~apreiml/hare-tls

[hare-tls] Status Update March 2024

Details
Message ID
<0f7a9976-db09-4ce1-959d-b937216f1c20@strohwolke.at>
DKIM signature
pass
Download raw message
The encoding::asn1 module which includes encoding and decoding support 
has been upstreamed. ASN1 is required to parse the x509 certificates TLS 
uses for authentication during the handshake phase.

I did also make good progress on the ECC front. Yesterday I've sent 
upstream patches for crypto::ec, which contains the necessary elliptic 
curve operations ported from BearSSL and for crypto::ecdh to the 
hare-devel list. The implemented curves are p256, p384 and p521. Many 
thanks in advance to the reviewers! If those are accepted, porting ecdsa 
should not take long, since I already have working code that just needs 
to be polished.

ecdh is a key agreement protocol that TLS requires during the handshake 
phase and ecdsa is required for handling x509 certificates. Since for 
example all certificates in the mozilla trust store use either RSA, P256 
or P384 for their keys.

After ECC is done, I'll continue fleshing out x509 support, which will 
be parsing and verifying certificates. I've forked x509test [0] and 
added `zert`, the x509 cli tool in hare-tls as a test target. I'm quite 
happy with the result so far. A bunch of tests are passing. Many are 
failing still, but I need to check if they apply to hare-tls, because 
I'll omit some of the features that are not strictly required for TLS 
(for now). Later on I also want to support the x509 limbo testsuite [1], 
which looks neat at the first glance.

If ECC is done in a hopefully not so distant future, the only thin left 
is work on hammering down the crypto::tls API and finish implementing 
support TLS 1.3 as a start.

That's it. Until next time.
Armin

[0] https://git.sr.ht/~apreiml/x509test
[1] https://x509-limbo.com/
Reply to thread Export thread (mbox)