
Add OQS to libnss (enabling loading quantum safe certificate into Chromium) #92

Open
tylerleblond opened this issue Jul 9, 2021 · 25 comments
Labels
future work This issue is something that may or may not be dealt with help wanted Asking for support from non-core team

Comments

@tylerleblond

Hello,

I am currently trying to use the quantum-safe Chromium (0.5.0) build as a client to connect to the OQS haproxy container using its default certificate generation settings (the default signature algorithm used is dilithium3 according to this page: https://github.com/open-quantum-safe/oqs-demos/tree/main/haproxy). I tried to load the CA certificate from the haproxy container into Chromium but got the following error:

[screenshot: Screen Shot 2021-07-09 at 12 51 02 PM]

I have verified that I am able to use Curl with this certificate for authentication to access the haproxy, so it is not an issue with the certificate.

It appears that I obtain this error when I try to install certificates that use quantum-safe digital signature algorithms. For example, making use of the OQS fork of OpenSSL contained within the Curl container, I run the following command with <SIG_ALGO> = dilithium2, dilithium3, RSA, and falcon512:

docker run -v "$(pwd)":/opt/tmp -it openquantumsafe/curl openssl req -x509 -new -newkey <SIG_ALGO> -keyout /opt/tmp/CA.key -out /opt/tmp/CA.crt -nodes -subj "/CN=oqstest CA" -days 365

The certificates that used dilithium2, dilithium3, and falcon512 failed to load, but the certificate that used RSA loaded just fine.

Any help is appreciated!

Here is the certificate that I grabbed from within the haproxy container:

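An added example, not code from this thread or from the oqs-demos project: a small pure-Python DER walker that reads the outer signatureAlgorithm OID of a PEM certificate and reports whether it is a classical algorithm an NSS certificate database can import, so certs produced by the openssl req loop above can be sorted into "will load" and "will fail like dilithium/falcon" before any import attempt. The classical OID table is the well-known set; fake_cert_pem builds a constructed certificate skeleton (placeholder TBS, empty signature) purely as sample input, and is an assumption of this example, not a real certificate.

```python
import base64, re

# Classical signature OIDs an NSS cert DB knows (well-known values).
CLASSICAL_SIG_OIDS = {"1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
                      "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
                      "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
                      "1.2.840.10045.4.3.3": "ecdsa-with-SHA384"}

def _tlv(buf, pos):  # read one DER tag/length at pos -> (tag, value_start, value_end)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                      # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + ln
def _decode_oid(b):  # DER OID content bytes -> dotted string
    arcs, cur = list(divmod(b[0], 40)), 0
    for x in b[1:]:
        cur = (cur << 7) | (x & 0x7F)
        if not x & 0x80:
            arcs.append(cur); cur = 0
    return ".".join(map(str, arcs))
def signature_oid(pem):  # dotted OID of the outer Certificate.signatureAlgorithm
    der = base64.b64decode(re.sub(r"-----[^-]+-----|\s", "", pem))
    _, pos, _ = _tlv(der, 0)          # Certificate SEQUENCE
    _, _, pos = _tlv(der, pos)        # skip tbsCertificate entirely
    _, pos, _ = _tlv(der, pos)        # signatureAlgorithm SEQUENCE
    tag, s, e = _tlv(der, pos)        # AlgorithmIdentifier.algorithm
    assert tag == 0x06, "expected OBJECT IDENTIFIER"
    return _decode_oid(der[s:e])
def classify(pem):  # -> (oid, name, importable); importable is False for non-classical OIDs
    oid = signature_oid(pem)
    return oid, CLASSICAL_SIG_OIDS.get(oid, "unknown (PQ/OQS?)"), oid in CLASSICAL_SIG_OIDS

# --- constructed sample input (NOT a real certificate; short-form lengths only) ---
def _der(tag, body):
    return bytes([tag, len(body)]) + body
def _encode_oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    out = bytearray([a[0] * 40 + a[1]])
    for v in a[2:]:
        chunk = [v & 0x7F]
        while v > 0x7F:
            v >>= 7; chunk.insert(0, (v & 0x7F) | 0x80)
        out += bytes(chunk)
    return bytes(out)
def fake_cert_pem(sig_oid):  # skeleton Certificate: placeholder TBS, given sig alg, empty signature
    tbs = _der(0x30, _der(0x02, b"\x01"))
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00"))
    return "-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(cert).decode()
```

Run classify() on the CA.crt files from the loop above: the RSA one maps to a named classical OID, the dilithium/falcon ones come back as unknown, which matches the import behaviour reported here.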

@taylormadehdz

@baentsch do you have any guidance on this?

@baentsch
Member

baentsch commented Jul 10, 2021

When running oqs-Chrome from a terminal, this error message is emitted when loading the cert above:

[1949:1949:0710/102038.438671:ERROR:nsNSSCertificateDB.cpp(89)] PK11_ImportCert failed with error -8168

This in turn to me means that Chromium uses (NSS') PKCS#11 API (store?) for maintaining certificates -- and I'm not aware of anyone who has begun to OQS-enable NSS, so a rejection of an OQS cert seems logical. @xvzcf, @dstebila, @jschanck: Do any of you know more about NSS (an OQS-enablement thereof)? Do we know anyone at Mozilla who might be interested in this? And if NSS P11 is not the problem (to be determined), does anyone know what's implementing that API for Chromium?

@tylerleblond @taylormadehdz : Can you share what's your use case for this? We always only intended Chromium to be a demonstration, not a full-feature OQS browser integration -- but if there is serious interest, someone might look into it.

@baentsch
Member

And if NSS P11 is not the problem (to be determined), does anyone know what's implementing that API for Chromium?

Answering my own question: Looks like it's really libnss(3) (failing to) provide that functionality.

So, indeed, it seems OQS-cert import won't work in Chromium until (lib)NSS is OQS-enabled. Nothing oqs-demos/chromium can do about it (short of creating a new project: Volunteers welcome :)

@taylormadehdz

Would there be a way to use a different lib for maintaining certificates?

Our use case is to migrate a chat app on one system to make it quantum safe for prototyping activities. @baentsch ... any other ideas for workarounds?

@baentsch
Member

Would there be a way to use a different lib for maintaining certificates?

(OQS-)OpenSSL handles QSC certs just fine -- but then again, chromium doesn't use OSSL by default for all I know -- although there seem to be historical traces of chromium being able to utilize OpenSSL...

Our use case is to migrate a chat app on one system to make it quantum safe for prototyping activities. @baentsch ... any other ideas for workarounds?

Loads -- but I'm constrained by not knowing whether you're free to choose the chat app to QSC-enable. If that were possible, why not look for one using openssl as transport? Next idea: Why not completely do away with application-integrated (QSC-)confidentiality and use (oqs-)SSH instead (obviously only works with a-priori known chat partners)? Third, if for some reason you are bound to chromium, changing the cert storage to one based on OSSL may be an option -- but that may be convoluted: I never checked all chromium cert-interaction points in that regard. But then again, I don't understand why chromium uses PKCS#11 for server cert storage to begin with: Normally, one would only use that for client certs... Simple file storage (with a validation layer) might have been sufficient....

@taylormadehdz

taylormadehdz commented Jul 13, 2021

Okay, we're pretty set on using Chromium... Here is the sitch:

Quantum-safe Chromium can connect to the OQS test server using the quantum-safe cert.
Quantum-safe HAProxy can connect to the OQS test server with curl.
We want to connect HAProxy & Chromium; Chromium does not accept.

Would we be able to use the private server cert that Chromium does recognize when connecting to OQS test server on HA Proxy? I.e., is there a way for us to download that from y'all directly to upload to our HA proxy?

About cert-interaction points:

Alternatively, when you said changing cert-interaction points, that would require us to build Chromium from scratch (following the directions on the repo), correct? We have been using the binary.

@baentsch
Member

Would we be able to use the private server cert that Chromium does recognize when connecting to OQS test server on HA Proxy? I.e., is there a way for us to download that from y'all directly to upload to our HA proxy?

I'm not sure I understand: The CA cert at the OQS test server is plain, boring classic crypto: You can create such cert (incl. private key) yourself (and subsequently import to HAproxy, Chromium, whatever). Also, you can create CA-signed private server certs (of any kind, incl. QSC) also yourself (e.g., using the oqs-curl docker image): Why would you thus need "our" server certs?

that would require us to build Chromium from scratch (following directions on repo), Correct?

Yes (after mod'ing the source suitably). Just takes a day -- or a good many-core machine :-)

@taylormadehdz

On it :)

@baentsch
Member

@taylormadehdz : Any news on the above? I'd further suggest changing the title to "Add OQS to libnss" (tagged as future-work, help-wanted)

@baentsch baentsch changed the title Error loading quantum safe certificate into Chromium Add OQS to libnss (enabling loading quantum safe certificate into Chromium) Aug 7, 2021
@baentsch baentsch added future work This issue is something that may or may not be dealt with help wanted Asking for support from non-core team labels Aug 7, 2021
@baentsch
Member

Like #52, this issue is due to Chromium not using openssl but libnss for certificate management. Until there is wider or libnss-upstream interest in this feature (any inside insight about this, @jschanck?), closing this issue, pointing to oqs-epiphany if someone wants to use QSC certificates with a browser.

@takao8

takao8 commented Mar 9, 2023

Hello, I just wanted to reopen this issue since @taylormadehdz and I have plans to try and adjust NSS to accommodate PQC certificates on Chromium. @baentsch, since last year have you heard of any developments to update libnss for this feature? We've done some basic exploration of the libnss codebase, but I wanted to check with you to see if anybody has gotten anywhere so we don't replicate other efforts.

@baentsch
Member

baentsch commented Mar 9, 2023

No, I'm not aware of activities to add OQS code to libnss (but would be glad to see that happen -- if only for selfish reasons of not having to add another column to the IETF PQ cert hackathon interop test matrix :). And obviously I know much less about whether anyone is adding any (other) PQ cert code to libnss. In sum, by all means, let's reopen this. Thanks, @takao8 @taylormadehdz, for suggesting this.

@baentsch baentsch reopened this Mar 9, 2023
@xvzcf
Contributor

xvzcf commented Mar 9, 2023

For OQS in NSS, I'm aware of this.

@baentsch
Member

For OQS in NSS, I'm aware of this.

Thanks for the information, @xvzcf! I'm not entirely sure how to read this: Is this an integration of the OQS APIs (that would enable PQ certs, too) or rather a Cloudflare-specific code integration supporting their x25519_kyber768 KEM (only)?

If the latter, it doesn't help this issue. If the former, would it be helpful/possible for @takao8 @taylormadehdz to contribute there to move things forward more quickly?

@xvzcf
Contributor

xvzcf commented Mar 10, 2023

The PR indeed does not involve liboqs, but Robert Relyea in that comment stated that he's currently working on liboqs integration, which will give us all the NIST kyber variants [...] as well as the PQ signing algorithms, so it might be worthwhile contacting him.

@baentsch
Member

so it might be worthwhile contacting him

Absolutely. Do you know him / could you touch base with him? Or do you know his GitHub handle, which we could post here to get his input to this discussion?

@xvzcf
Contributor

xvzcf commented Mar 26, 2023

Absolutely. Do you know him/could touch base with him? Or do you know his github handle we could post here to get his input to this discussion?

I emailed him.

@Raytonne
Contributor

Raytonne commented Jul 1, 2023

Since Chromium is using its own root store, you may try to hard code your root CA into the Chromium source code

@baentsch
Member

baentsch commented Jul 1, 2023

Since Chromium is using its own root store, you may try to hard code your root CA into the Chromium source code

Thanks for the pointer. How would this solve the issue of quantum safe server certificates/chains not being verifiable in Chromium, though? Isn't libnss still providing the code for this logic? If this code is not PQ-enabled, shouldn't verification fail right away -- before even hitting the root cert?

@Raytonne
Contributor

Raytonne commented Jul 1, 2023

Thanks for the pointer. How would this solve the issue of quantum safe server certificates/chains not being verifiable in Chromium, though? Isn't libnss still providing the code for this logic? If this code is not PQ-enabled, shouldn't verification fail right away -- before even hitting the root cert?

The webpage I linked above explicitly mentions

Historically, Chrome integrated certificate verification processes with
the platform on which it was running. This resulted in inconsistent user
experiences across platforms, while also making it difficult for
developers to understand Chrome's expected behavior. ... Once complete,
the launch of the Chrome Certificate Verifier will ensure users have a
consistent experience across platforms, that developers have a
consistent understanding of Chrome‘s behavior, and that Chrome better
protects the security and privacy of users’ connections to websites.

So I think if the root certificate is in Chrome Root Store, then libnss is not providing the code for this logic; instead, the Chrome Certificate Verifier will build and verify the certificate chain.

In PR #210 , we provided a way to make Chrome Certificate Verifier able to verify quantum safe server certificates/chains.

@Raytonne
Contributor

Raytonne commented Oct 11, 2023

@xvzcf @baentsch Should we close this issue since Chrome is using the Chrome Certificate Verifier and Chrome Root Store now? Especially since Chrome dropped libnss: chromium/chromium@9942b74

@nickforsythbarr
Contributor

Is there a new issue recently with acceptance of CA certs in Chrome 124.0.6367.91?
I'm getting the error: [29771:29771:0429/142921.004838:ERROR:nsNSSCertificateDB.cpp(95)] PK11_ImportCert failed with error -8168

@Raytonne
Contributor

is there a new issue recently with acceptance of CA certs in Chrome 124.0.6367.91 Im getting the error: [29771:29771:0429/142921.004838:ERROR:nsNSSCertificateDB.cpp(95)] PK11_ImportCert failed with error -8168

Are you importing a CA that uses quantum-safe algorithms? If yes, then this is expected.

@nickforsythbarr
Contributor

nickforsythbarr commented May 23, 2024

For those seeking a fix who find their way here: this appears to work, allowing Chrome, VS Code, etc. to respect the CA:
(Ubuntu 24.04, Chrome 125.0.6422.76, Code 1.89.1)

# sudo chmod -R 766 /home/username/.pki/
# certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "CertName" -i /usr/share/ca-certificates/your_ca.crt

@Raytonne
Contributor

# sudo chmod -R 766 /home/username/.pki/ # certutil -d sql:$HOME/.pki/nssdb -A -t "CT,c,c" -n "CertName" -i /usr/share/ca-certificates/your_ca.crt

Thank you for the update! Could you update oqs-demos/blob/main/chromium/USAGE.md and create a PR?
