Comments (2)
However, having this included in the signature preferences might be confusing to readers because the secp256r1 part of the signature is never validated.
Why is one of the possible solutions not to start enforcing the secp256rl part of the signature scheme?
Given only a single certificate and it's signature, you can't tell whether the signing key had an OID of rsaEncryption or rsassaPss, so we can't distinguish between s2n_rsa_pss_pss_sha512 and s2n_rsa_pss_rsae_sha512.
We have the full certificate chain though, don't we? Why can't we consider more than one certificate at a time?
from s2n-tls.
Why is one of the possible solutions not to start enforcing the secp256rl part of the signature scheme?
Given a goal of enforcing "key preferences", enforcing the key type in the IANA signature scheme would be necessary but not sufficient. IANA signature schemes are generally poorly suited to representing signature and key preferences because (nonexhaustively)
- They don't include size information about RSA keys certs
- They suffer from combinatoric qualities. For example there would be ~ 24 rsassaPss schemes.
|rsa sizes| * |rsa OID types| * |digest sizes|
We have the full certificate chain though, don't we?
We do have the full certificate chain, but only after validation, and all of its requisite expensive crypto operations have completed. If we are going to reject a cert, we should do that as early as possible to avoid throwing away work. Implementing path-aware validation before X509_verify has completed would mean that s2n-tls has to figure out the potential path. While this is solvable, it's complexity that I would prefer not to deal with.
from s2n-tls.
Related Issues (20)
- bug: s2n_handshake_type_set_tls12_flag causes TLS1.3 codepath to fail
- cleanup: Change tests to use new testlib function
- Support configurable s2n blinding delay HOT 2
- Investigate packing and alignment for internal/opaque structs
- Runtime instead of compile time support check for curves
- Unpin dependencies after bumping MSRV beyond 1.72
- Organize rust bindings dependency pins into single issue HOT 2
- Send zero-length TLS1.2 NewSessionTicket message if necessary
- Run tests on Ubuntu 24.04 in CI
- Migrate CI to Ubuntu 24 HOT 1
- Purge old priority labels HOT 2
- 6 tests failing with Error Message: 'Certificate is untrusted' when compiling on RHEL 9 HOT 8
- Avoid storing signature schemes in a separate buffer HOT 1
- Reuse MAC writing logic in s2n_record_read HOT 1
- add documentation for non-vendored rust bindings
- Add interoperability test for latest oqs-provider
- add "minimal test" option for binding generation
- add support for linking multiple copies of s2n-tls in an application HOT 2
- Nix: Amazon Corretto install on arm
- V2 Integration isssue on Arm/nix HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from s2n-tls.