Add OQS to libnss (enabling loading quantum safe certificate into Chromium) #92
Comments
|
@baentsch do you have any guidance on this? |
|
When running oqs-Chrome from a terminal, this error message is emitted when loading the cert above:
This in turn to me means that Chromium uses (NSS') PKCS#11 API (store?) for maintaining certificates -- and I'm not aware of anyone who has begun to OQS-enable NSS, so a rejection of an OQS-cert seems logical. @xvzcf, @dstebila, @jschanck : Does either of you know more about NSS (an OQS-enablement thereof)? Do we know anyone at Mozilla who might be interested in this? And if NSS P11 is not the problem (to be determined), does anyone know what's implementing that API for Chromium? @tylerleblond @taylormadehdz : Can you share what's your use case for this? We always only intended Chromium to be a demonstration, not a full-feature OQS browser integration -- but if there is serious interest, someone might look into it. |
Answering my own question: Looks like it's really So, indeed, it seems OQS-cert import won't work in Chromium until (lib)NSS is OQS-enabled. Nothing |
|
Would there be a way to use a different lib for maintaining certificates? Our use case is to migrate a chat app on one system to make it quantum safe for prototyping activities. @baentsch ... any other ideas for workarounds? |
(OQS-)OpenSSL handles QSC certs just fine -- but then again, chromium doesn't use OSSL by default for all I know -- although there seem to be historical traces of chromium being able to utilize OpenSSL...
Loads -- but I'm constrained by not knowing whether you're free to chose the chat app to QSC-enable. If that were possible, why not look for one using openssl as transport? Next idea: Why not completely do away with application-integrated (QSC-)confidentiality and use (oqs-)SSH instead (obviously only works with a-priori known chat partners)? Third, if for some reason you are bound to chromium, changing the cert-storage to one based on OSSL may be an option -- but that may be convoluted: I never checked all chromium cert-interaction points in that regard. But then again, I don't understand why chromium uses PKCS#11 for server cert storage to begin with: Normally, one would only use that for client certs... Simple file-storage (with a validation layer) might have been sufficient.... |
|
Okay we're pretty set on using Chromium... Here is the sitch:
About cert-interaction points:
|
I'm not sure I understand: The CA cert at the OQS test server is plain, boring classic crypto: You can create such cert (incl. private key) yourself (and subsequently import to HAproxy, Chromium, whatever). Also, you can create CA-signed private server certs (of any kind, incl. QSC) also yourself (e.g., using the oqs-curl docker image): Why would you thus need "our" server certs?
Yes (after mod'ing the source suitably). Just takes a day -- or a good many-core machine :-) |
|
On it :) |
|
@taylormadehdz : Any news on the above? I'd further suggest changing the title to "Add OQS to libnss" (tagged as future-work, help-wanted) |
baentsch
changed the title
baentsch
added
future work
|
Like #52 this issue is due to Chromium not using openssl but libnss for certificate management. Until there is wider or |
|
Hello, I just wanted to reopen this issue since @taylormadehdz and I have plans to try and adjust NSS to accommodate for PQC certificates on Chromium. @baentsch, since last year have you heard of any developments to updates |
|
No, I'm not aware of activities to add OQS code to |
|
For OQS in NSS, I'm aware of this. |
Thanks for the information, @xvzcf ! I'm not entirely sure how to read this: Is this an integration of the OQS APIs (that would enable PQ certs, too) or rather a Cloudflare-specific code integration supporting their x25519_kyber768 KEM (only)? If the latter, it doesn't help this issue. If the former, would it be helpful/possible for @takao8 @taylormadehdz to contribute there to move things forward more quickly? |
|
The PR indeed does not involve liboqs, but Robert Relyea in that comment stated that he's |
Absolutely. Do you know him/could touch base with him? Or do you know his github handle we could post here to get his input to this discussion? |
I emailed him. |
|
Since Chromium is using its own root store, you may try to hard code your root CA into the Chromium source code |
Thanks for the pointer. How would this solve the issue of quantum safe server certificates/chains not being verifiable in Chromium, though? Isn't |
The webpage I linked above explicitly mentions So I think if the root certificate is in Chrome Root Store, then In PR #210 , we provided a way to make Chrome Certificate Verifier able to verify quantum safe server certificates/chains. |
|
@xvzcf @baentsch Should we close this issue since Chrome is using Chrome Certificate Verifier and Chrome Root Store now? Especially Chrome dropped libnss chromium/chromium@9942b74 |
|
is there a new issue recently with acceptance of CA certs in Chrome 124.0.6367.91 |
Are you importing a CA that uses quantum-safe algorithms? If yes, then this is expected. |
|
For those seeking a fix who find their way here. This appears to work allowing Chrome, and VsCode etc to respect the CA:
|
Thank you for the update! Could you update |
Hello,
I am currently trying to use the quantum-safe Chromium (0.5.0) build as a client to connect to the OQS haproxy container using its default certificate generation settings (the default signature algorithm used is dilithium3 according to this page: https://github.com/open-quantum-safe/oqs-demos/tree/main/haproxy). I tried to load the CA certificate from the haproxy container into Chromium but got the following error:
I have verified that I am able to use Curl with this certificate for authentication to access the haproxy, so it is not an issue with the certificate.
It appears that I obtain this error when I try to install certificates that use quantum-safe digital signature algorithms. For example, making use of the OQS fork of OpenSSL contained within the Curl container, I run the following command with <SIG_ALGO> = dilithium2, dilithium3, RSA, and falcon512:
docker run -v
pwd:/opt/tmp -it openquantumsafe/curl openssl req -x509 -new -newkey <SIG_ALGO> -keyout /opt/tmp/CA.key -out /opt/tmp/CA.crt -nodes -subj "/CN=oqstest CA" -days 365The certificates that used dilithium2, dilithium3, and falcon512 failed to load, but the certificate that used RSA loaded just fine.
Any help is appreciated!
Here is the certificate that I grabbed from within the haproxy container:
-----BEGIN CERTIFICATE-----
MIIVejCCCIWgAwIBAgIUAepY4WbwHzFTZHk5LX1YZEhPzzcwDQYLKwYBBAECggsH
BgUwFTETMBEGA1UEAwwKb3FzdGVzdCBDQTAeFw0yMTA2MjIxNjAxMDdaFw0yMjA2
MjIxNjAxMDdaMBUxEzARBgNVBAMMCm9xc3Rlc3QgQ0Ewgge0MA0GCysGAQQBAoIL
BwYFA4IHoQBVwCWhM80rjUCbrPOId2aPoiV3mfNDQoNXvieqvCCCRAz8HQUNLfY5
jlLC74xCSXOTY802dlLx/B3d7yeddNTTCnyk8PDVBRRrcobru7xQ3DiEX1rlD6fU
u8XD+YiHRcAVGkJ+O9TA4Tcshgj2J8DIUWNVFoiiAnkv0OnRAf+BmO0pVv11b0kK
oszV8ldDSwKWyEFRZZ/eKGTx7j/DNLlCkk6j8ybHr1m5G9el0FhzmL0IZ9ShFZby
ffEYgYNPRAo+HZb6S5y9cjP7Xj7VRhjQ5Y6+Y5zJaw/0x4dtCHSsOrftU+eaEHSi
irqZjf5HJhwHz9srgcJe4kbKNrzlmY2Pvx5f1tVLLm3LfIv1i6uUkvI+SjbRPrIv
UsTZQk0r40krWk7LJjhFuweyjbyrVQFitfZRmKOazm9em4Gvkxg1FUiuZW2MnVYD
8SohlUocrj7r34asbD8OLL+E35gasgUKdGZiCdVFjL8USuMRPekslbSLan7qs5yz
fwoAZjT5mWVWLJtrwXD4gH0dSllUnAcxxsf2eEeot2wOeaSs7l5DWnBgts/blpXn
mKZxx+GBFU/18zxfytl8n2qMD3BduEJRVVUrug1lNhjjMl3lkDuRHzkemkBCTFwg
aCs7/NqVBPsL0g8HE+sokml84cRoHNFPzOEcnTo/5iLBRiLfhWEC6vS+01f3EC+L
Ozi+TzZiiwiTIJzY1tJWgp7tM5WFXsWeIVfk9IPaDZbsfus9AwAiAOQJbkOan6Zx
ePMwTdYo9NKYBuw9ckzcOk2sY4QfhFYx2c25kGxDZkVGVzRQ9VLfKZUANgBr0fGv
GLpVlgSYMv+8hGB/iVJuQ6sEl7jI7AmSxKIDYrjbEEeVHP9tvew7EuMhJr2s4M5n
yjVj+bRKFz/eyGphm1mDU3iuYE6s0LWH/Ayqdl7yZ/hLvu7yPRLGzgADRv7jZSYl
mNzCCQM/HGh103wUOGbat8zSqYBKiC6i7clyLEmXQnmiFR0ZoFxnL6qteXjLLffj
vReD8WWn1mC/2BheJfTpWg5UmzJhIPUHk8gXCRKS6SYo2MvrCxvQb0Y1SHbb3s1V
n5nMjO+6Doz7yb0SdWNtR9p1I/fOyn/jD7ZLSZtsrMuPF/6l/kUGTwwXkPCuwyC8
fqC9AuakY1CwcFodFLOukzrdHAD3rhkk9CSgfHVoIgK5SYhZ8FoNri5V9W1rN/dG
yYjrHJFHxcWc9L1dwzvbWhhf3EsFZ0/4urmwAJjNFsc/aTkyrEc1km6MZxLmgurA
BU8sAL2qSlZDnQQ0VDdFzvz67wGNGJvLy71czsGWbR6HAq/E6bYmtDC0vwYvmPsS
kc5tcQzFLdwW2jTGmRXKRwAoQhSFAc1DnAUsMO1N8oT5Azbaw98yXEBehslCXglN
idrZs02U13xk/UkZbvebREuuY/fX6o5eXcENdy0di0tTEeNk3wgbaSSVtlGaOTOX
7i+8+n7rWGXVsPESkifmDyJPtHyQ/w5sZKRImKFdRw4HzyBkBQeJT8u7auVdm1Os
BsXoasK704TE25zHYzX1yRmOac9Z7Lw7rXC0mXFqPaibow0zBtZsyCyutL9lYMw6
lFjY0VmKpy/2OMIDyR7mz6WN6dcPbSaRU4/qYJ3PwW0LTyeo7Kmmai2VddcPq6Mq
1/PJhD0EuT0+s3DmVNO1Lr5lTulefBAHX8OKaRXydP5YIQ/jkr4UqApQw1vBUYP2
D31FwPO0UjcuQ7+REmfO8amUiVhJSKLncusBNSraKVTdo3zZo3mk/JY6zu+nv0fb
GXU3WSBOC4/wMs1hjVvfWLzvwgg9RM5f64SEFv7XGqjw06wNmTvua+moQi1eVNib
RPsNRKbTSdC2czq4zDZQ6XjZMRBMLnQ7DtoLxVweRn9woE75JhaDXlkJxLzU2roK
B8vlmxJ2B54VfVjo7q3LWttBb3dSovWJoIZ5MdktnV0hp2XSGHpzE41buydO4FpY
ElK4ckYieDRqkbdthOKIEdYNlGZFlJ1WauHpQBQyFsoOiMom4m/WcmxYkqVst86i
Jlbi8EuDXxSmpa/hTZj5PPhFLZuS5eSr1QInXY6SKMbD2/jDDdY5JBethv/kBZpP
g1NPe4bgXeJFLykQQJCApJSIaHrQFxytQUZdRWQy0AUQD6nxJ/Efu3GE7/SXnj9h
YzkHvqpCA9Biqs7qHCZhkTcTxKm9l8WQC4rEGcBPVzC1g5YIlGXa3N1SM0xNXYmP
qvIDXHZjEleVK8JuaB5YOT0SrazEpMmKckz0Vge1bB+dB3Rk1aB0xuFzoFNJbTx7
gahzZm0zcDRDkzAvEoWY6i3y94iP3/ewtlRefNdQRUc5av7+6dXSjisEF0ViPFIL
vTLTK9zhB7gRRa+yjDNP/xyUMfFOGTfzt6Td4JrW6KZnO3rm1tVD76SswsU/zPIA
IdZKjXo9UF62hiMnKTMfBYrgHTWpcdigF4eeTba0Q77cI3y2xGJr6BgDz8Chi/d4
TFH3cYyWoWGuQBPQgf2ScXUSD18pdhayQzpNe83b4erO9VUZGll6K3n53cQ7u5E1
ZyhW9heZALys3oDy7x9qjh5cA+G9GXsznfVpaZ4bq99wXo0Pbvh8DqNTMFEwHQYD
VR0OBBYEFOw5eLQtwcOYb/rCxX1quad/8ukdMB8GA1UdIwQYMBaAFOw5eLQtwcOY
b/rCxX1quad/8ukdMA8GA1UdEwEB/wQFMAMBAf8wDQYLKwYBBAECggsHBgUDggze
AAskMXI3a713Z6OrJMUd4OQd8g5RZ/oEnlgtOSpVhGVfPhfgEecFiCEiPQ2UZcHJ
4QK1/YtMbiFxPhXrZzsyUE3d/+dQhpu+jpgvlFwX3RCVSS9KMZeuA/ypVI6VetV+
MbDlUZib9NQBoUeO9H4Ni4WEOLFg0PZ8+dOcBWhk8NrUZI4I03NXTovHZNVkFhbw
J3yq6R4QNxaHB8iSK+KZ4CtOdpC/vuwxsSQcw5izFF5qHg2M+aYMzMkZIybUIlzw
Bbdg5aaVMlOsBd4k7nNLvPOyLTNKj/StDF+TnzCPaauIvnglfBqyUfLd0giJWwUL
IZ8trHZDPIBYHzHfCBZXSRJNRrLJKCoWmmJs97SBolpIrYiHLEQqy2PqROt+uXyL
fjSA95G71Inb1ULOBt6QvycN4rt/Lksg2CVF5SE2IhTYhpdytv9F6ZkMgHkfLdn/
lNtu81sMcaIe5gbIg53fqWwsmaDgAos+snXbocyuWzswE1BHQA9u7DeklIBh9JBT
b+MHLnp1r5UT0xMM5pk44j/5ITOXC5CeD+XD50IygoWrwbwR4jSNj0QCji8U4mV/
8qvdLhgFJPxuTWRwJCf1CrgWl8RBqAJtIAdCUiEvqGP77emuGeKoNV6qCv/uaegc
z/I74E8G50ztx4+KhhpMNLIoh7uU3j3/PmC8ZqGidGz7QN+W2gz9UGLw68/fI+al
c82iG0E4I6T0TqPT3oJ53WImCAK9hFyAQyd272+StbVLjcqRkADhUTbyYTqdHVau
WfOiCqC1vHse4qQt4uEPA5A18gMrwbrYFsaaPjp0ws8KPu72z5cD96qDJkxxP5DB
YDlb0352iElhsWRGoBlyT6QE9Nh+pGN6ynka6ExmRmXkv1M7DemKrEIO1inZalnG
uiZ6wXME6xPj3teqZz4GePUlqrqNGtDl1AhJQNiPBXaZzxnEn2xCpp3RhWxDeFYq
xurE6oPPMEZ2jltCv7lXvIxhewKVqguk6Htb6cPtyYfkDZWaZHX6VrRNiqxCFEkJ
jkt/JmKFkijd0Zx0vlVKFNKLm7ptRzWyWPG+Mk9cOmKDdnP0Jkl78s/I5HflVCUG
t/mPCbepsQLmHPzzSSaxTIIb6iEsIZxkuKonA00O7ZwuskBpVEFre6GeL2yULIEh
vcJWgNWJwwUczKsByr5diI4vwn0rRkBx1MsNwJHJ+zAGhgtT6IsvkK7g6+lRPebJ
XYWT9UkdD9Q8DvG20pkidFhL3VL5+JtITnOO8cKp41ZlpPP/7F0K5cf75AI9A/qy
o2XLXp7jv4kmoHsNOBledlk8BHPajLn8XJB+jx9Y0dsRVPmqDOJbpi/jMuRGJxo5
ObG6SzTXAD9ulcqcueQ+5hzAi7zAflxIUQ9iZ02ODYuM9eBU067pFnkCiuQJfPm/
y5v4RB4BE+6Sjc5Ymoti+wGYLXOGUJe2ls1GKaNTZZJnlf5XhnJ1SXtV0B+339gC
sxauyXeVlcBfc6Ug4kOuICZBkVqJux9FMAR8lEsMttmRNIA8UkBFtxnYAXnBKrgg
nF3mdHvuHQmsO4bLg36Kqgzza77ZNxX0Ggq/w60Eq/fOET+jk258OtHEvIglRH9L
qitOGA9QXJuJ5cm2XV9W+J+gjwMiRh2ZhjjqUHYZYUFI28n0J5Tdn3XLOVUxv5l1
Q6/T5XjDZEovqRr84+4GHBGN8HnXtMB/g6JuUwqLgsHiif6cLsMTDFtbxIhAL1j2
hKOTk9JfZ7lnJIA+LTEWrflHeSchICJUa4ZoY5jOnXVWBLq2ZlpgMVwiC4wJhcGq
2c0uAoxCKDiZIwcaWkEoVHP2CJFk1+vs19m2DVS60+mtG+2w+b+oqpBgtRcKT8wK
3BMOGJgkAau+XkCvJsK7gX57igBlM9xFRueCaedRWFBmNQ7LbesjDbUn825Whoy4
WRuBuPLgz6loKu1n96sog9kmZRjF3kmZyf5Y/zatpymvYaEIJgoob1AVwYnvmm4N
YZi7dZKOY9BHHOPYC6dnw/i+73aodeLhMCdc4PANgmhx4PC+hfmBZSzgFgM4g3E9
vBjZ26lxCMmVFHvNkA40tWr/xvFH8sF0TE3aCJojaZdMnxslKAS0Squh+EXJLwS3
WEuK/k4L30/KwxiQXgoieXQfPOXPaj5KCK/bmlrHU/auap/n08UmdoIC6mLb/a3b
Pj/+TMgiqTMf+IiFJPqAoJvFIq9TjlL1BwWRuR/mr81+xhlWcY5faNgPC8As9zlR
dq1Z5XyBqgJ92ctiaP1CkeQvda6fA03bLh0noiXbLC6rKpjunGgMpyozeZIxFhgS
WM6NWLYcfun5jbiFQWB/eCDXySZTq6uxed+Un9RdihNy7pTe50TUTBTBx6pNYVqA
pk6iCT5MUCeHfKZInMKsVBEeIe5HCd89rJ7qQN6eh3grDYrg2sR4E4O2MeFUoJYw
ID+zjqqtbi6yj5sKZSMtxvQuFgt6Ud/L654eaIFDUT/yPCliBDEhsia09osoS3wi
ChQPgD7M/enTPxMQWd1mltmFswHA9zj8WInMXeJPK1G6Z5yTw4fTKDT0w5k4onqj
h2n97K41pEUsXTxkghptyRcyWkr85rHEoK+HITmkwMD1CGXklw/ETrrnNU+/1xmt
5MKiU9qsCZfDTzVeBP/RooKpd4YrSYFMugbmrRfPFNM/gwNFwycD5xlKQ5NkEDsb
Q86ImNXJdXdWqrHX3Ilb9eSSzkl1wSR2ollZLZ7BjDb4fUvuMHNt4tNK3YOCvERx
yNw+NxPnP7KWBKVGrt/23Nq4GeXn1QbfMsq07GzgMTWMaSezcXHpq7gsME9oD9fy
mc528pA8osHv5ug1hbUpohiEi/ynf2zZ7lZs3wCv5kHKnHsge+zP430/EwGiFhHe
cV1xPdv5OgYi7QtJJkcp9gJ4ifa3dREN3XsDXhNFQFmBCO4xvFgM+96SLhpVztZN
R1zWzPwTKJz4WXGNVhilmQALYXYyC+jGaL6ouJGM4xEN1/0WW9m7dREqOVFRzcbz
Px/3nB5Y/XQLb+aWutmMiMPt60C3U2lfqdmPBMNa7Mmw9zOxO5Rbp5OBcHB82yTJ
GH4yW77v7NXHmGn5zTzHjsATP6/opz/pHAc2i/uft7zN4AtQJ3ecik5/hEIM+2CD
N4SpdcG3+ZGfHLXQhrW+bSR9hFm+3xSzDRFb9rEyHCKBC9eUZgtyzXL0/vJN5IvC
0Wv6vjIU0b3eO2/2uzlNwxSFxKwx5y49kphY1srVtyFDyhXRpi76U3p4e8CZ2rJZ
kI3MtQpy51PHwx4Yv7emb4kHEAGOF/WGxu/2UGk1boSVFcmKe4lWR1xEGMQC16UD
aYVM7E0iTxtqG0gqkpsNfVcxFjHP7ygQeYFF65coq+i4cbSUIcta0RCAWqNGiMdz
BQuOe7mv8+byzFR0rltu5op7AViIRx5afWGEI3SBaOabLIm6B5VKke0ueqtkL2Ey
dQ6Y/wb37o0CCPzKJRIHN74OCaA0VhvD89vHumQCaI3EgQZmw0MY/87wvMN+DqPn
gLVDAXHGOdwq8uHtkyYdNvWCd6KOgrFoAAk4Z3NdcQRgKjuZ4iklaRHseHbI8b3D
DiNWF7De1BnzRKXB4osrFvn2yjW1elMuu1MhUPqyUrLzIvk3nmTGGoCY/3GI0/vM
vr8td39pa6Nw4A07wFAe9IlX3pcBbXy1nptx3fVwTnA+kq2MW4eLzUIZ4dIycNx5
PdGO6fCXvB8ifJ4Ng4GhznZYoWuYwrro3KhE4YGaTc0oIQbwqFFSJ/KIQ46IZhNy
KCHYuXmj6pG3UulyrgME/cRTKWL+SVff8RguHXMTB2HU46lB6KbI/ZwyEaK7aD36
N21SW1hMjeBwErZZVC9v61tXeRDVVDrjA9OvgopwIkhkl13n7GC5HTNZzw+sM3Rr
RthrYTCoST3XfQ/J/Wuagga5Gm+4g9VQS3IaCQen+3ETJn5HtiKYcWcwlc/Mf9rg
u27Zg1SZ3F4Nq/3FN0LN8FMGbqODDQck4Z0rCeay3kj4pjW5J92AwfJU3/5Rlolm
SyOwX3hQhV0jTVohC2lchILpb/ol6VlUeI1hhyQzCrshlKSJy7r2ntTLqtxKlB43
RuQ5l8lbNyH/XAfMC6xmV44VsWcZ52mP1ugIO7ifTU1UZyPtfhG9K380tG73Ymqi
FqucW6G7j7VF5Mr7mq3bSPcYHAX2yQjEZbI31wH/31Lp9S/kRMgZqgrLr7vJg5Pd
aK2T8E3ujsh/uO8MEuIs4tcf7EVhwZ7kIgrBMMMRGqx9fXKELyyHv5vwFGNSRjT1
n8jSJAfJ3ItBo1HX1N40yRIkMnGaorO33fMqhJTC2Py2wlJajJOY4LE0Pj/j7wAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACQ8RFxgd
-----END CERTIFICATE-----
The text was updated successfully, but these errors were encountered: