New issue
Advanced search Search tips

Issue 695759 link

Starred by 10 users
Status: ExternalDependency
Owner: ----
Cc:
davidben@chromium.org
agl@chromium.org
Components:
EstimatedDays: ----
NextAction: ----
OS: Linux , Android , Windows , Chrome , Mac
Pri: 3
Type: Feature



Sign in to add a comment

Chrome does not support certificates with signatures over SHA3 hashes

Reported by pzbo...@gmail.com, Feb 24 2017 
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.54 Safari/537.36

Example URL:

Steps to reproduce the problem:
1) Find the list of algorithm identifiers published by NIST for signatures over SHA3 hashes:

http://csrc.nist.gov/groups/ST/crypto_apps_infra/csor/algorithms.html

id-rsassa-pkcs1-v1_5-with-sha3-256 ::= { sigAlgs 14 }
id-rsassa-pkcs1-v1_5-with-sha3-384 ::= { sigAlgs 15 }
id-rsassa-pkcs1-v1_5-with-sha3-512 ::= { sigAlgs 16 }

id-ecdsa-with-sha3-256 ::= { sigAlgs 10 }
id-ecdsa-with-sha3-384 ::= { sigAlgs 11 }
id-ecdsa-with-sha3-512 ::= { sigAlgs 12 }

What is the expected behavior?

What went wrong?
Not supported by Chrome's crypto stack.

Did this work before? No 

Chrome version: 57.0.2987.54  Channel: n/a
OS Version: OS X 10.12.3
Flash Version: Shockwave Flash 25.0 r0

Comment 1 by rsleevi@chromium.org, Feb 24 2017

Cc: agl@chromium.org davidben@chromium.org
Components: -Internals>Network Internals>Network>Certificate
Labels: -Type-Bug -Pri-2 -Via-Wizard-NetworkDownloading OS-Android OS-Chrome OS-Linux OS-Windows Pri-3 Type-Feature
Status: ExternalDependency (was: Unconfirmed)
David, Adam: Are there any plans for this on the BoringSSL side?

I'm marking this as all platforms, but here's the status:
- For macOS, either macOS would need to add support, or we transition off using macOS crypto APIs. So ExternalDependency on macOS, or on moving off macOS Security.frameowrk.
- For Linux/ChromeOS users, either NSS would need to add support, or we transition off using NSS crypto APIs for certificate validation. So ExternalDependency on NSS or on moving off NSS
- For Android, either Android would need to add support (via Conscrypt), or we transition off using Android crypto APIs. So ExternalDepedency on Android platform or moving off Android security APIs. For Android security APIs to add it, we generally need BoringSSL to support it and the Java JCE provider APIs to expose it.
- For Windows, either Microsoft would need to add support (to CNG), we'd need to develop our own CNG provider and inject that, or we transition off Microsoft's CNG/CryptoAPI framework for certificate validation.

So marking it P-3/Feature/ExternalDependency. I don't believe we'd want to partially transition Chrome on its supported platforms due to ecosystem risk.

I'm ignoring iOS in the room, but iOS fully uses iOS Security.framework APIs due to WKWebView and there are no plans to change that. So iOS is fully with Apple.

Comment 2 by marcuskoehler@chromium.org, Jan 15

Labels: Enterprise-Triaged

Sign in to add a comment