Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Restrict ECDSA/NIST P-Curve hash function sizes for cert signing #12872

Merged
merged 7 commits into from Nov 12, 2021
Merged

Restrict ECDSA/NIST P-Curve hash function sizes for cert signing #12872

merged 7 commits into from Nov 12, 2021

Conversation

cipherboy
Copy link
Contributor

@cipherboy cipherboy commented Oct 19, 2021
edited

In #11006, it was mentioned that #11245 updated this behavior but didn't apply the size restrictions. We make the following changes (along side #11216, which I believe is still relevant):

  • Default to 0 signature bits, to perform auto detection if not otherwise specified. Presently this only does auto detection for ECDSA keys and leaves the default 256-bit hash function for all RSA key sizes. In the future, we could consider following NIST guidelines (and using 2048->256, 3072->384, 4096->512).
  • Introduce ValidateKeyTypeSignatureLength for cross Key/Signature validations (and which handles the actual autodetection)

Since #11216 lacks a changelog entry, we should likely update #11245's changelog entry to match the new behavior and provide a unified changelog entry for the combined change (as it appears 11245 hasn't yet landed in a release yet).

Edit: Added a changelog entry.

@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 20:07 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 20:07 Inactive
@vercel vercel bot temporarily deployed to Preview – vault October 19, 2021 20:10 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook October 19, 2021 20:10 Inactive
ivana-mcconnell
ivana-mcconnell approved these changes Oct 20, 2021
View reviewed changes
Copy link

@ivana-mcconnell ivana-mcconnell left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

For right now, no UI changes are required to let this go forward. We will, however, create a ticket to update the UI to make this more user-friendly when it comes to the interdependent fields of key type, key bits, and signature bits.

@vercel vercel bot temporarily deployed to Preview – vault-storybook November 2, 2021 13:49 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 2, 2021 13:49 Inactive
@vercel vercel bot temporarily deployed to Preview – vault November 8, 2021 14:49 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 8, 2021 14:49 Inactive
@cipherboy cipherboy mentioned this pull request Nov 8, 2021
Merged
@vercel vercel bot temporarily deployed to Preview – vault November 8, 2021 17:17 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 8, 2021 17:17 Inactive
@cipherboy
Restrict ECDSA signatures with NIST P-Curve hashes
7ca3053 
When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.

Related: hashicorp#11245

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Switch to certutil.ValidateKeyTypeSignatureLength(...)
46278e1 
Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Switch to autodetection of signature_bits
e0913cc 
This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Select hash function length automatically
838caa9 
Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Prevent invalid Curve size lookups
95f1530 
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Switch from -1 to 0 as default SignatureBits
2d8cf91 
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@cipherboy
Add changelog entry
8686b03 
Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
@vercel vercel bot temporarily deployed to Preview – vault November 12, 2021 15:10 Inactive
@vercel vercel bot temporarily deployed to Preview – vault-storybook November 12, 2021 15:10 Inactive
@cipherboy
Copy link
Contributor Author

Since the race test appears to have been broken in main, and the race in question appears to be unrelated to the present changes, going ahead and merging. Thanks all!

@cipherboy cipherboy merged commit c36f611 into hashicorp:main Nov 12, 2021
qk4l pushed a commit to qk4l/vault that referenced this pull request Feb 4, 2022
@cipherboy
Restrict ECDSA/NIST P-Curve hash function sizes for cert signing (has…
5e2c905 
…hicorp#12872)

* Restrict ECDSA signatures with NIST P-Curve hashes

When using an ECDSA signature with a NIST P-Curve, we should follow
recommendations from BIS (Section 4.2) and Mozilla's root store policy
(section 5.1.2) to ensure that arbitrary selection of signature_bits
does not exceed what the curve is capable of signing.

Related: hashicorp#11245

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to certutil.ValidateKeyTypeSignatureLength(...)

Replaces previous calls to certutil.ValidateKeyTypeLength(...) and
certutil.ValidateSignatureLength(...) with a single call, allowing for
curve<->hash validation.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch to autodetection of signature_bits

This enables detection of whether the caller manually specified a value
for signature_bits or not; when not manually specified, we can provision
a value that complies with new NIST P-Curve policy.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Select hash function length automatically

Due to our change in behavior (to default to -1 as the value to
signature_bits to allow for automatic hash selection), switch
ValidateKeyTypeSignatureLength(...) to accept a pointer to hashBits and
provision it with valid default values.

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Prevent invalid Curve size lookups

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Switch from -1 to 0 as default SignatureBits

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>

* Add changelog entry

Signed-off-by: Alexander Scheel <alex.scheel@hashicorp.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@sgmiller sgmiller sgmiller approved these changes

@ivana-mcconnell ivana-mcconnell ivana-mcconnell approved these changes

@divyapola5 divyapola5 Awaiting requested review from divyapola5

@rculpepper rculpepper Awaiting requested review from rculpepper

@stevendpclark stevendpclark Awaiting requested review from stevendpclark

@victorr victorr Awaiting requested review from victorr

@schultz-is schultz-is Awaiting requested review from schultz-is

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@cipherboy @sgmiller @ivana-mcconnell