKey), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return SECFailure; + } + } + } /* check the policy on the hash algorithm */ if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c index f6f5d72b8..8c9dc2d87 100644 --- a/lib/cryptohi/secvfy.c +++ b/lib/cryptohi/secvfy.c @@ -16,6 +16,7 @@ #include "secdig.h" #include "secerr.h" #include "keyi.h" +#include "nss.h" /* ** Recover the DigestInfo from an RSA PKCS#1 signature. @@ -466,6 +467,7 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, unsigned int sigLen; KeyType type; PRUint32 policyFlags; + PRInt32 optFlags; /* make sure the encryption algorithm matches the key type */ /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */ @@ -475,7 +477,16 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig, PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH); return NULL; } - + if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) { + if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) { + rv = seckey_EnforceKeySize(key->keyType, + SECKEY_PublicKeyStrengthInBits(key), + SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED); + if (rv != SECSuccess) { + return NULL; + } + } + } /* check the policy on the encryption algorithm */ if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) || !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) { |