Bug 1767883 - Need to add policy control to keys lengths for signatures. r=nss-reviewers

There are three changes in the patch which are related to key length processing:

Change RSA_MIN_MODULUS_BITS in blalpit.h from 128 to 1023. This necessitated changes to the following tests: testcrmf.c: up the generated key for the test from 512 to 1024. pk11_rsapkcs1_unittest.cc (in pk11_gtest): skip the min padding test if the MIN_RSA_MODULUS_BITS is more than 736 (The largest hash we support is 512, which fits in an RSA key less then 736. If we can't generate a key less than 736, we can't test minimum padding, but we can never get into that situation anyway now). tls_subcerts_unittest.cc: set our key size to at least RSA_MIN_MODULUS_BITS, and then make sure the policy had a higher minimum key length so we still trigger the 'weakKey' event. pk11kea.c: use 1024 bits for the transfer key now that smaller keysizes aren't supported by softoken.

Expand the add a new flag to meaning of NSS_XXX_MIN_KEY_SIZE beyond it's use in SSL (add the ability to limit signing and verification to this as well). This allows us to set strict FIPS 140-3 policies, where we can only sign with 2048, but can still verify 1024. This part includes: New utility functions in seckey.c: SECKEY_PrivateKeyStrengthInBits(): The private key equivalent to SECKEY_PublicKeyStrengthInBits(). This function could be exported globally, but isn't in this patch. seckey_EnforceKeySize(). Takes a key type and a length and makes sure that length falls into the range set by policy. secsign.c and secvfy.c: add policy length check where we check the other policy flags. nss.h, nssoptions.c: add NSS_KEY_SIZE_POLICY_FLAGS and define flags for SSL, VERIFY, and SIGN. SSL is set by default (to maintain the current behavior). pk11parse.c: add keywords for the new NSS_KEY_SIZE_POLICY_FLAGS. ssl3con.c: use the flags to decide if the policy lengths are active for SSL. policy.txt: Test that the new policy flags are parsed correctly sslpolicy.txt: Add tests to make sure the policy flags are functioning.

Update fips_algorithms.h to make sure the FIPS indicators are exactly compliant with FIPS 140-3 current guidance (RSA 2028 and above, any key size, Legacy verification allowed for 1024, 1280, 1536, and 1792 [1024-1792, step 256]).

The previous attempt to push failed because the pk11_rsapkcs1_unittest.cc
change was eaten in the merge.

Differential Revision: https://phabricator.services.mozilla.com/D146341

5 files changed, 143 insertions, 1 deletions

diff --git a/lib/cryptohi/keyhi.h b/lib/cryptohi/keyhi.h
index 180990049..173dbda90 100644
--- a/lib/cryptohi/keyhi.h
+++ b/lib/cryptohi/keyhi.h
@@ -53,6 +53,11 @@ extern unsigned SECKEY_PublicKeyStrength(const SECKEYPublicKey *pubk);
 extern unsigned SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk);
 
 /*
+** Return the strength of the private key in bits
+*/
+extern unsigned SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk);
+
+/*
 ** Return the length of the signature in bytes
 */
 extern unsigned SECKEY_SignatureLen(const SECKEYPublicKey *pubk);
diff --git a/lib/cryptohi/keyi.h b/lib/cryptohi/keyi.h
index 707e11ade..5683afbeb 100644
--- a/lib/cryptohi/keyi.h
+++ b/lib/cryptohi/keyi.h
@@ -4,6 +4,7 @@
 
 #ifndef _KEYI_H_
 #define _KEYI_H_
+#include "secerr.h"
 
 SEC_BEGIN_PROTOS
 /* NSS private functions */
@@ -36,6 +37,9 @@ SECStatus sec_DecodeRSAPSSParamsToMechanism(PLArenaPool *arena,
                                             const SECItem *params,
                                             CK_RSA_PKCS_PSS_PARAMS *mech);
 
+/* make sure the key length matches the policy for keyType */
+SECStatus seckey_EnforceKeySize(KeyType keyType, unsigned keyLength,
+                                SECErrorCodes error);
 SEC_END_PROTOS
 
 #endif /* _KEYHI_H_ */
diff --git a/lib/cryptohi/seckey.c b/lib/cryptohi/seckey.c
index fb353fa14..656609e0d 100644
--- a/lib/cryptohi/seckey.c
+++ b/lib/cryptohi/seckey.c
@@ -14,6 +14,7 @@
 #include "secdig.h"
 #include "prtime.h"
 #include "keyi.h"
+#include "nss.h"
 
 SEC_ASN1_MKSUB(SECOID_AlgorithmIDTemplate)
 SEC_ASN1_MKSUB(SEC_IntegerTemplate)
@@ -1040,6 +1041,59 @@ SECKEY_PublicKeyStrengthInBits(const SECKEYPublicKey *pubk)
     return bitSize;
 }
 
+unsigned
+SECKEY_PrivateKeyStrengthInBits(const SECKEYPrivateKey *privk)
+{
+    unsigned bitSize = 0;
+    SECItem params = { siBuffer, NULL, 0 };
+    SECStatus rv;
+
+    if (!privk) {
+        PORT_SetError(SEC_ERROR_INVALID_KEY);
+        return 0;
+    }
+
+    /* interpret modulus length as key strength */
+    switch (privk->keyType) {
+        case rsaKey:
+        case rsaPssKey:
+        case rsaOaepKey:
+            /* some tokens don't export CKA_MODULUS on the private key,
+             * PK11_SignatureLen works around this if necessary */
+            bitSize = PK11_SignatureLen((SECKEYPrivateKey *)privk) * PR_BITS_PER_BYTE;
+            if (bitSize == -1) {
+                bitSize = 0;
+            }
+            return bitSize;
+        case dsaKey:
+        case fortezzaKey:
+        case dhKey:
+        case keaKey:
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+                                    CKA_PRIME, NULL, &params);
+            if ((rv != SECSuccess) || (params.data == NULL)) {
+                PORT_SetError(SEC_ERROR_INVALID_KEY);
+                return 0;
+            }
+            bitSize = SECKEY_BigIntegerBitLength(&params);
+            PORT_Free(params.data);
+            return bitSize;
+        case ecKey:
+            rv = PK11_ReadAttribute(privk->pkcs11Slot, privk->pkcs11ID,
+                                    CKA_EC_PARAMS, NULL, &params);
+            if ((rv != SECSuccess) || (params.data == NULL)) {
+                return 0;
+            }
+            bitSize = SECKEY_ECParamsToKeySize(&params);
+            PORT_Free(params.data);
+            return bitSize;
+        default:
+            break;
+    }
+    PORT_SetError(SEC_ERROR_INVALID_KEY);
+    return 0;
+}
+
 /* returns signature length in bytes (not bits) */
 unsigned
 SECKEY_SignatureLen(const SECKEYPublicKey *pubk)
@@ -1214,6 +1268,51 @@ SECKEY_CopyPublicKey(const SECKEYPublicKey *pubk)
 }
 
 /*
+ * Check that a given key meets the policy limits for the given key
+ * size.
+ */
+SECStatus
+seckey_EnforceKeySize(KeyType keyType, unsigned keyLength, SECErrorCodes error)
+{
+    PRInt32 opt = -1;
+    PRInt32 optVal;
+    SECStatus rv;
+
+    switch (keyType) {
+        case rsaKey:
+        case rsaPssKey:
+        case rsaOaepKey:
+            opt = NSS_RSA_MIN_KEY_SIZE;
+            break;
+        case dsaKey:
+        case fortezzaKey:
+            opt = NSS_DSA_MIN_KEY_SIZE;
+            break;
+        case dhKey:
+        case keaKey:
+            opt = NSS_DH_MIN_KEY_SIZE;
+            break;
+        case ecKey:
+            opt = NSS_ECC_MIN_KEY_SIZE;
+            break;
+        case nullKey:
+        default:
+            PORT_SetError(SEC_ERROR_INVALID_KEY);
+            return SECFailure;
+    }
+    PORT_Assert(opt != -1);
+    rv = NSS_OptionGet(opt, &optVal);
+    if (rv != SECSuccess) {
+        return rv;
+    }
+    if (optVal > keyLength) {
+        PORT_SetError(error);
+        return SECFailure;
+    }
+    return SECSuccess;
+}
+
+/*
  * Use the private key to find a public key handle. The handle will be on
  * the same slot as the private key.
  */
diff --git a/lib/cryptohi/secsign.c b/lib/cryptohi/secsign.c
index 13a6d6c5e..8779904d3 100644
--- a/lib/cryptohi/secsign.c
+++ b/lib/cryptohi/secsign.c
@@ -15,6 +15,7 @@
 #include "pk11func.h"
 #include "secerr.h"
 #include "keyi.h"
+#include "nss.h"
 
 struct SGNContextStr {
     SECOidTag signalg;
@@ -32,6 +33,7 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
     SECOidTag hashalg, signalg;
     KeyType keyType;
     PRUint32 policyFlags;
+    PRInt32 optFlags;
     SECStatus rv;
 
     /* OK, map a PKCS #7 hash and encrypt algorithm into
@@ -56,6 +58,16 @@ sgn_NewContext(SECOidTag alg, SECItem *params, SECKEYPrivateKey *key)
         PORT_SetError(SEC_ERROR_INVALID_ALGORITHM);
         return NULL;
     }
+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
+        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
+            rv = seckey_EnforceKeySize(key->keyType,
+                                       SECKEY_PrivateKeyStrengthInBits(key),
+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+            if (rv != SECSuccess) {
+                return NULL;
+            }
+        }
+    }
     /* check the policy on the hash algorithm */
     if ((NSS_GetAlgorithmPolicy(hashalg, &policyFlags) == SECFailure) ||
         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
@@ -465,9 +477,20 @@ SGN_Digest(SECKEYPrivateKey *privKey,
     SGNDigestInfo *di = 0;
     SECOidTag enctag;
     PRUint32 policyFlags;
+    PRInt32 optFlags;
 
     result->data = 0;
 
+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
+        if (optFlags & NSS_KEY_SIZE_POLICY_SIGN_FLAG) {
+            rv = seckey_EnforceKeySize(privKey->keyType,
+                                       SECKEY_PrivateKeyStrengthInBits(privKey),
+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+            if (rv != SECSuccess) {
+                return SECFailure;
+            }
+        }
+    }
     /* check the policy on the hash algorithm */
     if ((NSS_GetAlgorithmPolicy(algtag, &policyFlags) == SECFailure) ||
         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {
diff --git a/lib/cryptohi/secvfy.c b/lib/cryptohi/secvfy.c
index f6f5d72b8..8c9dc2d87 100644
--- a/lib/cryptohi/secvfy.c
+++ b/lib/cryptohi/secvfy.c
@@ -16,6 +16,7 @@
 #include "secdig.h"
 #include "secerr.h"
 #include "keyi.h"
+#include "nss.h"
 
 /*
 ** Recover the DigestInfo from an RSA PKCS#1 signature.
@@ -466,6 +467,7 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
     unsigned int sigLen;
     KeyType type;
     PRUint32 policyFlags;
+    PRInt32 optFlags;
 
     /* make sure the encryption algorithm matches the key type */
     /* RSA-PSS algorithm can be used with both rsaKey and rsaPssKey */
@@ -475,7 +477,16 @@ vfy_CreateContext(const SECKEYPublicKey *key, const SECItem *sig,
         PORT_SetError(SEC_ERROR_PKCS7_KEYALG_MISMATCH);
         return NULL;
     }
-
+    if (NSS_OptionGet(NSS_KEY_SIZE_POLICY_FLAGS, &optFlags) != SECFailure) {
+        if (optFlags & NSS_KEY_SIZE_POLICY_VERIFY_FLAG) {
+            rv = seckey_EnforceKeySize(key->keyType,
+                                       SECKEY_PublicKeyStrengthInBits(key),
+                                       SEC_ERROR_SIGNATURE_ALGORITHM_DISABLED);
+            if (rv != SECSuccess) {
+                return NULL;
+            }
+        }
+    }
     /* check the policy on the encryption algorithm */
     if ((NSS_GetAlgorithmPolicy(encAlg, &policyFlags) == SECFailure) ||
         !(policyFlags & NSS_USE_ALG_IN_ANY_SIGNATURE)) {