~apreiml/hare-tls

A work in progress TLS module for hare
foreach at some places
make it compile again
remove upstreamed genoiddb command

clone

read-only
https://git.sr.ht/~apreiml/hare-tls
read/write
git@git.sr.ht:~apreiml/hare-tls

You can also use your local clone with git send-email.

# Hare TLS

A work in progress hare TLS module. It additionally contains all the crypto required for TLS that is not yet ready for upstream. Notably:

  • Elliptic Curve: ECDSA for p256, p384 and p521
  • PKCS key format
  • X509 certificate handling

None of the code in this repository is ready for production. Use at your own risk. The API design may change until it's ready for upstream. The TLS module will break and leak all your secrets. In fact, it will sometimes log them to the terminal for the sake of debugging.

Updates regarding the API and notable progress will be posted to the hare-tls mailing list. Bugs may be submitted to the tracker, but note that the library is currently in heavy development. Only submit bugs if you also describe how to reproduce them and they are a major blocker to your current use case. I may shift my priorities accordingly to tackle them first.

Currently only ED25519 server certificates are supported.

# Roadmap

Rough roadmap. The order may change, or items will be developed in parallel:

  • [x] ASN1 DER support (done and merged upstream)
  • [x] Minimal TLS 1.3 client w/o cert verification (done)
    • [x] Only one cipher and key exchange method (done)
  • [x] Minimal TLS 1.3 Server (done)
  • [x] Initial API design (done)
  • [ ] ECC:
    • [x] Curves p256, p384 and p521 (merged upstream)
    • [x] ECDH (merged upstream)
    • [x] Key generation (merged upstream)
    • [ ] ECDSA (verify: prototype done)
  • [ ] x509: Certificate Handling
    • [ ] Parsing (refactor in progress)
    • [ ] Verification (refactor in progress)
    • [ ] CRL
    • [ ] Generation
    • [ ] CSR
  • [ ] RSA-PSS Sign/Verify
  • [ ] RSA Key generation
  • [ ] TLS 1.3 (API refactor pending)
  • [ ] Flesh out missing client parts.
    • [ ] Cipher Suite
    • [ ] Key exchange
    • [ ] Signature verification
    • [ ] Failure mode tests
    • [ ] Conformance tests
  • [ ] TLS 1.2 Client
  • [ ] TLS 1.2 Server
  • [ ] Add support for required ciphers, signature methods, key exchange methods
  • [ ] Further add missing crypto bits targeting Mozilla's intermediate compatibility