-
Notifications
You must be signed in to change notification settings - Fork 30.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generalized provisioning of crypto keys from OpenSSL engines and/or providers #43653
Comments
Can you post an example of what you think the API should look like? |
Riffing off the existing APIs, specifically...
I think I want to extend
So, for example, using the OpenSC PKCS#11 engine, I could write something like
(For this engine, the suitable key identifiers are PKCS#11 URIs or its custom naming scheme.) Using https://github.com/auth0/node-jwa as an example consumer of such an API, we see that it simply passes its This kind of pass-through extends quite high in application stacks and would address at least one of my two examples (octokit/auth-app.js#336) quite nicely: because private keys are simply passed down
the proposed API change would mean that changing only the very top of an OctoKit.js GitHub App (or even its json configuration file), from specifying a (The other example, Azure/azure-sdk-for-js#22011, starts off well from In any case, all of that argues, I think, for the suitability of this kind of extension to |
Seems reasonable. For feature parity there should probably be a similar "bridge" in cc @nodejs/crypto - needs your input. |
I'll take the lack of comments as quiet approval. :-) @nwf-msr Want to open a pull request? |
See octokit/auth-app.js#336 and nodejs/node#43653 for what I'd like to achieve here.
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document. |
Please don't close this as "stale". It's still an outstanding issue. |
@nwf-msr if no one is going to work on it, then the right course of action is to eventually close it. Keeping all feature requests open indefinitely isn't really workable for a project the size of node.js, you end up with 10,000+ open issues. |
It looks like awesome work has been done but Node.JS doesn't have common view of private keys yet.
|
I've digged into the second issue. Node.js in crypto.getCiphers and crypto.getHashes filters ciphers and hashes that are not fetchable to prevent some internal OpenSSL algorithms from appearing in the list. But some useful ciphers are not fetchable as well. I'll try to understand how OpenSSL does the same filtration. |
Ok, I understood the reason of the 3rd issue mentioned by me earlier. |
I'm leaning towards 'no'. It's irrelevant for normal users (and won't work until you install the third-party GOST engine) but it increases the attack surface in openssl's TLS parser. For background, GOST was removed from openssl in 2016 (and moved to gost-engine) because it had fallen in disrepair. That's not very encouraging. |
1). Gost TLS in gost-engine doesn't work with OPENSSL_NO_GOST. Users have to use stunnel as a TLS proxy. |
I'm aware, but I still lean towards 'no'.
That's not quite true and it's the reason I'm -1. A non-trivial amount of code in openssl's TLS stack is involved. Grep deps/openssl/openssl/ssl for the define and you'll see. |
Please let me explain. Indeed, without OPENSSL_NO_GOST cipher descriptions are added to |
The cost/benefit calculation here is "what are the risks?" vs. "what does the average user gain?" The answer to the first question is "non-zero" whereas the answer to the second one is "nothing." I get that some people have a legitimate interest in GOST but they can build from source. |
Could you tell me what risks do you mean? If there are any, I'd like to fix them. |
There has been no activity on this feature request for 5 months and it is unlikely to be implemented. It will be closed 6 months after the last non-automated comment. For more information on how the project manages feature requests, please consult the feature request management document. |
There has been no activity on this feature request and it is being closed. If you feel closing this issue is not the right thing to do, please leave a comment. For more information on how the project manages feature requests, please consult the feature request management document. |
What is the problem this feature will solve?
The fix for #15113, #24234, added support for crypto key objects, but the issue notes that "Loading keys from engines is not supported yet.". Later, c2ce8d0 (see #28973) added support for loading engine keys specifically for TLS, which means that the requisite calls to OpenSSL had to be added but only for
SecureContext
objects. In the interim, this code has migrated over to crypto_context.cc, but it is still exclusively associated withSecureContext
objects, meaning, I think, that it is still not possible to use the lower-level cryptographic primitives of thecrypto
API with engine keys.This impacts node.js downstream libraries, by requiring that applications handle exposed private key material to, for example, construct JWTs. See Azure/azure-sdk-for-js#22011 and octokit/auth-app.js#336 .
What is the feature you are proposing to solve the problem?
I would like the API of #24234 to be extended to support loading key objects from engines. This should be, I think, a fairly straightforward refactoring of existing code.
What alternatives have you considered?
There appear to be no general-purpose, viable alternatives that do not require exposing keying material to the running
node.js
application. It could be possible to specifically modify https://github.com/auth0/node-jwa to reach around node.js to, say, contact anopenssh
agent for PKCS#11 services, but this is much less preferable to just allowing the built-incrypto
layer, whichjwa
already uses, able to load engine keys.The text was updated successfully, but these errors were encountered: