crypto: modernize DH/ECDH/ECDH-ES#31178
Closed
tniessen wants to merge 5 commits intonodejs:masterfrom
Closed
Conversation
tniessen
added
wip
nodejs-github-bot
added
the
lib / src
BridgeAR
reviewed
Jan 3, 2020
tniessen
force-pushed
the
crypto-modernize-dh
branch
from
e394dd5 to
6261781
Compare
sam-github
reviewed
Jan 3, 2020
Contributor
sam-github
left a comment
sam-github
left a comment
There was a problem hiding this comment.
LGTM in principle, some comments on the WIP.
Member
|
I can confirm the missing ECDH-ES JWA algorithm support for x25519 and x448 keys is solved with this (closes #26626). @tniessen would it be possible to split the change to
Reason I ask is i'd like to see 1) backported to lts/erbium and in order to do that It would likely be easier if the change was as simple as possible. |
Contributor
|
@panva Since either the whole PR, or a subset, are semver-minor, there isn't anything blocking backporting to LTS. |
Member
|
Great. |
bnoordhuis
reviewed
Jan 4, 2020
Member
bnoordhuis
left a comment
bnoordhuis
left a comment
There was a problem hiding this comment.
Overall direction seems okay to me.
tniessen
force-pushed
the
crypto-modernize-dh
branch
from
6261781 to
0dfa9c5
Compare
Member
Author
|
Thank you for the initial round of reviews, I'll try to finish up within the next few days.
I would happily accept alternative directions! This is the best I came up with so far :) |
addaleax
reviewed
Jan 4, 2020
tniessen
force-pushed
the
crypto-modernize-dh
branch
4 times, most recently
from
27d73df to
78043cc
Compare
lundibundi
reviewed
Jan 5, 2020
Member
lundibundi
left a comment
lundibundi
left a comment
There was a problem hiding this comment.
Few nits regarding error handling.
tniessen
force-pushed
the
crypto-modernize-dh
branch
from
78043cc to
eb347a5
Compare
16 tasks
tniessen
force-pushed
the
crypto-modernize-dh
branch
from
eb347a5 to
bc309fb
Compare
tniessen
force-pushed
the
crypto-modernize-dh
branch
from
e98c950 to
4378c9d
Compare
Member
Author
|
@nodejs/crypto PTAL. |
tniessen
force-pushed
the
crypto-modernize-dh
branch
from
4378c9d to
70dc715
Compare
tniessen
force-pushed
the
crypto-modernize-dh
branch
2 times, most recently
from
62197f1 to
a962a3d
Compare
addaleax
pushed a commit
that referenced
this pull request
Mar 11, 2020
Refs: #31178 Refs: #31445 PR-URL: #31873 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: David Carlier <devnexen@gmail.com> Reviewed-By: Luigi Pinca <luigipinca@gmail.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Ruben Bridgewater <ruben@bridgewater.de>
2 tasks
targos
pushed a commit
to targos/node
that referenced
this pull request
Apr 25, 2020
The new key type 'dh' corresponds to EVP_PKEY_DH. PR-URL: nodejs#31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
to targos/node
that referenced
this pull request
Apr 25, 2020
PR-URL: nodejs#31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
to targos/node
that referenced
this pull request
Apr 25, 2020
This allows using the generateKeyPair API for DH instead of the old stateful DH APIs. PR-URL: nodejs#31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
to targos/node
that referenced
this pull request
Apr 25, 2020
Currently, Node.js has separate (stateful) APIs for DH/ECDH, and no support for ECDH-ES. This commit adds a single stateless function to compute the DH/ECDH/ECDH-ES secret based on two KeyObjects. PR-URL: nodejs#31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
to targos/node
that referenced
this pull request
Apr 25, 2020
test-crypto-keygen and test-crypto-dh-stateless are currently flaky on ARM CI systems due to their slow CPUs. PR-URL: nodejs#31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
that referenced
this pull request
Apr 28, 2020
The new key type 'dh' corresponds to EVP_PKEY_DH. PR-URL: #31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
that referenced
this pull request
Apr 28, 2020
PR-URL: #31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
that referenced
this pull request
Apr 28, 2020
This allows using the generateKeyPair API for DH instead of the old stateful DH APIs. PR-URL: #31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
that referenced
this pull request
Apr 28, 2020
Currently, Node.js has separate (stateful) APIs for DH/ECDH, and no support for ECDH-ES. This commit adds a single stateless function to compute the DH/ECDH/ECDH-ES secret based on two KeyObjects. PR-URL: #31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
targos
pushed a commit
that referenced
this pull request
Apr 28, 2020
test-crypto-keygen and test-crypto-dh-stateless are currently flaky on ARM CI systems due to their slow CPUs. PR-URL: #31178 Reviewed-By: Sam Roberts <vieuxtech@gmail.com>
8 tasks
Member
|
@tniessen I noticed some test excludes in the parallel tests: Since this PR is closed I'm wondering if they are still needed and/or there is an open issue that should be listed instead of this one as to why they are excluded? |
Member
Author
|
@mhdawson These tests were disabled because they kept timing out. I "temporarily disabled" them more than two years ago, see #31178 (comment) 😄 |
abhishekumar-tyagi
pushed a commit
to abhishekumar-tyagi/node
that referenced
this pull request
May 5, 2024
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
12 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This adds support for DH/ECDH/ECDH-ES via the
KeyObjectAPI, and should fix #26626. I also added DH support togenerateKeyPair, which is a partial solution to #28404. There are still lots of things I need to figure out, but I would like to see if people are okay with this approach.(Note that the current API does not support "raw" DH keys, only SPKI/PKCS#8 keys are supported as of now. That will likely change via the previously discussed
.params/.fieldsAPIs.)cc @nodejs/crypto @nodejs/security
Checklist
make -j4 test(UNIX), orvcbuild test(Windows) passes