bc-java
Implement support for raw public keys (RFC 7250)
Implement support for raw public keys, as described in RFC 7250 and RFC 8446 (section 4.4.2 especially). Also added tests to validate the implementation. Note that only TLS 1.2 is tested since BC's support for 1.3 isn't finished yet, but these changes should not create any additional work for 1.3.
Just rebased this on top of the 1.67 tag. Also did some interop testing with GnuTLS, which revealed a mistake in the encoding of raw key certificates. That is now fixed and BC works against both gnutls-serv and gnutls-cli using raw keys.
@peterdettman @dghgit This PR has been languishing for the last year and a half. I've rebased it on top of 1.71 to fix the conflicts. Also performed interop testing against GnuTLS, which confirmed the code works as both client and server, with TLS 1.2 and 1.3. Could you guys take a look? Thanks.
@peterdettman @dghgit This PR has been languishing for almost 3 more months since my last comment. I don't mean to be a pest about this, but I also don't want to keep maintaining this patch forever and it already has merge conflicts again. Also, judging from the thumbs-up on my last comment, it looks like I'm not the only one who'd like to see this get merged. Is there any chance you guys could review and merge this? Thanks.
@rdicroce I'm working on merging this now (leave the conflicts to me).
@peterdettman Did you finish merging this? If not, is there anything I can do to help move this along?
As I recall, I didn't like the negotiated certificate type being stored in the CertificateRequest and had intended to move it into the SecurityParameters. If you wanted to make that change it would help me out timewise.
I've moved the certificate type to SecurityParameters as requested. Let me know if there are any other changes you want, or if you want me to rebase the changes to fix the merge conflicts.
I've now merged this. Thanks for your patience. It will be in 1.72, which is releasing shortly.
Note that I cleaned up extraneous whitespace changes and also fixed some problems with the BC TlsCertificate implementations (around sigalg and keyusage).
Thanks Peter! Much appreciated.