Issue 20967 in dart: Using an SSL certificate emitted by an authority should be much simpler in Dart


da...@googlecode.com

Sep 16, 2014, 2:02:42 PM
to bu...@dartlang.org
Status: New
Owner: ----
Labels: Type-Defect Priority-Unassigned

New issue 20967 by fmuad...@gmail.com: Using an SSL certificate emitted by
an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

PROBLEM: Using an SSL certificate emitted by an authority is TOO complex in
Dart. Many struggle and fail to do it. Read for example:
http://stackoverflow.com/questions/25873528/dart-use-ssl-emitted-by-an-authority
http://stackoverflow.com/questions/21685205/how-does-darts-bindsecure-function-find-ssl-certificates
http://stackoverflow.com/questions/25388750/dart-https-request-with-ssl-certificate-please
http://stackoverflow.com/questions/24048258/dart-http-server-and-importing-a-ssl-certificate

SOLUTION: Dart should support SSL certificate management natively,
simplifying and automating it. To do this the following improvements are
needed:
1 - Eliminate the need of external utilities (certutil, openssl,... etc.)
implementing their basic functionalities in the Dart framework. External
utilities are often untested and full of vulnerabilities (see the openssl
disaster for example). Only a google certified and tested library can be
fully trusted.
2 - Provide a single Dart function with few parameters for installing an
SSL certificate provided by an authority, and a single Dart function for
using it. One line of Dart code should be all it takes to do both
operations.
3 - Provide a simple SSL configuration class for additional, non standard
SSL options (expiration, revocation, handshake, strict transport security,
signature algorithm and key sizes, subdomain certificates, allowed
protocols, allowed cipher suites, forward secrecy, SNI, etc.).
4 - Provide a simple client class for testing and verifying SSL
certificates and HTTPS connections (expiration, revocation, handshake,
strict transport security, signature algorithm and key sizes, subdomain
certificates, allowed protocols, allowed cipher suites, forward secrecy,
SNI, etc.)
5 - Provide a function in the ssl configuration class to save and load
configuration options in a portable and human readable external json file.
6 - Extensive debugging, testing and strict code validation protocols
should be done on the library before each new release to ensure high
security and lack of vulnerabilities.







da...@googlecode.com

Sep 19, 2014, 2:34:31 AM
to bu...@dartlang.org
Updates:
Labels: -Security

Comment #2 on issue 20967 by sgj...@google.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

(No comment was entered for this change.)

da...@googlecode.com

Sep 26, 2014, 5:46:42 PM
to bu...@dartlang.org

Comment #3 on issue 20967 by fmuad...@gmail.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

Other troubles with Dart and SSL certificates:
http://stackoverflow.com/questions/26067511/accepting-any-ssl-certificate-causes-my-program-to-hang

Such an important component for a web framework like Dart cannot be
neglected any more. Please hire more programmers and security experts to
create a new team dedicated only to make a secure, reliable and complete
HTTPS library for Dart with the features described above. Such library
would be the backbone of any server side Dart application, and deserves the
maximum commitment from Google.

da...@googlecode.com

Sep 29, 2014, 8:03:08 AM
to bu...@dartlang.org

Comment #4 on issue 20967 by sgj...@google.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

The SSL/TLS library used for standalone Dart is currently NSS from Mozilla
(https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS). This is
what is used by Chrome and based on that the Dart team selected NSS as well.

We might re-evaluate and move to OpenSSL/BoringSSL as Chrome moves in that
direction.

da...@googlecode.com

Sep 29, 2014, 11:13:19 AM
to bu...@dartlang.org

Comment #5 on issue 20967 by fmuad...@gmail.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

Projects like OpenSSL are full of bugs and insecure, as the recent
Heartbleed disaster proved.
Google should write its own SSL/TLS library for Dart, exactly like
Microsoft did for C# and Oracle did for Java. Please show us that Google is
really committed to Dart as a development platform hiring full time
security experts to develop the security part of Dart, and not just
recycling some existing and buggy open source projects to skimp on
development costs. We need Google to provide Dart developers a strong,
fully bounds-checked library for all x509 secure protocols, with a codebase
they can trust because there are highly skilled people paid to check and fix
it full time. Dart is a web language more than C# and Java are. If Google
is not taking it seriously enough to make its own SSL/TLS library, then
why should we?

da...@googlecode.com

Sep 29, 2014, 11:36:32 AM
to bu...@dartlang.org

Comment #6 on issue 20967 by fmuad...@gmail.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

Also, there is a huge problem with USABILITY with the current Dart https
stack (just look at the piling stackoverflow issues about that), and the
Dart team should address this also with a new integrated framework. We need
a better designed API for managing certificates and secure connections, one
that doesn't rely on third party non-dart libraries.

da...@googlecode.com

Sep 30, 2014, 4:27:06 AM
to bu...@dartlang.org

Comment #7 on issue 20967 by sgj...@google.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

Making a clean-room implementation of SSL/TLS for Dart is not an option we
are considering. Even though there are bugs in existing implementations
they are still way more stable and correct than a new implementation will
be.

I agree that the tooling we are depending on as we are using NSS (mainly
certutil) are not that user friendly tools. However the answers on
stackoverflow should help there.

We have considered adding certificate management functions to the Dart API.
However, as NSS is global for the whole Dart process - that is all isolates
- we decided against it. Having one isolate change e.g. the root CAs for
all isolates can introduce a security risk.

Google is participating actively in both the NSS and OpenSSL project.

da...@googlecode.com

Sep 30, 2014, 4:44:40 AM
to bu...@dartlang.org

Comment #8 on issue 20967 by olli.s...@gmail.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

For everyone that has problems getting it set up using the answers on
StackOverflow, I found this blog post very helpful:
http://jamesslocum.com/post/70003236123

da...@googlecode.com

Sep 30, 2014, 8:38:55 AM
to bu...@dartlang.org

Comment #9 on issue 20967 by fmuad...@gmail.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

@sgjesse: With this decision Dart is going to lose a lot of developers. But
it seems that Google doesn't care about that for quite a while now.

da...@googlecode.com

Jun 1, 2015, 8:37:04 AM
to bu...@dartlang.org
Updates:
Status: Started
Owner: whe...@google.com
Labels: -Priority-Unassigned Priority-Medium

Comment #10 on issue 20967 by whe...@google.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

We agree with the points made in this bug report, and are moving Dart from
using the NSS secure networking library to using BoringSSL, Google's fork
of OpenSSL that is being used in Chrome and other Google products.
BoringSSL is simplified and checked by Google, with some old and unneeded
parts of OpenSSL removed, so it is as secure a library as Google can make.

The certificate management in BoringSSL is much easier than in NSS, using
certificates and keys in .PEM files (base64-encoded DER ASN1 X509
certificates), and we will expose the SecurityContext object, where trusted
certificates, keys, and certificate chains are loaded by methods on
SecurityContext.
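
An added example (not part of the original thread, and not code from the Dart project) of the PEM-based workflow described in comment #10, using the `SecurityContext` class as it exists in `dart:io`. The file names `chain.pem`, `key.pem` and `ca.pem` and port 8443 are placeholders; the certificate is assumed to be issued for `localhost`. Each context is an ordinary object handed to one server or client, so the trust settings of one do not affect others in the process.

```dart
// Added example: TLS server and client configured from PEM files.
// chain.pem, key.pem, ca.pem and the port are placeholders (assumptions).
import 'dart:convert';
import 'dart:io';

/// Server side: the CA-issued chain (leaf first, then intermediates)
/// and the private key that matches the leaf certificate.
SecurityContext serverContext(String chainPem, String keyPem) {
  return SecurityContext()
    ..useCertificateChain(chainPem)
    ..usePrivateKey(keyPem);
}

/// Client side: trust only the CA certificates in [caPem], not the
/// platform's built-in roots.
SecurityContext clientContext(String caPem) {
  return SecurityContext(withTrustedRoots: false)
    ..setTrustedCertificates(caPem);
}

Future<void> main() async {
  final server = await HttpServer.bindSecure(
      'localhost', 8443, serverContext('chain.pem', 'key.pem'));
  server.listen((HttpRequest req) {
    req.response
      ..write('hello over TLS')
      ..close();
  });

  final client = HttpClient(context: clientContext('ca.pem'));
  try {
    final req = await client.getUrl(Uri.parse('https://localhost:8443/'));
    final res = await req.close();
    final body = await utf8.decoder.bind(res).join();
    print('${res.statusCode} $body');
  } on HandshakeException catch (e) {
    // Raised when the server's certificate does not verify against ca.pem.
    print('TLS handshake rejected: $e');
  } finally {
    client.close();
    await server.close(force: true);
  }
}
```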

da...@googlecode.com

Jun 2, 2015, 10:16:20 AM
to bu...@dartlang.org

Comment #11 on issue 20967 by warren.s...@gmail.com: Using an SSL
certificate emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

What are the implications of this move? Will the underlying crypto
functions be exposed so that they can be used for other purposes (for
example, signing JWT tokens?)

da...@googlecode.com

Jun 2, 2015, 10:20:54 AM
to bu...@dartlang.org

Comment #12 on issue 20967 by whe...@google.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

We are also working on a crypto library that will support basic crypto
operations, and be implemented optimally on each platform. Actually
signing something would be an advanced API - I would think that for now,
signing things by running a command-line subprocess from Dart, using tools
from OpenSSL or another library, is the most stable solution. The obstacle
to exposing all of the functions is just the size of the API, the amount of
implementation, and how it would make the API more complex than most users
need.

da...@googlecode.com

Jun 2, 2015, 5:27:36 PM
to bu...@dartlang.org

Comment #13 on issue 20967 by jonas.ke...@gmail.com: Using an SSL
certificate emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

Where is the work on the crypto library taking place? Is it public so we
can view the progress?

I have ported a library for JWT signing from Java to Dart but cannot get it
working because there is no package that has a working way to generate RSA
key pairs in Dart. Initially I thought the cipher package could do this but
it did not work in practice. I think it would be really nice if the
mentioned crypto library could provide this function. The ported library is
here:

https://github.com/jonaskello/jose_jwt/tree/develop

da...@googlecode.com

Jun 3, 2015, 4:36:18 AM
to bu...@dartlang.org
Updates:
Cc: aliva...@google.com sgj...@google.com

Comment #14 on issue 20967 by whe...@google.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

(No comment was entered for this change.)

da...@googlecode.com

Jun 3, 2015, 11:21:43 AM
to bu...@dartlang.org

Comment #15 on issue 20967 by gzoe...@gmail.com: Using an SSL certificate
emitted by an authority should be much simpler in Dart
https://code.google.com/p/dart/issues/detail?id=20967

@jonas.kello isn't this already used in packages like shelf_auth or
googleapis_auth?