Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Decide how much of explicit curve support to drop #4684

Open
Tracked by #4666
randombit opened this issue Feb 14, 2025 · 1 comment
Open
Tracked by #4666

Decide how much of explicit curve support to drop #4684

randombit opened this issue Feb 14, 2025 · 1 comment

Comments

@randombit
Copy link
Owner

randombit commented Feb 14, 2025
edited
Loading

Ideally we would just no longer decode the explicit curve parameters block at all.

However this may be problematic

  • Botan until 2.2.0 (2017) used explicit curve encodings by default
  • BoringSSL still maintains support for explicit curves, with a comment that OpenSSL sometimes generates keys using it
  • Explicit curves have been prohibited in certs since forever, but certs also live a long time.

It's pretty likely that some non-zero number of live keys/certs exist which would no longer be parseable if support for explicit curves was completely removed.

Alternate plan

  • All support for encoding with explicit curves is still removed.
  • Continue to decode the parameters block but only accept it if it matches an existing group; you cannot create a new group implicitly by reading it. This also lets us skip all the expensive validation, since we only accept curves that are either builtin or that an application explicitly opted into. BoringSSL basically does this.
  • Require the generator to be uncompressed; this avoids having to do a modular square root prior to checking the parameters. Botan has never encoded explicit curve params using compressed points. It looks like OpenSSL might use compressed points in some circumstances, but the code is such a tangle it's hard to say. BoringSSL has rejected compressed points for the curve generator since 2016, so this seems safe enough to me.
@randombit randombit mentioned this issue Feb 14, 2025
Open
34 tasks
@randombit randombit changed the title Remove support for explicit curves Decide how much of explicit curve support to drop Feb 14, 2025
@davidben
Copy link

davidben commented Feb 14, 2025
edited
Loading

BoringSSL still maintains support for explicit curves, with a comment that OpenSSL sometimes generates keys using it

Small drive-by footnote: BoringSSL supports it when parsing private keys, but not public keys, so there's a data point that it may not be needed on the certificate, etc., side. TBH, we may even not be need it on the private key side by now, but I haven't tried. (Though I know I at least have to update some downstream unit tests to get rid of them.)

Our behavior was mostly because, at the time, I was able to check certificate transparency, etc., to get a sense of whether it existed in public keys, but I didn't have much visibility into whatever random keys we had stored in various places that may have been generated by a non-compliant version of OpenSSL.

Dunno how much you all can drop, but explicit curves are horrible, and any amount of support dropped helps get this stuff out of the ecosystem!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@davidben @randombit