New MLS ciphersuites #3964

Merged
pcapriotti merged 29 commits into develop from pcapriotti/new-mls-ciphersuites
Apr 24, 2024

@pcapriotti pcapriotti commented Mar 19, 2024

Add support for more MLS ciphersuites:

  • MLS_128_DHKEMP256_AES128GCM_SHA256_P256
  • MLS_256_DHKEMP384_AES256GCM_SHA384_P384
  • MLS_256_DHKEMP521_AES256GCM_SHA512_P521

The latter is not yet supported in openmls, so it is currently untested.

https://wearezeta.atlassian.net/browse/WPB-7169

Checklist

  • Add a new entry in an appropriate subdirectory of changelog.d
  • Read and follow the PR guidelines

@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from e934b61 to 36b32d8 Compare March 19, 2024 08:56
@zebot zebot added the ok-to-test Approved for running tests in CI, overrides not-ok-to-test if both labels exist label Mar 19, 2024
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from 5345f8f to d90d76c Compare April 5, 2024 07:57
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch 4 times, most recently from 7e39139 to 9a43d6f Compare April 17, 2024 08:44
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from 89e05c7 to d670a4b Compare April 18, 2024 12:24
@pcapriotti pcapriotti marked this pull request as ready for review April 18, 2024 12:25
@pcapriotti pcapriotti force-pushed the pcapriotti/new-mls-ciphersuites branch from 81e3bee to ec3377e Compare April 18, 2024 13:24
@pcapriotti pcapriotti merged commit f57321b into develop Apr 24, 2024
@pcapriotti pcapriotti deleted the pcapriotti/new-mls-ciphersuites branch April 24, 2024 12:14
pcapriotti added a commit that referenced this pull request Apr 25, 2024
* Add one ECDSA ciphersuite

* Fix ECDSA signature decoding

* Create test clients using correct signature scheme

* Fix unsupported ciphersuite test

* Create one mls-test-cli store per signature scheme

* Add MLS_256_DHKEMP384_AES256GCM_SHA384_P384

* Add MLS_256_DHKEMP521_AES256GCM_SHA512_P521

* Fix secp384 signature verification

* Fix x509 credential validation

* Update mls-test-cli to 0.11

* Turn TODO into FUTUREWORK

* Add failing test showing incorrect backend signature

* Store private keys for other signature schemes

* Parse ECDSA private keys

* Encode ECDSA signatures

* Pass removal key correctly to mls-test-cli

* MLSKeys: Move from maps to records for config and public key endpoint

* Adapt to MLSKeys changes in galley

* Move GET /mls/public-keys test to new integration suite

* Remove SignaturePurpose type

* Add golden tests for MLSKeys

The JSON files were generated using the code before this refactoring

* Document new removal key config options

* Test public key endpoint when MLS is not enabled

* Fix galley configmap

* Make withCiphersuite exception-safe

---------

Co-authored-by: Akshay Mankar <akshay@wire.com>
pcapriotti added a commit that referenced this pull request Apr 26, 2024
* New MLS ciphersuites (#3964)

* Add one ECDSA ciphersuite

* Fix ECDSA signature decoding

* Create test clients using correct signature scheme

* Fix unsupported ciphersuite test

* Create one mls-test-cli store per signature scheme

* Add MLS_256_DHKEMP384_AES256GCM_SHA384_P384

* Add MLS_256_DHKEMP521_AES256GCM_SHA512_P521

* Fix secp384 signature verification

* Fix x509 credential validation

* Update mls-test-cli to 0.11

* Turn TODO into FUTUREWORK

* Add failing test showing incorrect backend signature

* Store private keys for other signature schemes

* Parse ECDSA private keys

* Encode ECDSA signatures

* Pass removal key correctly to mls-test-cli

* MLSKeys: Move from maps to records for config and public key endpoint

* Adapt to MLSKeys changes in galley

* Move GET /mls/public-keys test to new integration suite

* Remove SignaturePurpose type

* Add golden tests for MLSKeys

The JSON files were generated using the code before this refactoring

* Document new removal key config options

* Test public key endpoint when MLS is not enabled

* Fix galley configmap

* Make withCiphersuite exception-safe
@echoes-hq echoes-hq bot added echoes: technical-roadmap/security More specific category, to highlight task that tackle security requirements. echoes: product-roadmap Work aligned with the customer-announced roadmap, targeting a specific release date. labels Jul 2, 2024