The encoding::asn1 module, which includes encoding and decoding support,
has been upstreamed. ASN1 is required to parse the x509 certificates TLS
uses for authentication during the handshake phase.

I did also make good progress on the ECC front. Yesterday I sent
upstream patches for crypto::ec, which contains the necessary elliptic
curve operations ported from BearSSL, and for crypto::ecdh to the
hare-devel list. The implemented curves are p256, p384 and p521. Many
thanks in advance to the reviewers! If those are accepted, porting ecdsa
should not take long, since I already have working code that just needs
to be polished.

ecdh is a key agreement protocol that TLS requires during the handshake
phase, and ecdsa is required for handling x509 certificates, since, for
example, all certificates in the Mozilla trust store use either RSA,
P256 or P384 for their keys.

After ECC is done, I'll continue fleshing out x509 support, which will
be parsing and verifying certificates. I've forked x509test [0] and
added `zert`, the x509 cli tool in hare-tls as a test target. I'm quite
happy with the result so far. A bunch of tests are passing. Many are
failing still, but I need to check if they apply to hare-tls, because
I'll omit some of the features that are not strictly required for TLS
(for now). Later on I also want to support the x509 limbo testsuite [1],
which looks neat at first glance.

If ECC is done in a hopefully not so distant future, the only thing left
is to work on hammering down the crypto::tls API and to finish
implementing support for TLS 1.3 as a start.

That's it. Until next time.
Armin

[0] https://git.sr.ht/~apreiml/x509test
[1] https://x509-limbo.com/