Comments (23)
@baentsch do you have any guidance on this?
from oqs-demos.
When running oqs-Chrome from a terminal, this error message is emitted when loading the cert above:
[1949:1949:0710/102038.438671:ERROR:nsNSSCertificateDB.cpp(89)] PK11_ImportCert failed with error -8168
This in turn to me means that Chromium uses (NSS') PKCS#11 API (store?) for maintaining certificates -- and I'm not aware of anyone who has begun to OQS-enable NSS, so a rejection of an OQS-cert seems logical. @xvzcf, @dstebila, @jschanck : Does either of you know more about NSS (an OQS-enablement thereof)? Do we know anyone at Mozilla who might be interested in this? And if NSS P11 is not the problem (to be determined), does anyone know what's implementing that API for Chromium?
@tylerleblond @taylormadehdz : Can you share what's your use case for this? We always only intended Chromium to be a demonstration, not a full-feature OQS browser integration -- but if there is serious interest, someone might look into it.
from oqs-demos.
And if NSS P11 is not the problem (to be determined), does anyone know what's implementing that API for Chromium?
Answering my own question: Looks like it's really libnss(3) (failing to) provide that functionality.
So, indeed, it seems OQS-cert import won't work in Chromium until (lib)NSS is OQS-enabled. Nothing oqs-demos/chromium can do about it (short of creating a new project: Volunteers welcome :)
from oqs-demos.
Would there be a way to use a different lib for maintaining certificates?
Our use case is to migrate a chat app on one system to make it quantum safe for prototyping activities. @baentsch ... any other ideas for workarounds?
from oqs-demos.
Would there be a way to use a different lib for maintaining certificates?
(OQS-)OpenSSL handles QSC certs just fine -- but then again, chromium doesn't use OSSL by default for all I know -- although there seem to be historical traces of chromium being able to utilize OpenSSL...
Our use case is to migrate a chat app on one system to make it quantum safe for prototyping activities. @baentsch ... any other ideas for workarounds?
Loads -- but I'm constrained by not knowing whether you're free to choose the chat app to QSC-enable. If that were possible, why not look for one using openssl as transport? Next idea: Why not completely do away with application-integrated (QSC-)confidentiality and use (oqs-)SSH instead (obviously only works with a-priori known chat partners)? Third, if for some reason you are bound to chromium, changing the cert-storage to one based on OSSL may be an option -- but that may be convoluted: I never checked all chromium cert-interaction points in that regard. But then again, I don't understand why chromium uses PKCS#11 for server cert storage to begin with: Normally, one would only use that for client certs... Simple file-storage (with a validation layer) might have been sufficient....
from oqs-demos.
Okay we're pretty set on using Chromium... Here is the sitch:
Quantum safe Chromium can connect to OQS test server using the quantum safe cert
Quantum safe HA proxy can connect to OQS test server with curl
Want to connect HA proxy & chromium, chromium does not accept
Would we be able to use the private server cert that Chromium does recognize when connecting to OQS test server on HA Proxy? I.e., is there a way for us to download that from y'all directly to upload to our HA proxy?
About cert-interaction points:
Alternatively, when you said changing cert-interaction points, that would require us to build Chromium from scratch (following directions on repo), correct? We have been using the binary.
from oqs-demos.
Would we be able to use the private server cert that Chromium does recognize when connecting to OQS test server on HA Proxy? I.e., is there a way for us to download that from y'all directly to upload to our HA proxy?
I'm not sure I understand: The CA cert at the OQS test server is plain, boring classic crypto: You can create such cert (incl. private key) yourself (and subsequently import to HAproxy, Chromium, whatever). Also, you can create CA-signed private server certs (of any kind, incl. QSC) also yourself (e.g., using the oqs-curl docker image): Why would you thus need "our" server certs?
that would require us to build Chromium from scratch (following directions on repo), Correct?
Yes (after mod'ing the source suitably). Just takes a day -- or a good many-core machine :-)
from oqs-demos.
On it :)
from oqs-demos.
@taylormadehdz : Any news on the above? I'd further suggest changing the title to "Add OQS to libnss" (tagged as future-work, help-wanted)
from oqs-demos.
Like #52 this issue is due to Chromium not using openssl but libnss for certificate management. Until there is wider or libnss upstream interest in this feature (any inside insight about this, @jschanck ?) close this issue pointing to oqs-epiphany if someone wants to use QSC certificates with a browser.
from oqs-demos.
Hello, I just wanted to reopen this issue since @taylormadehdz and I have plans to try and adjust NSS to accommodate PQC certificates on Chromium. @baentsch, since last year have you heard of any developments to update libnss for this feature? We've done some basic exploration of the libnss codebase, but I wanted to check with you to see if anybody has gotten anywhere so we don't replicate other efforts.
from oqs-demos.
No, I'm not aware of activities to add OQS code to libnss (but would be glad to see that happen -- if only for selfish reasons of not having to add another column to the IETF PQ cert hackathon interop test matrix :). And obviously I much less know whether anyone is adding any (other) PQ cert code to libnss. In sum, by all means, let's reopen this. Thanks, @takao8 @taylormadehdz for suggesting this.
from oqs-demos.
For OQS in NSS, I'm aware of this.
from oqs-demos.
For OQS in NSS, I'm aware of this.
Thanks for the information, @xvzcf ! I'm not entirely sure how to read this: Is this an integration of the OQS APIs (that would enable PQ certs, too) or rather a Cloudflare-specific code integration supporting their x25519_kyber768 KEM (only)?
If the latter, it doesn't help this issue. If the former, would it be helpful/possible for @takao8 @taylormadehdz to contribute there to move things forward more quickly?
from oqs-demos.
The PR indeed does not involve liboqs, but Robert Relyea in that comment stated that he's currently working on liboqs integration, which will give us all the NIST kyber variants [...] as well as the PQ signing algorithms, so it might be worthwhile contacting him.
from oqs-demos.
so it might be worthwhile contacting him
Absolutely. Do you know him/could touch base with him? Or do you know his github handle we could post here to get his input to this discussion?
from oqs-demos.
Absolutely. Do you know him/could touch base with him? Or do you know his github handle we could post here to get his input to this discussion?
I emailed him.
from oqs-demos.
Since Chromium is using its own root store, you may try to hard code your root CA into the Chromium source code
from oqs-demos.
Since Chromium is using its own root store, you may try to hard code your root CA into the Chromium source code
Thanks for the pointer. How would this solve the issue of quantum safe server certificates/chains not being verifiable in Chromium, though? Isn't libnss still providing the code for this logic? If this code is not PQ-enabled, shouldn't verification fail right away -- before even hitting the root cert?
from oqs-demos.
Thanks for the pointer. How would this solve the issue of quantum safe server certificates/chains not being verifiable in Chromium, though? Isn't libnss still providing the code for this logic? If this code is not PQ-enabled, shouldn't verification fail right away -- before even hitting the root cert?
The webpage I linked above explicitly mentions
Historically, Chrome integrated certificate verification processes with the platform on which it was running. This resulted in inconsistent user experiences across platforms, while also making it difficult for developers to understand Chrome's expected behavior. ... Once complete, the launch of the Chrome Certificate Verifier will ensure users have a consistent experience across platforms, that developers have a consistent understanding of Chrome's behavior, and that Chrome better protects the security and privacy of users' connections to websites.
So I think if the root certificate is in Chrome Root Store, then libnss is not providing the code for this logic; instead, the Chrome Certificate Verifier will build and verify the certificate chain.
In PR #210, we provided a way to make Chrome Certificate Verifier able to verify quantum safe server certificates/chains.
from oqs-demos.
@xvzcf @baentsch Should we close this issue since Chrome is using Chrome Certificate Verifier and Chrome Root Store now? Especially as Chrome dropped libnss (chromium/chromium@9942b74).
from oqs-demos.
Is there a new issue recently with acceptance of CA certs in Chrome 124.0.6367.91?
I'm getting the error: [29771:29771:0429/142921.004838:ERROR:nsNSSCertificateDB.cpp(95)] PK11_ImportCert failed with error -8168
from oqs-demos.
Is there a new issue recently with acceptance of CA certs in Chrome 124.0.6367.91? I'm getting the error: [29771:29771:0429/142921.004838:ERROR:nsNSSCertificateDB.cpp(95)] PK11_ImportCert failed with error -8168
Are you importing a CA that uses quantum-safe algorithms? If yes, then this is expected.
from oqs-demos.
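The thread ends with the practical rule of thumb that an NSS/PKCS#11-backed store rejects a CA cert signed with a quantum-safe algorithm. The following added example (not code from oqs-demos, Chromium or NSS) reads the outer signatureAlgorithm OID out of a DER certificate and reports whether it is one of the classical OIDs NSS knows, so a defender can predict the PK11_ImportCert failure before trying the import; the two DER inputs are constructed stand-ins, the PQ OID is a placeholder, and the name given for NSS error offset 24 is from memory, not from the page.

```python
# Added example, not part of the oqs-demos thread: predict whether an NSS-backed
# certificate store will understand a certificate's signatureAlgorithm OID.

# Classical signature OIDs (RFC 5758 / RFC 8410); anything else is reported as unknown.
CLASSICAL_SIG_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.3.101.112": "Ed25519",
}
SEC_ERROR_BASE = -8192  # NSS secerr.h: SEC_ERROR_BASE = -0x2000; codes are BASE + offset


def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content):
    """Decode OID content octets (base-128 arcs, high bit = continuation) to dotted form."""
    arcs, acc = [content[0] // 40, content[0] % 40], 0
    for b in content[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_oid(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, body, _ = read_tlv(cert_der, 0)
    assert tag == 0x30, "outer element must be a SEQUENCE"
    _, _, after_tbs = read_tlv(body, 0)          # skip tbsCertificate
    _, alg_id, _ = read_tlv(body, after_tbs)     # AlgorithmIdentifier SEQUENCE
    tag, oid, _ = read_tlv(alg_id, 0)
    assert tag == 0x06, "AlgorithmIdentifier must start with an OID"
    return decode_oid(oid)


def classify(cert_der):
    """Return (known_to_nss, algorithm_name_or_oid) for the certificate's signature OID."""
    oid = signature_oid(cert_der)
    return oid in CLASSICAL_SIG_OIDS, CLASSICAL_SIG_OIDS.get(oid, "non-classical OID " + oid)


def nss_error_offset(code):
    """Offset from SEC_ERROR_BASE; -8168 gives 24 (assumed: SEC_ERROR_ADDING_CERT)."""
    return code - SEC_ERROR_BASE


# Constructed stand-ins (not real certificates): dummy tbsCertificate, the AlgorithmIdentifier
# under test, and an empty BIT STRING. PQ_CERT uses placeholder OID 1.3.6.1.4.1.99999.1.
ECDSA_CERT = bytes.fromhex("3015" "3003020102" "300a06082a8648ce3d040302" "03020000")
PQ_CERT = bytes.fromhex("3016" "3003020102" "300b06092b06010401868d1f01" "03020000")
```

Running classify() on a real DER file (`open(path, "rb").read()`) works the same way, since only the outer three-element SEQUENCE is parsed.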