Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

New MLS ciphersuites #3964

Merged
merged 29 commits into from
Apr 24, 2024
Merged

New MLS ciphersuites #3964

merged 29 commits into from
Apr 24, 2024

Conversation

pcapriotti
Copy link
Contributor

@pcapriotti pcapriotti commented Mar 19, 2024
edited
Loading

Add support for more MLS ciphersuites:

  • MLS_128_DHKEMP256_AES128GCM_SHA256_P256
  • MLS_256_DHKEMP384_AES256GCM_SHA384_P384
  • MLS_256_DHKEMP521_AES256GCM_SHA512_P521

The latter is not yet supported in openmls, so it is currently untested.

https://wearezeta.atlassian.net/browse/WPB-7169

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from e934b61 to 36b32d8 Compare March 19, 2024 08:56
@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Mar 19, 2024
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from 5345f8f to d90d76c Compare April 5, 2024 07:57
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch 4 times, most recently from 7e39139 to 9a43d6f Compare April 17, 2024 08:44
pcapriotti and others added 23 commits April 18, 2024 14:01
@pcapriotti
Add one ECDSA ciphersuite
6897079
@pcapriotti
Fix ECDSA signature decoding
7092d8a
@pcapriotti
Create test clients using correct signature scheme
715b464
@pcapriotti
Fix unsupported ciphersuite test
8b70a63
@pcapriotti
Create one mls-test-cli store per signature scheme
7fbdeb5
@pcapriotti
Add MLS_256_DHKEMP384_AES256GCM_SHA384_P384
42be3bc
@pcapriotti
Add MLS_256_DHKEMP521_AES256GCM_SHA512_P521
83c7024
@pcapriotti
Fix secp384 signature verification
5edf7e7
@pcapriotti
Fix x509 credential validation
2d53be6
@pcapriotti
Update mls-test-cli to 0.11
0ea3ba9
@pcapriotti
Turn TODO into FUTUREWORK
8765f37
@pcapriotti
Lint
4ae9527
@pcapriotti
Add failing test showing incorrect backend signature
312995c
@pcapriotti
Store private keys for other signature schemes
fc206de
@pcapriotti
Parse ECDSA private keys
d460684
@pcapriotti
Encode ECDSA signatures
353a228
@pcapriotti
Pass removal key correctly to mls-test-cli
a2217e8
@akshaymankar @pcapriotti
MLSKeys: Move from maps to records for config and public key endpoint
4331018
@pcapriotti
Adapt to MLSKeys changes in galley
f8ba2b5
@akshaymankar @pcapriotti
Move GET /mls/public-keys test to new integration suite
e2d1199
@pcapriotti
Remove SignaturePurpose type
8dd6504
@pcapriotti
Add golden tests for MLSKeys
4682e10 
The JSON files were generated using the code before this refactoring
@pcapriotti
Document new removal key config options
9d6672c
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from 89e05c7 to d670a4b Compare April 18, 2024 12:24
@pcapriotti pcapriotti marked this pull request as ready for review April 18, 2024 12:25
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from 81e3bee to ec3377e Compare April 18, 2024 13:24
stefanwire
stefanwire approved these changes Apr 24, 2024
View reviewed changes
integration/test/MLS/Util.hs Outdated Show resolved Hide resolved
integration/test/Testlib/Env.hs Outdated Show resolved Hide resolved
@pcapriotti pcapriotti merged commit f57321b into develop Apr 24, 2024
8 checks passed
@pcapriotti pcapriotti deleted the pcapriotti/new-mls-ciphersuites branch April 24, 2024 12:14
pcapriotti added a commit that referenced this pull request Apr 25, 2024
@pcapriotti @akshaymankar
New MLS ciphersuites (#3964)
eb2d182 
* Add one ECDSA ciphersuite

* Fix ECDSA signature decoding

* Create test clients using correct signature scheme

* Fix unsupported ciphersuite test

* Create one mls-test-cli store per signature scheme

* Add MLS_256_DHKEMP384_AES256GCM_SHA384_P384

* Add MLS_256_DHKEMP521_AES256GCM_SHA512_P521

* Fix secp384 signature verification

* Fix x509 credential validation

* Update mls-test-cli to 0.11

* Turn TODO into FUTUREWORK

* Add failing test showing incorrect backend signature

* Store private keys for other signature schemes

* Parse ECDSA private keys

* Encode ECDSA signatures

* Pass removal key correctly to mls-test-cli

* MLSKeys: Move from maps to records for config and public key endpoint

* Adapt to MLSKeys changes in galley

* Move GET /mls/public-keys test to new integration suite

* Remove SignaturePurpose type

* Add golden tests for MLSKeys

The JSON files were generated using the code before this refactoring

* Document new removal key config options

* Test public key endpoint when MLS is not enabled

* Fix galley configmap

* Make withCiphersuite exception-safe

---------

Co-authored-by: Akshay Mankar <[email protected]>
@pcapriotti pcapriotti mentioned this pull request Apr 25, 2024
Merged
2 tasks
@zebot zebot mentioned this pull request Apr 25, 2024
Merged
pcapriotti added a commit that referenced this pull request Apr 26, 2024
@pcapriotti
Backport New MLS ciphersuites (#3964) (#4017)
d261683 
* New MLS ciphersuites (#3964)

* Add one ECDSA ciphersuite

* Fix ECDSA signature decoding

* Create test clients using correct signature scheme

* Fix unsupported ciphersuite test

* Create one mls-test-cli store per signature scheme

* Add MLS_256_DHKEMP384_AES256GCM_SHA384_P384

* Add MLS_256_DHKEMP521_AES256GCM_SHA512_P521

* Fix secp384 signature verification

* Fix x509 credential validation

* Update mls-test-cli to 0.11

* Turn TODO into FUTUREWORK

* Add failing test showing incorrect backend signature

* Store private keys for other signature schemes

* Parse ECDSA private keys

* Encode ECDSA signatures

* Pass removal key correctly to mls-test-cli

* MLSKeys: Move from maps to records for config and public key endpoint

* Adapt to MLSKeys changes in galley

* Move GET /mls/public-keys test to new integration suite

* Remove SignaturePurpose type

* Add golden tests for MLSKeys

The JSON files were generated using the code before this refactoring

* Document new removal key config options

* Test public key endpoint when MLS is not enabled

* Fix galley configmap

* Make withCiphersuite exception-safe
@echoes-hq echoes-hq bot added echoes: technical-roadmap/security More specific category, to highlight task that tackle security requirements. echoes: product-roadmap Work aligned with the customer-announced roadmap, targeting a specific release date. labels Jul 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@stefanwire stefanwire stefanwire approved these changes

Assignees
No one assigned
Labels
echoes: product-roadmap Work aligned with the customer-announced roadmap, targeting a specific release date. echoes: technical-roadmap/security More specific category, to highlight task that tackle security requirements. ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@pcapriotti @stefanwire @zebot @akshaymankar