Upgrade to ring 0.17
#98
Conversation
| CertificateKeyPairMismatch => write!(f, "The provided certificate's signature \ | ||
| algorithm is incompatible with the given key pair")?, | ||
|
|
||
| Time => write!(f, "Time error")?, | ||
| RemoteKeyError => write!(f, "Remote key error")?, | ||
| #[cfg(feature = "pem")] | ||
| PemError(e) => write!(f, "PEM error: {}", e)?, | ||
| PemError(_) => write!(f, "PEM error")?, |
There was a problem hiding this comment.
error doesn't contain any useful info?
There was a problem hiding this comment.
It does! But generally, it is more useful if an error returns its source via source. If you use something like anyhow, that will concatenate the various error messages for you. If you also include them in the Display implementation, you end up duplicating the message.
There was a problem hiding this comment.
Happy to drop that commit in case people disagree!
There was a problem hiding this comment.
I share the concerns written by yaahc in that thread, I think we should not implement the source function (and print the error instead).
Thing's like logging or printing errors directly, or panicking with
Result's containingE: Errortypes that haven't been converted to aReporterwill fail to introduce the party that is responsible for iterating over the sources and printing all of the errors.
|
Thanks! I wonder a little when the ring 0.17.0 release will be, the last alpha for it was almost one year ago. |
briansmith/ring#1504 (comment) looks like it might be soon? 🤞 |
|
Oh, CI is not green. Investigating. |
When possible, we should always delegate to the source error and have other utilities on top generate chains of the `Display`s.
This avoids depending on the deprecated `description_` function.
thomaseizinger
force-pushed
the
upgrade-to-latest-ring
branch
from
66f753f to
b777521
Compare
Turns I didn't test with all features. Should be green now! |
Interesting. Let's see whether it turns out to happen. briansmith/ring#1416 (comment) |
thomaseizinger
force-pushed
the
upgrade-to-latest-ring
branch
from
b777521 to
5ded8eb
Compare
|
If a goal of I.e. don't add an additional required argument to get basic functionality; have an additional method instead to customize it. |
The very basic top-level function for generating a certificate still defaults to This PR only exposes
I disagree with that. In an ideal world, APIs are orthogonal to each other. That will lead to more utility with a smaller number of APIs and fewer layers of indirection. If your usecase always requires a certain combination of parameters, write yourself a small wrapper that passes constant parameters in. |
| @@ -1333,14 +1335,17 @@ fn write_general_subtrees(writer :DERWriter, tag :u64, general_subtrees :&[Gener | |||
|
|
|||
| impl Certificate { | |||
| /// Generates a new certificate from the given parameters | |||
| /// | |||
| /// This function will generate a random (using `ring`'s [`SystemRandom`]) [`KeyPair`] if none is provided in the [`CertificateParams`]. | |||
| /// If you need to control the [`KeyPair`], set it ahead of time before calling this function. | |||
There was a problem hiding this comment.
| /// If you need to control the [`KeyPair`], set it ahead of time before calling this function. | |
| /// If you want to control the [`KeyPair`], set it ahead of time before calling this function. |
|
@iamjpotts makes some good points. I've done some research why we need to add the secure random generator here as a parameter. It seems it was exposed about one year ago, and is part of a mechanism for nonce hardening, introduced in briansmith/ring#662 , to protect from bad PRNGs, as this comment lays out. One comment in the PR alludes to it having been added because BoringSSL has it. IMO if you assume in your security model that the RNG is faulty, then you are into a lot of trouble, and I'm not sure software like ring is really hardened towards that goal anyways. E.g. does the RSA component suffer from a similar issue? I have to do more research, but maybe it's not worth the additional API complexity it adds, even for ring... As for the API complexity, this is definitely a negative impact. There are use cases to have custom random number generators, but they are quite rare. I generally want to make it customizeable, but I agree with @iamjpotts that this is making the API too complex. Also, we are not exposing the RNG in the I think an RNG would pass the complexity threshold where a builder pattern would make sense. That is, ideally you'd have functions both with and without RNG params, but they would add 5 more loading functions to |
The underlying reason why ECDSA needs an RNG is because when ECDSA was devised, it needed to be different enough from Schnorr signatures to not infringe with the patent that was still valid back then. The unfortunate consequence of the different design is that it needs a random number for each signature. If the RNG used here is bad, you will end up leaking your private key, given the attacker has a way of getting you to make enough signatures.
Our usecase is deterministic certificates to avoid having to write them to disk but derive them from some higher-level secret via HKDFs. We need to control the RNG so we can seed it accordingly. I don't think this is particularly uncommon. In fact, certificate pinning is quite common these days. That requires certificates to either be persistent or generate them deterministically from some other persistent secret. For a library whose whole job it is to generate self-signed certificates, allowing them to be deterministic seems quite useful to me. It makes dev-ops much easier because there are less secrets the user needs to backup / take care of.
That was an oversight in my patch then!
If exposing the RNG is a non-goal, then that is a show-stopper for us. Unrelated to this, a recent discussion revealed that depending on rcgen is probably to risky for us anyway so we are likely to go with a different solution of generating the certificate. I can invest a bit more time into this PR if you don't expect many changes but I'd be grateful if someone would just take it over :) |
We need randomness for each signature, yes. That's why we pass in a
Exposing the RNG is definitely a goal. I just thought it was low-priority because I hadn't heard of users who actually want it, and the way this PR is doing it is sub-optimal. I now have heard of users who want to customize the RNG, so it's less low-priority now :).
That's unfortunate to hear. Note that you are asking a lot from me when you ask for deterministic output not just between runs of the same program, but also deterministic output wrt I also doubt that I think if you want to improve determinism further, you might try @thomaseizinger my criteria for merging this PR are:
If you want to use rcgen in your linked PR, I recommend you to implement |
Ah yeah, I mixed it up. For some reason I thought schnorr doesn't need randomess but of course there is a nonce there too.
Yeah fair enough. Hopefully
I tried using the
All valid points. The less moving parts the better though. I've now pinned the version of
Unfortunately, browsers don't necessarily need to support ed25519. See https://developer.mozilla.org/en-US/docs/Web/API/RTCPeerConnection/generateCertificate#standard_configurations.
Okay, I can remove those API changes. I'll default to
Yes that makes total sense. I opened it as a draft because of that, didn't expect it to get merged before it is actually released. |
Yeah, webrtc tries to serialize the key pair. The panic message you refer to comes from us and it is issued when someone tries to do such serialization with remote key pairs. remote key pairs were designed with the use case of HSMs etc in mind where you don't have the private key, so trying to serialize it doesn't make much sense. This is I guess therefore more an issue in |
|
ring 0.17 is out: briansmith/ring@d34858a, it's time to revive this pr. |
|
@jiegec that's great news! I'd love to hear from @thomaseizinger if they still want to work on this PR or if we should look into updating ring on our own. There have been a bunch of refactorings since that made this PR get out of sync. From my understanding @thomaseizinger might not need the 0.17.0 update themselves any more? Let's give them until wednesday to respond if they want to work on this. |
|
Thanks for the ping! I was planning on booting this back up! My usecase is deterministic certificate generation which we still want. I'll check whether that is possible using the latest |
|
@thomaseizinger thanks for the confirmation ❤️ ! Looking forward to seeing ring 0.17 being supported :). |
|
Closing in favor of #166. |
This PR prepares the library for the next ring release. Most prominently,
ringnow exposes its randomness source properly forECDSAkeypairs. In a bigger context, this now allows for deterministic certificates!See melekes/rust-libp2p#12.