-
-
Notifications
You must be signed in to change notification settings - Fork 204
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add implementation for mbedtls #261
base: master
Are you sure you want to change the base?
Conversation
Co-authored-by: Scott Mabin <[email protected]>
612f281
to
ecc5b15
Compare
ecc5b15
to
045578a
Compare
5bc8555
to
50445dd
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Let's investigate if MbedTLS can have more things Sync.
50445dd
to
9b22720
Compare
fn pkcs12_decode_key_bag<B: AsRef<[u8]>>( | ||
key_bag: &p12::EncryptedPrivateKeyInfo, | ||
pass: B, | ||
) -> Result<Vec<u8>, Error> { | ||
// try to decrypt the key with algorithms supported by p12 crate | ||
if let Some(decrypted) = key_bag.decrypt(pass.as_ref()) { | ||
Ok(decrypted) | ||
// try to decrypt the key with algorithms supported by pkcs5 standard | ||
} else if let p12::AlgorithmIdentifier::OtherAlg(_) = key_bag.encryption_algorithm { | ||
// write the algorithm identifier back to DER format | ||
let algorithm_der = | ||
yasna::construct_der(|writer| key_bag.encryption_algorithm.write(writer)); | ||
// and construct pkcs5 decoder from it | ||
let scheme = pkcs5::EncryptionScheme::try_from(&algorithm_der[..])?; | ||
|
||
Ok(scheme.decrypt(pass.as_ref(), &key_bag.encrypted_data)?) | ||
} else { | ||
Err(Error::Custom( | ||
"Unsupported key encryption algorithm".to_owned(), | ||
)) | ||
} | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Custom pkcs12 treatment is there only because rust-mbedtls
implementation doesn't support pbes2 encrypted keys (which is openssl's default). I'll try to provide support for it directly in mbedtls instead
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@sfackler @jethrogb
I've checked and we could add an implementation of pbes2 to rust-mbedtls, however from encryption schemes defined by pkcs5 rfc, MbedTls has support only for des-cbc and des-ede3-cbc.
rc2-cbc, rc5-cbc and aes-cbc are missing and aes-cbc is openssl's default when running openssl pkcs12 -export
.
rc2 and rc5 are also missing in pkcs5
crate, so it seems to be all about AES.
Moreover, des-cbc is considered insecure: 'Although its short key length of 56 bits makes it too insecure for modern applications' wiki
Here are the options:
- Add native (MbedTls) support for pbes2 in
rust-mbedtls
and use it there, only allowing des-cbc and des-ede3-cbc encryption schemes and providing compatible.p12
forrust-native-tls
tests - Add non-native (using pkcs5 crate) suppert for pbes2 in
rust-mbedtls
and maybe hide it behind feature flag, allowing also aes-cbc - Keep this implementation and don't use
rust-mbedtls
for pbes2 (however if I'll have some spare time I'll likely issue a PR forrust-mbedtls
anyway as I've already written most of the implementation)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Mbed-TLS/mbedtls#7024
Mbed-TLS/mbedtls#7038
It's possible AES will get support in MbedTls at some point, but it'll probably require rust-mbedtls to update to 3.x then, which can be major effort
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it'll probably require rust-mbedtls to update to 3.x
This is actually ongoing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The preferred way of solving this would be to add support for AES in MbedTls
: Mbed-TLS/mbedtls#7604
then pull it into rust-mbedtls
and use it directly here
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
9b22720
to
3dce867
Compare
@sfackler you wrote
Can we deprecate the p12 API and not require it for new platform implementations? |
Yo,
this is my attempt to resolve #211. The implementation is based on the initial work done by @MabezDev.
There are a few things worth mentioning, where I'd like to use some guidance:
this breaks api compatibility. I've changedfn get_ref(&self) -> &S
andfn get_mut(&mut self) -> &mut S
tofn get_ref(&self) -> impl Deref<Target = S>
andfn get_mut(&mut self) -> impl DerefMut<Target = S>
. I'm not sure if that's required, I started with a bit different implementation, but it's the non-unsafe way to haveTlsStream
implSync
. I've checked 3 top dependant crates:Reqwest
,hyper-tls
andtokio-native-tls
and only the last one failed, on tests ofsmoke.rs
. If we decide to go this way I'm happy to run tests on all dependant crates and create the issues that'll warn about bumping this. If not, I can try the other ways. The other possible solutions would be to make this change only on mbedtls targets (but not uniform api is a painpoint) / try to implement this differently (but likely with unsafe).mbedtls
.A disclaimer, I'm not really familiar with HTTPS/TLS/SSL spec and implementations and also with networking in general 😅 so I'll be thankful for a careful review