From 358e4a2a04c7d9c24276b626687128d72d34731f Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Thu, 6 Feb 2025 14:39:32 -0500 Subject: [PATCH] PQ update. Prepare for OQS deprecation. --- X9.146/Makefile | 14 +- X9.146/README.md | 130 +-- X9.146/gen_ecdsa_falcon_dual_keysig_cert.c | 449 --------- X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c | 4 +- X9.146/gen_rsa_falcon_dual_keysig_cert.c | 381 ------- X9.146/gen_rsa_mldsa_dual_keysig_cert.c | 4 +- certs/falcon_level1_ca_key.der | Bin 2202 -> 0 bytes certs/falcon_level1_ca_pubkey.der | Bin 915 -> 0 bytes certs/falcon_level1_entity_cert.pem | 50 - certs/falcon_level1_entity_key.pem | 48 - certs/falcon_level1_entity_req.pem | 39 - certs/falcon_level1_root_cert.pem | 49 - certs/falcon_level1_root_key.pem | 48 - certs/falcon_level1_server_key.der | Bin 2202 -> 0 bytes certs/falcon_level1_server_key.pem | 48 - certs/falcon_level1_server_pubkey.der | Bin 915 -> 0 bytes certs/falcon_level5_ca_key.der | Bin 4122 -> 0 bytes certs/falcon_level5_ca_pubkey.der | Bin 1811 -> 0 bytes certs/falcon_level5_entity_cert.pem | 81 -- certs/falcon_level5_entity_key.pem | 88 -- certs/falcon_level5_entity_req.pem | 70 -- certs/falcon_level5_root_cert.pem | 80 -- certs/falcon_level5_root_key.pem | 88 -- certs/falcon_level5_server_key.der | Bin 4122 -> 0 bytes certs/falcon_level5_server_key.pem | 88 -- certs/falcon_level5_server_pubkey.der | Bin 1811 -> 0 bytes certs/mldsa44_entity_cert.pem | 95 ++ certs/mldsa44_entity_key.pem | 84 ++ certs/mldsa44_entity_req.pem | 85 ++ certs/mldsa44_root_cert.pem | 94 ++ certs/mldsa44_root_key.pem | 84 ++ certs/mldsa65_entity_cert.pem | 127 +++ certs/mldsa65_entity_key.pem | 128 +++ certs/mldsa65_entity_req.pem | 116 +++ certs/mldsa65_root_cert.pem | 126 +++ certs/mldsa65_root_key.pem | 128 +++ certs/mldsa87_entity_cert.pem | 168 ++++ certs/mldsa87_entity_key.pem | 159 +++ certs/mldsa87_entity_req.pem | 157 +++ certs/mldsa87_root_cert.pem | 167 ++++ certs/mldsa87_root_key.pem | 159 +++ certs/sphincs_fast_level1_entity_cert.pem | 374 ------- certs/sphincs_fast_level1_entity_key.pem | 5 - certs/sphincs_fast_level3_entity_cert.pem | 761 -------------- certs/sphincs_fast_level3_entity_key.pem | 6 - certs/sphincs_fast_level5_entity_cert.pem | 1057 -------------------- certs/sphincs_fast_level5_entity_key.pem | 7 - certs/sphincs_small_level1_entity_cert.pem | 182 ---- certs/sphincs_small_level1_entity_key.pem | 5 - certs/sphincs_small_level3_entity_cert.pem | 356 ------- certs/sphincs_small_level3_entity_key.pem | 6 - certs/sphincs_small_level5_entity_cert.pem | 639 ------------ certs/sphincs_small_level5_entity_key.pem | 7 - pq/tls/README.md | 70 +- pq/tls/client-pq-tls13.c | 25 +- pq/tls/falcon_certverify.c | 86 -- pq/tls/server-pq-tls13.c | 33 +- pq/tls/sphincs_sign_verify.c | 214 ---- pq/tls/stm32/README.md | 6 +- 59 files changed, 1937 insertions(+), 5538 deletions(-) delete mode 100644 X9.146/gen_ecdsa_falcon_dual_keysig_cert.c delete mode 100644 X9.146/gen_rsa_falcon_dual_keysig_cert.c delete mode 100644 certs/falcon_level1_ca_key.der delete mode 100644 certs/falcon_level1_ca_pubkey.der delete mode 100644 certs/falcon_level1_entity_cert.pem delete mode 100644 certs/falcon_level1_entity_key.pem delete mode 100644 certs/falcon_level1_entity_req.pem delete mode 100644 certs/falcon_level1_root_cert.pem delete mode 100644 certs/falcon_level1_root_key.pem delete mode 100644 certs/falcon_level1_server_key.der delete mode 100644 certs/falcon_level1_server_key.pem delete mode 100644 certs/falcon_level1_server_pubkey.der delete mode 100644 certs/falcon_level5_ca_key.der delete mode 100644 certs/falcon_level5_ca_pubkey.der delete mode 100644 certs/falcon_level5_entity_cert.pem delete mode 100644 certs/falcon_level5_entity_key.pem delete mode 100644 certs/falcon_level5_entity_req.pem delete mode 100644 certs/falcon_level5_root_cert.pem delete mode 100644 certs/falcon_level5_root_key.pem delete mode 100644 certs/falcon_level5_server_key.der delete mode 100644 certs/falcon_level5_server_key.pem delete mode 100644 certs/falcon_level5_server_pubkey.der create mode 100644 certs/mldsa44_entity_cert.pem create mode 100644 certs/mldsa44_entity_key.pem create mode 100644 certs/mldsa44_entity_req.pem create mode 100644 certs/mldsa44_root_cert.pem create mode 100644 certs/mldsa44_root_key.pem create mode 100644 certs/mldsa65_entity_cert.pem create mode 100644 certs/mldsa65_entity_key.pem create mode 100644 certs/mldsa65_entity_req.pem create mode 100644 certs/mldsa65_root_cert.pem create mode 100644 certs/mldsa65_root_key.pem create mode 100644 certs/mldsa87_entity_cert.pem create mode 100644 certs/mldsa87_entity_key.pem create mode 100644 certs/mldsa87_entity_req.pem create mode 100644 certs/mldsa87_root_cert.pem create mode 100644 certs/mldsa87_root_key.pem delete mode 100644 certs/sphincs_fast_level1_entity_cert.pem delete mode 100644 certs/sphincs_fast_level1_entity_key.pem delete mode 100644 certs/sphincs_fast_level3_entity_cert.pem delete mode 100644 certs/sphincs_fast_level3_entity_key.pem delete mode 100644 certs/sphincs_fast_level5_entity_cert.pem delete mode 100644 certs/sphincs_fast_level5_entity_key.pem delete mode 100644 certs/sphincs_small_level1_entity_cert.pem delete mode 100644 certs/sphincs_small_level1_entity_key.pem delete mode 100644 certs/sphincs_small_level3_entity_cert.pem delete mode 100644 certs/sphincs_small_level3_entity_key.pem delete mode 100644 certs/sphincs_small_level5_entity_cert.pem delete mode 100644 certs/sphincs_small_level5_entity_key.pem delete mode 100644 pq/tls/falcon_certverify.c delete mode 100644 pq/tls/sphincs_sign_verify.c diff --git a/X9.146/Makefile b/X9.146/Makefile index a8731d15..b916de0d 100644 --- a/X9.146/Makefile +++ b/X9.146/Makefile @@ -27,7 +27,7 @@ CFLAGS+=$(DEBUG_FLAGS) #LIBS+=$(STATIC_LIB) LIBS+=$(DYN_LIB) -all: gen_dual_keysig_root_cert gen_dual_keysig_server_cert gen_rsa_mldsa_dual_keysig_root_cert gen_rsa_mldsa_dual_keysig_server_cert gen_rsa_falcon_dual_keysig_root_cert gen_rsa_falcon_dual_keysig_server_cert gen_ecdsa_mldsa_dual_keysig_root_cert gen_ecdsa_mldsa_dual_keysig_server_cert gen_ecdsa_falcon_dual_keysig_root_cert gen_ecdsa_falcon_dual_keysig_server_cert +all: gen_dual_keysig_root_cert gen_dual_keysig_server_cert gen_rsa_mldsa_dual_keysig_root_cert gen_rsa_mldsa_dual_keysig_server_cert gen_ecdsa_mldsa_dual_keysig_root_cert gen_ecdsa_mldsa_dual_keysig_server_cert gen_dual_keysig_root_cert: gen_dual_keysig_cert.c @@ -42,24 +42,12 @@ gen_rsa_mldsa_dual_keysig_root_cert: gen_rsa_mldsa_dual_keysig_cert.c gen_rsa_mldsa_dual_keysig_server_cert: gen_rsa_mldsa_dual_keysig_cert.c $(CC) -o $@ gen_rsa_mldsa_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT -gen_rsa_falcon_dual_keysig_root_cert: gen_rsa_falcon_dual_keysig_cert.c - $(CC) -o $@ gen_rsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT - -gen_rsa_falcon_dual_keysig_server_cert: gen_rsa_falcon_dual_keysig_cert.c - $(CC) -o $@ gen_rsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT - gen_ecdsa_mldsa_dual_keysig_root_cert: gen_ecdsa_mldsa_dual_keysig_cert.c $(CC) -o $@ gen_ecdsa_mldsa_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT gen_ecdsa_mldsa_dual_keysig_server_cert: gen_ecdsa_mldsa_dual_keysig_cert.c $(CC) -o $@ gen_ecdsa_mldsa_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT -gen_ecdsa_falcon_dual_keysig_root_cert: gen_ecdsa_falcon_dual_keysig_cert.c - $(CC) -o $@ gen_ecdsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_ROOT_CERT - -gen_ecdsa_falcon_dual_keysig_server_cert: gen_ecdsa_falcon_dual_keysig_cert.c - $(CC) -o $@ gen_ecdsa_falcon_dual_keysig_cert.c $(CFLAGS) $(CPPFLAGS) $(LIBS) -DGEN_SERVER_CERT - .PHONY: clean all clean: diff --git a/X9.146/README.md b/X9.146/README.md index 17088428..45257bdf 100644 --- a/X9.146/README.md +++ b/X9.146/README.md @@ -35,20 +35,6 @@ make sudo make install sudo ldconfig # required on some targets ``` -NOTE: This DOES NOT require installation of liboqs. - -Tested with these wolfSSL build options for Falcon certificates: - -```sh -./autogen.sh # If cloned from GitHub -./configure --enable-experimental --enable-dual-alg-certs --with-liboqs --enable-debug -make -sudo make install -sudo ldconfig # required on some targets -``` -NOTE: This REQUIRES installation of liboqs for its Falcon implementation. - - In the directory where this README.md file is found, clean up previous build products and certificates and then build the applications. @@ -76,13 +62,13 @@ verification was also successful. On the client side, during the call to `DoTls13CertificateVerify()` look for messages that indicate both conventional and post-quantum verification: -For example, if you are doing ECDSA with Falcon, you will see the following: +For example, if you are doing ECDSA with MLDSA, you will see the following: ``` Doing ECC peer cert verify wolfSSL Entering EccVerify wolfSSL Leaving EccVerify, return 0 -Doing Falcon peer cert verify +Doing MLDSA peer cert verify wolfSSL Leaving DoTls13CertificateVerify, return 0 ``` @@ -199,81 +185,6 @@ examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P521-mldsa87 examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P521-mldsa87-cert.pem ``` -#### P-256 and Falcon Level 1 Demo - -Generate the various conventional keys; the post-quantum key are pre-generated: - -```sh -openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out ca-key.der -outform der - -openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-256 -out server-key.der -outform der -``` - -Generate the certificate chain: - -``` -./gen_ecdsa_falcon_dual_keysig_root_cert 1 - -./gen_ecdsa_falcon_dual_keysig_server_cert 1 -``` - -Convert the DER encoded resulting certificates and keys into PEM: - -``` -openssl x509 -in ca-cert-pq.der -inform der -out ca-P256-falcon1-cert.pem -outform pem - -openssl x509 -in server-cert-pq.der -inform der -out server-P256-falcon1-cert.pem -outform pem - -openssl pkey -in server-key.der -inform der -out server-P256-key.pem -outform pem - -cp ../certs/falcon_level1_server_key.pem server-falcon1-key-pq.pem -``` -Then in wolfssl's source directory: - -``` -examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P256-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-P256-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem - -examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P256-falcon1-cert.pem -``` - -#### P-521 and Falcon Level 5 Demo - -Generate the various conventional keys; the post-quantum key are pre-generated: - -```sh -openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 -out ca-key.der -outform der - -openssl genpkey -algorithm ec -pkeyopt ec_paramgen_curve:P-521 -out server-key.der -outform der -``` - -Generate the certificate chain: - -``` - -./gen_ecdsa_falcon_dual_keysig_root_cert 5 - -./gen_ecdsa_falcon_dual_keysig_server_cert 5 -``` - -Convert the DER encoded resulting certificates and keys into PEM: - -``` -openssl x509 -in ca-cert-pq.der -inform der -out ca-P521-falcon5-cert.pem -outform pem - -openssl x509 -in server-cert-pq.der -inform der -out server-P521-falcon5-cert.pem -outform pem - -openssl pkey -in server-key.der -inform der -out server-P521-key.pem -outform pem - -cp ../certs/falcon_level5_server_key.pem server-falcon5-key-pq.pem -``` -Then in wolfssl's source directory: - -``` -examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P521-falcon5-cert.pem -k ../wolfssl-examples/X9.146/server-P521-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon5-key-pq.pem - -examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P521-falcon5-cert.pem -``` - ### RSA Demos #### RSA-3072 and MLDSA44 Demo @@ -313,43 +224,6 @@ examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-mlds examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-rsa3072-mldsa44-cert.pem ``` -#### RSA-3072 and Falcon Level 1 Demo - -Generate the various conventional keys; the post-quantum key are pre-generated: - -```sh -openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:3072 -out ca-key.der -outform der - -openssl genpkey -algorithm rsa -pkeyopt rsa_keygen_bits:3072 -out server-key.der -outform der -``` - -Generate the certificate chain: - -``` -./gen_rsa_falcon_dual_keysig_root_cert - -./gen_rsa_falcon_dual_keysig_server_cert -``` - -Convert the DER encoded resulting certificates and keys into PEM: - -``` -openssl x509 -in ca-cert-pq.der -inform der -out ca-rsa3072-falcon1-cert.pem -outform pem - -openssl x509 -in server-cert-pq.der -inform der -out server-rsa3072-falcon1-cert.pem -outform pem - -openssl pkey -in server-key.der -inform der -out server-rsa3072-key.pem -outform pem - -cp ../certs/falcon_level1_server_key.pem server-falcon1-key-pq.pem -``` -Then in wolfssl's source directory: - -``` -examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-rsa3072-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem - -examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-rsa3072-falcon1-cert.pem -``` - ## Generating a Certificate Chain and Adding Alternative keys and Signatures In the directory where this README.md file is found, build the applications: diff --git a/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c b/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c deleted file mode 100644 index c79981aa..00000000 --- a/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c +++ /dev/null @@ -1,449 +0,0 @@ -/* gen_ecdsa_falcon_dual_keysig_cert.c - * - * Copyright (C) 2006-2024 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#if defined(WOLFSSL_DUAL_ALG_CERTS) && defined(HAVE_LIBOQS) - -#define LARGE_TEMP_SZ 9216 - -#if defined(GEN_ROOT_CERT) && defined(GEN_SERVER_CERT) - #error "Please only generate a root OR server certificate." -#endif - -#define SUBJECT_COUNTRY "US" -#define SUBJECT_STATE "MT" -#define SUBJECT_LOCALITY "YourCity" -#define SUBJECT_ORG "YourOrgName" -#define SUBJECT_UNIT "YourUnitName" -#define SUBJECT_COMMONNAME "www.YourDomain.com" - -#ifdef GEN_ROOT_CERT -#define SUBJECT_EMAIL "pq-root@YourDomain.com" -#else -#define SUBJECT_EMAIL "pq-server@YourDomain.com" -#endif - -void usage(char *prog_name) -{ - fprintf(stderr, "Usage: %s \n", prog_name); - fprintf(stderr, " level can be 1 or 5\n"); - exit(EXIT_FAILURE); -} - -int readFileIntoBuffer(char *fname, byte *buf, int *sz) -{ - int ret; - FILE *file; - XMEMSET(buf, 0, *sz); - file = fopen(fname, "rb"); - if (!file) { - printf("failed to open file: %s\n", fname); - return -1; - } - ret = fread(buf, 1, *sz, file); - fclose(file); - if (ret > 0) - *sz = ret; - return ret; -} - -#ifdef HAVE_FIPS - #include - - static void myFipsCb(int ok, int err, const char* hash) - { - printf("in my Fips callback, ok = %d, err = %d\n", ok, err); - printf("message = %s\n", wc_GetErrorString(err)); - printf("hash = %s\n", hash); - - if (err == IN_CORE_FIPS_E) { - printf("In core integrity hash check failure, copy above hash\n"); - printf("into verifyCore[] in fips_test.c and rebuild\n"); - } - } -#endif - -static int do_certgen(int argc, char** argv) -{ - int ret = 0; - - char caKeyFile[] = "./ca-key.der"; - char altPrivFile1[] = "../certs/falcon_level1_ca_key.der"; - char altPrivFile5[] = "../certs/falcon_level5_ca_key.der"; -#ifdef GEN_ROOT_CERT - char newCertOutput[] = "./ca-cert-pq.der"; - char sapkiFile1[] = "../certs/falcon_level1_ca_pubkey.der"; - char sapkiFile5[] = "../certs/falcon_level5_ca_pubkey.der"; -#else - char caCert[] = "./ca-cert-pq.der"; - char newCertOutput[] = "./server-cert-pq.der"; - char serverKeyFile[] = "./server-key.der"; - char sapkiFile1[] = "../certs/falcon_level1_server_pubkey.der"; - char sapkiFile5[] = "../certs/falcon_level5_server_pubkey.der"; -#endif - FILE* file; - Cert newCert; - DecodedCert preTBS; - char *sapkiFile = NULL; - char *altPrivFile = NULL; - -#ifndef GEN_ROOT_CERT - byte caCertBuf[LARGE_TEMP_SZ]; - int caCertSz = LARGE_TEMP_SZ; - byte serverKeyBuf[LARGE_TEMP_SZ]; - int serverKeySz = LARGE_TEMP_SZ; -#endif /* !GEN_ROOT_CERT */ - - byte caKeyBuf[LARGE_TEMP_SZ]; - int caKeySz = LARGE_TEMP_SZ; - byte sapkiBuf[LARGE_TEMP_SZ]; - int sapkiSz = LARGE_TEMP_SZ; - byte altPrivBuf[LARGE_TEMP_SZ]; - int altPrivSz = LARGE_TEMP_SZ; - byte altSigAlgBuf[LARGE_TEMP_SZ]; - int altSigAlgSz = LARGE_TEMP_SZ; - byte scratchBuf[LARGE_TEMP_SZ]; - int scratchSz = LARGE_TEMP_SZ; - byte preTbsBuf[LARGE_TEMP_SZ]; - int preTbsSz = LARGE_TEMP_SZ; - byte altSigValBuf[LARGE_TEMP_SZ]; - int altSigValSz = LARGE_TEMP_SZ; - byte outBuf[LARGE_TEMP_SZ]; - int outSz = LARGE_TEMP_SZ; - - /* The are for MakeCert and SignCert. */ - WC_RNG rng; - int initRng = 0; - - ecc_key caKey; - int initCaKey = 0; -#ifndef GEN_ROOT_CERT - ecc_key serverKey; - int initServerKey = 0; -#endif /* !GEN_ROOT_CERT */ - int initPreTBS = 0; - falcon_key altCaKey; - word32 idx = 0; - byte level = 0; - -#if 0 - wolfSSL_Debugging_ON(); -#endif - -#ifdef WC_RNG_SEED_CB - wc_SetSeed_Cb(wc_GenerateSeed); -#endif - -#if defined(HAVE_FIPS) - wolfCrypt_SetCb_fips(myFipsCb); - #if FIPS_VERSION3_GE(6,0,0) - printf("FIPS module version in use: %s\n", - wolfCrypt_GetVersion_fips()); - #endif -#endif - - if (argc != 2) - usage(argv[0]); - - switch (argv[1][0]) - { - case '1': - level = 1; - sapkiFile = sapkiFile1; - altPrivFile = altPrivFile1; - break; - case '5': - level = 5; - sapkiFile = sapkiFile5; - altPrivFile = altPrivFile5; - break; - default: - usage(argv[0]); - break; - } - - ret = wc_InitRng(&rng); - if (ret != 0) goto exit; - initRng = 1; - -#ifndef GEN_ROOT_CERT - /* Open the CA der formatted certificate. if we are generating the server - * certificate. We need to get it's subject line to use in the new cert - * we're creating as the "Issuer" line */ - printf("Loading CA certificate\n"); - ret = readFileIntoBuffer(caCert, caCertBuf, &caCertSz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n\n", caCertSz, caCert); - - /* Open the server private key. We need this to embed the public part into - * the certificate. */ - printf("Loading server private key\n"); - ret = readFileIntoBuffer(serverKeyFile, serverKeyBuf, &serverKeySz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n\n", serverKeySz, - serverKeyFile); - - printf("Decoding the server private key\n"); - ret = wc_ecc_init(&serverKey); - if (ret != 0) goto exit; - initServerKey = 1; - idx = 0; - ret = wc_EccPrivateKeyDecode(serverKeyBuf, &idx, &serverKey, serverKeySz); - if (ret != 0) goto exit; - printf("Successfully decoded server private key\n\n"); -#endif /* !GEN_ROOT_CERT */ - - /* Open caKey file and get the caKey, we need it to sign our new cert. */ - printf("Loading the CA key\n"); - ret = readFileIntoBuffer(caKeyFile, caKeyBuf, &caKeySz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n", caKeySz, caKeyFile); - - printf("Decoding the CA private key\n"); - ret = wc_ecc_init(&caKey); - if (ret != 0) goto exit; - initCaKey = 1; - idx = 0; - ret = wc_EccPrivateKeyDecode(caKeyBuf, &idx, &caKey, caKeySz); - if (ret != 0) goto exit; - printf("Successfully decoded CA private key\n\n"); - - /* Open the subject alternative public key file. */ - printf("Loading the subject alternative public key\n"); - ret = readFileIntoBuffer(sapkiFile, sapkiBuf, &sapkiSz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n", sapkiSz, sapkiFile); - - /* Open the issuer's alternative private key file. */ - printf("Loading the alternative private key\n"); - ret = readFileIntoBuffer(altPrivFile, altPrivBuf, &altPrivSz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n", altPrivSz, altPrivFile); - - printf("Decoding the CA alt private key\n"); - wc_falcon_init(&altCaKey); - ret = wc_falcon_set_level(&altCaKey, level); - if (ret < 0) goto exit; - - idx = 0; - ret = wc_Falcon_PrivateKeyDecode(altPrivBuf, &idx, &altCaKey, - (word32)altPrivSz); - if (ret != 0) goto exit; - printf("Successfully decoded CA alt private key\n"); - - XMEMSET(altSigAlgBuf, 0, altSigAlgSz); - - switch (level) - { - case 1: - altSigAlgSz = SetAlgoID(CTC_FALCON_LEVEL1, altSigAlgBuf, oidSigType, 0); - break; - case 5: - altSigAlgSz = SetAlgoID(CTC_FALCON_LEVEL5, altSigAlgBuf, oidSigType, 0); - break; - } - if (altSigAlgSz <= 0) goto exit; - printf("Successfully generated alternative signature algorithm;"); - printf(" %d bytes.\n\n", altSigAlgSz); - - /* Create a new certificate. If server cert, use SUBJECT information from - * ca cert for ISSUER information in generated cert. */ -#ifdef GEN_ROOT_CERT - printf("Generate self signed cert\n"); -#else - printf("Generate the server cert\n"); -#endif - wc_InitCert(&newCert); - strncpy(newCert.subject.country, SUBJECT_COUNTRY, CTC_NAME_SIZE); - strncpy(newCert.subject.state, SUBJECT_STATE, CTC_NAME_SIZE); - strncpy(newCert.subject.locality, SUBJECT_LOCALITY, CTC_NAME_SIZE); - strncpy(newCert.subject.org, SUBJECT_ORG, CTC_NAME_SIZE); - strncpy(newCert.subject.unit, SUBJECT_UNIT, CTC_NAME_SIZE); - strncpy(newCert.subject.commonName, SUBJECT_COMMONNAME, CTC_NAME_SIZE); - strncpy(newCert.subject.email, SUBJECT_EMAIL, CTC_NAME_SIZE); - - switch (level) - { - case 1: - newCert.sigType = CTC_SHA256wECDSA; - break; - case 5: - newCert.sigType = CTC_SHA512wECDSA; - break; - } - -#ifdef GEN_ROOT_CERT - newCert.isCA = 1; -#else - newCert.isCA = 0; - ret = wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz); - if (ret != 0) goto exit; -#endif - - ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.72", sapkiBuf, sapkiSz); - if (ret < 0) goto exit; - ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.73", altSigAlgBuf, - altSigAlgSz); - if (ret < 0) goto exit; - - /* Generate a cert and then convert into a DecodedCert. */ - XMEMSET(scratchBuf, 0, scratchSz); -#ifdef GEN_ROOT_CERT - ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, NULL, &caKey, &rng); - if (ret <= 0) goto exit; - printf("wc_MakeCert for preTBS returned %d\n", ret); - - ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf, scratchSz, - NULL, &caKey, &rng); - if (ret <= 0) goto exit; - printf("wc_SignCert for preTBS returned %d\n", ret); -#else - ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, NULL, &serverKey, &rng); - if (ret <= 0) goto exit; - printf("wc_MakeCert for preTBS returned %d\n", ret); - - /* Technically, we don't need to sign because as it stands now, the DER has - * everything we need. However, when we call wc_ParseCert, the lack of a - * signature will be fatal. */ - ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf, - scratchSz, NULL, &caKey, &rng); - if (ret < 0) goto exit; - printf("wc_SignCert for preTBS returned %d\n", ret); -#endif - scratchSz = ret; - - wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0); - initPreTBS = 1; - ret = wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL); - if (ret < 0) goto exit; - - /* Generate the DER for a pre-TBS. */ - XMEMSET(preTbsBuf, 0, preTbsSz); - ret = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz); - if (ret < 0) goto exit; - printf("PreTBS is %d bytes.\n", ret); - preTbsSz = ret; - - /* Generate the contents of the altSigVal extension and inject into cert. */ - XMEMSET(altSigValBuf, 0, altSigValSz); - switch (level) - { - case 1: - ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_FALCON_LEVEL1, - preTbsBuf, preTbsSz, FALCON_LEVEL1_TYPE, - &altCaKey, &rng); - break; - case 5: - ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_FALCON_LEVEL5, - preTbsBuf, preTbsSz, FALCON_LEVEL5_TYPE, - &altCaKey, &rng); - break; - } - if (ret < 0) goto exit; - altSigValSz = ret; - printf("altSigVal is %d bytes.\n", altSigValSz); - - ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.74", - altSigValBuf, altSigValSz); - if (ret < 0) goto exit; - - /* Finally, generate the new certificate. */ - XMEMSET(outBuf, 0, outSz); -#ifdef GEN_ROOT_CERT - ret = wc_MakeCert(&newCert, outBuf, outSz, NULL, &caKey, &rng); - if (ret <= 0) goto exit; - printf("wc_MakeCert for preTBS returned %d\n", ret); - - ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, - NULL, &caKey, &rng); - if (ret <= 0) goto exit; - printf("wc_SignCert for preTBS returned %d\n", ret); -#else - ret = wc_MakeCert(&newCert, outBuf, outSz, NULL, &serverKey, &rng); - if (ret < 0) goto exit; - printf("Make Cert returned %d\n", ret); - - ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, NULL, - &caKey, &rng); - if (ret < 0) goto exit; - printf("Sign Cert returned %d\n", ret); -#endif - outSz = ret; - - printf("Successfully created new certificate\n\n"); - - /* Write the new cert to file in der format. */ - printf("Writing newly generated DER certificate to file \"%s\"\n", - newCertOutput); - file = fopen(newCertOutput, "wb"); - if (!file) { - printf("failed to open file: %s\n", newCertOutput); - goto exit; - } - ret = fwrite(outBuf, 1, outSz, file); - fclose(file); - if (ret <= 0) goto exit; - printf("Successfully output %d bytes\n", ret); - - ret = 0; - printf("SUCCESS!\n"); -exit: - - if (initCaKey) - wc_ecc_free(&caKey); -#ifndef GEN_ROOT_CERT - if (initServerKey) - wc_ecc_free(&serverKey); -#endif - if (initPreTBS) - wc_FreeDecodedCert(&preTBS); - if (initRng) - wc_FreeRng(&rng); - - if (ret != 0) - printf("Failure code was %d\n", ret); - return ret; -} - -int main(int argc, char** argv) -{ - return do_certgen(argc, argv); -} - -#else - -int main(int argc, char** argv) -{ - printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs " - "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\""); - return 0; -} - -#endif diff --git a/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c b/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c index 87613e22..521f5d22 100644 --- a/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c +++ b/X9.146/gen_ecdsa_mldsa_dual_keysig_cert.c @@ -470,8 +470,8 @@ int main(int argc, char** argv) int main(int argc, char** argv) { - printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs " - "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\""); + printf("Please compile wolfSSL with --enable-dual-alg-certs " + "--enable-dilithium\n"); return 0; } diff --git a/X9.146/gen_rsa_falcon_dual_keysig_cert.c b/X9.146/gen_rsa_falcon_dual_keysig_cert.c deleted file mode 100644 index bbcda058..00000000 --- a/X9.146/gen_rsa_falcon_dual_keysig_cert.c +++ /dev/null @@ -1,381 +0,0 @@ -/* gen_rsa_falcon_dual_keysig_cert.c - * - * Copyright (C) 2006-2024 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -#include -#include -#include -#include -#include -#include -#include -#include -#include - -#if defined(WOLFSSL_DUAL_ALG_CERTS) && defined(HAVE_LIBOQS) - -#define LARGE_TEMP_SZ 9216 - -#if defined(GEN_ROOT_CERT) && defined(GEN_SERVER_CERT) - #error "Please only generate a root OR server certificate." -#endif - -#define SUBJECT_COUNTRY "US" -#define SUBJECT_STATE "MT" -#define SUBJECT_LOCALITY "YourCity" -#define SUBJECT_ORG "YourOrgName" -#define SUBJECT_UNIT "YourUnitName" -#define SUBJECT_COMMONNAME "www.YourDomain.com" - -#ifdef GEN_ROOT_CERT -#define SUBJECT_EMAIL "pq-root@YourDomain.com" -#else -#define SUBJECT_EMAIL "pq-server@YourDomain.com" -#endif - -int readFileIntoBuffer(char *fname, byte *buf, int *sz) -{ - int ret; - FILE *file; - XMEMSET(buf, 0, *sz); - file = fopen(fname, "rb"); - if (!file) { - printf("failed to open file: %s\n", fname); - return -1; - } - ret = fread(buf, 1, *sz, file); - fclose(file); - if (ret > 0) - *sz = ret; - return ret; -} - -#ifdef HAVE_FIPS - #include - - static void myFipsCb(int ok, int err, const char* hash) - { - printf("in my Fips callback, ok = %d, err = %d\n", ok, err); - printf("message = %s\n", wc_GetErrorString(err)); - printf("hash = %s\n", hash); - - if (err == IN_CORE_FIPS_E) { - printf("In core integrity hash check failure, copy above hash\n"); - printf("into verifyCore[] in fips_test.c and rebuild\n"); - } - } -#endif - -static int do_certgen(int argc, char** argv) -{ - int ret = 0; - - char caKeyFile[] = "./ca-key.der"; - char altPrivFile[] = "../certs/falcon_level1_ca_key.der"; -#ifdef GEN_ROOT_CERT - char newCertOutput[] = "./ca-cert-pq.der"; - char sapkiFile[] = "../certs/falcon_level1_ca_pubkey.der"; -#else - char caCert[] = "./ca-cert-pq.der"; - char newCertOutput[] = "./server-cert-pq.der"; - char sapkiFile[] = "../certs/falcon_level1_server_pubkey.der"; - char serverKeyFile[] = "./server-key.der"; -#endif - FILE* file; - Cert newCert; - DecodedCert preTBS; - -#ifndef GEN_ROOT_CERT - byte caCertBuf[LARGE_TEMP_SZ]; - int caCertSz = LARGE_TEMP_SZ; - byte serverKeyBuf[LARGE_TEMP_SZ]; - int serverKeySz = LARGE_TEMP_SZ; -#endif /* !GEN_ROOT_CERT */ - - byte caKeyBuf[LARGE_TEMP_SZ]; - int caKeySz = LARGE_TEMP_SZ; - byte sapkiBuf[LARGE_TEMP_SZ]; - int sapkiSz = LARGE_TEMP_SZ; - byte altPrivBuf[LARGE_TEMP_SZ]; - int altPrivSz = LARGE_TEMP_SZ; - byte altSigAlgBuf[LARGE_TEMP_SZ]; - int altSigAlgSz = LARGE_TEMP_SZ; - byte scratchBuf[LARGE_TEMP_SZ]; - int scratchSz = LARGE_TEMP_SZ; - byte preTbsBuf[LARGE_TEMP_SZ]; - int preTbsSz = LARGE_TEMP_SZ; - byte altSigValBuf[LARGE_TEMP_SZ]; - int altSigValSz = LARGE_TEMP_SZ; - byte outBuf[LARGE_TEMP_SZ]; - int outSz = LARGE_TEMP_SZ; - - /* The are for MakeCert and SignCert. */ - WC_RNG rng; - int initRng = 0; - - RsaKey caKey; - int initCaKey = 0; -#ifndef GEN_ROOT_CERT - RsaKey serverKey; - int initServerKey = 0; -#endif /* !GEN_ROOT_CERT */ - int initPreTBS = 0; - falcon_key altCaKey; - word32 idx = 0; - -#if 0 - wolfSSL_Debugging_ON(); -#endif - -#ifdef WC_RNG_SEED_CB - wc_SetSeed_Cb(wc_GenerateSeed); -#endif - -#if defined(HAVE_FIPS) - wolfCrypt_SetCb_fips(myFipsCb); - #if FIPS_VERSION3_GE(6,0,0) - printf("FIPS module version in use: %s\n", - wolfCrypt_GetVersion_fips()); - #endif -#endif - - ret = wc_InitRng(&rng); - if (ret != 0) goto exit; - initRng = 1; - -#ifndef GEN_ROOT_CERT - /* Open the CA der formatted certificate. if we are generating the server - * certificate. We need to get it's subject line to use in the new cert - * we're creating as the "Issuer" line */ - printf("Loading CA certificate\n"); - ret = readFileIntoBuffer(caCert, caCertBuf, &caCertSz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n\n", caCertSz, caCert); - - /* Open the server private key. We need this to embed the public part into - * the certificate. */ - printf("Loading server private key\n"); - ret = readFileIntoBuffer(serverKeyFile, serverKeyBuf, &serverKeySz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n\n", serverKeySz, - serverKeyFile); - - printf("Decoding the server private key\n"); - ret = wc_InitRsaKey_ex(&serverKey, NULL, INVALID_DEVID); - if (ret != 0) goto exit; - initServerKey = 1; - idx = 0; - ret = wc_RsaPrivateKeyDecode(serverKeyBuf, &idx, &serverKey, - (word32)serverKeySz); - if (ret != 0) goto exit; - printf("Successfully decoded server private key\n\n"); -#endif /* !GEN_ROOT_CERT */ - - /* Open caKey file and get the caKey, we need it to sign our new cert. */ - printf("Loading the CA key\n"); - ret = readFileIntoBuffer(caKeyFile, caKeyBuf, &caKeySz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n", caKeySz, caKeyFile); - - printf("Decoding the CA private key\n"); - ret = wc_InitRsaKey_ex(&caKey, NULL, INVALID_DEVID); - if (ret != 0) goto exit; - initCaKey = 1; - idx = 0; - ret = wc_RsaPrivateKeyDecode(caKeyBuf, &idx, &caKey, (word32)caKeySz); - if (ret != 0) goto exit; - printf("Successfully decoded CA private key\n\n"); - - /* Open the subject alternative public key file. */ - printf("Loading the subject alternative public key\n"); - ret = readFileIntoBuffer(sapkiFile, sapkiBuf, &sapkiSz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n", sapkiSz, sapkiFile); - - /* Open the issuer's alternative private key file. */ - printf("Loading the alternative private key\n"); - ret = readFileIntoBuffer(altPrivFile, altPrivBuf, &altPrivSz); - if (ret <= 0) goto exit; - printf("Successfully read %d bytes from %s\n", altPrivSz, altPrivFile); - - printf("Decoding the CA alt private key\n"); - wc_falcon_init(&altCaKey); - ret = wc_falcon_set_level(&altCaKey, 1); - if (ret < 0) goto exit; - - idx = 0; - ret = wc_Falcon_PrivateKeyDecode(altPrivBuf, &idx, &altCaKey, - (word32)altPrivSz); - if (ret != 0) goto exit; - printf("Successfully decoded CA alt private key\n"); - - XMEMSET(altSigAlgBuf, 0, altSigAlgSz); - altSigAlgSz = SetAlgoID(CTC_FALCON_LEVEL1, altSigAlgBuf, oidSigType, 0); - if (altSigAlgSz <= 0) goto exit; - printf("Successfully generated alternative signature algorithm;"); - printf(" %d bytes.\n\n", altSigAlgSz); - - /* Create a new certificate. If server cert, use SUBJECT information from - * ca cert for ISSUER information in generated cert. */ -#ifdef GEN_ROOT_CERT - printf("Generate self signed cert\n"); -#else - printf("Generate the server cert\n"); -#endif - wc_InitCert(&newCert); - strncpy(newCert.subject.country, SUBJECT_COUNTRY, CTC_NAME_SIZE); - strncpy(newCert.subject.state, SUBJECT_STATE, CTC_NAME_SIZE); - strncpy(newCert.subject.locality, SUBJECT_LOCALITY, CTC_NAME_SIZE); - strncpy(newCert.subject.org, SUBJECT_ORG, CTC_NAME_SIZE); - strncpy(newCert.subject.unit, SUBJECT_UNIT, CTC_NAME_SIZE); - strncpy(newCert.subject.commonName, SUBJECT_COMMONNAME, CTC_NAME_SIZE); - strncpy(newCert.subject.email, SUBJECT_EMAIL, CTC_NAME_SIZE); - - newCert.sigType = CTC_SHA256wRSA; - -#ifdef GEN_ROOT_CERT - newCert.isCA = 1; -#else - newCert.isCA = 0; - ret = wc_SetIssuerBuffer(&newCert, caCertBuf, caCertSz); - if (ret != 0) goto exit; -#endif - - ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.72", sapkiBuf, sapkiSz); - if (ret < 0) goto exit; - ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.73", altSigAlgBuf, - altSigAlgSz); - if (ret < 0) goto exit; - - /* Generate a cert and then convert into a DecodedCert. */ - XMEMSET(scratchBuf, 0, scratchSz); -#ifdef GEN_ROOT_CERT - ret = wc_MakeSelfCert(&newCert, scratchBuf, scratchSz, &caKey, &rng); - if (ret <= 0) goto exit; - printf("wc_MakeSelfCert for preTBS returned %d\n", ret); -#else - ret = wc_MakeCert(&newCert, scratchBuf, scratchSz, &serverKey, NULL, &rng); - if (ret <= 0) goto exit; - printf("wc_MakeCert for preTBS returned %d\n", ret); - - /* Technically, we don't need to sign because as it stands now, the DER has - * everything we need. However, when we call wc_ParseCert, the lack of a - * signature will be fatal. */ - ret = wc_SignCert(newCert.bodySz, newCert.sigType, scratchBuf, - scratchSz, &caKey, NULL, &rng); - if (ret < 0) goto exit; - printf("wc_SignCert for preTBS returned %d\n", ret); -#endif - scratchSz = ret; - - wc_InitDecodedCert(&preTBS, scratchBuf, scratchSz, 0); - initPreTBS = 1; - ret = wc_ParseCert(&preTBS, CERT_TYPE, NO_VERIFY, NULL); - if (ret < 0) goto exit; - - /* Generate the DER for a pre-TBS. */ - XMEMSET(preTbsBuf, 0, preTbsSz); - ret = wc_GeneratePreTBS(&preTBS, preTbsBuf, preTbsSz); - if (ret < 0) goto exit; - printf("PreTBS is %d bytes.\n", ret); - preTbsSz = ret; - - /* Generate the contents of the altSigVal extension and inject into cert. */ - XMEMSET(altSigValBuf, 0, altSigValSz); - ret = wc_MakeSigWithBitStr(altSigValBuf, altSigValSz, CTC_FALCON_LEVEL1, - preTbsBuf, preTbsSz, FALCON_LEVEL1_TYPE, - &altCaKey, &rng); - if (ret < 0) goto exit; - altSigValSz = ret; - printf("altSigVal is %d bytes.\n", altSigValSz); - - ret = wc_SetCustomExtension(&newCert, 0, "2.5.29.74", - altSigValBuf, altSigValSz); - if (ret < 0) goto exit; - - /* Finally, generate the new certificate. */ - XMEMSET(outBuf, 0, outSz); -#ifdef GEN_ROOT_CERT - ret = wc_MakeSelfCert(&newCert, outBuf, outSz, &caKey, &rng); - if (ret <= 0) goto exit; - printf("wc_MakeSelfCert for preTBS returned %d\n", ret); -#else - ret = wc_MakeCert(&newCert, outBuf, outSz, &serverKey, NULL, &rng); - if (ret < 0) goto exit; - printf("Make Cert returned %d\n", ret); - - ret = wc_SignCert(newCert.bodySz, newCert.sigType, outBuf, outSz, &caKey, - NULL, &rng); - if (ret < 0) goto exit; - printf("Sign Cert returned %d\n", ret); -#endif - outSz = ret; - - printf("Successfully created new certificate\n\n"); - - /* Write the new cert to file in der format. */ - printf("Writing newly generated DER certificate to file \"%s\"\n", - newCertOutput); - file = fopen(newCertOutput, "wb"); - if (!file) { - printf("failed to open file: %s\n", newCertOutput); - goto exit; - } - ret = fwrite(outBuf, 1, outSz, file); - fclose(file); - if (ret <= 0) goto exit; - printf("Successfully output %d bytes\n", ret); - - ret = 0; - printf("SUCCESS!\n"); -exit: - - if (initCaKey) - wc_FreeRsaKey(&caKey); -#ifndef GEN_ROOT_CERT - if (initServerKey) - wc_FreeRsaKey(&serverKey); -#endif - if (initPreTBS) - wc_FreeDecodedCert(&preTBS); - if (initRng) - wc_FreeRng(&rng); - - if (ret != 0) - printf("Failure code was %d\n", ret); - return ret; -} - -int main(int argc, char** argv) -{ - return do_certgen(argc, argv); -} - -#else - -int main(int argc, char** argv) -{ - printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs " - "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\""); - - return 0; -} - -#endif diff --git a/X9.146/gen_rsa_mldsa_dual_keysig_cert.c b/X9.146/gen_rsa_mldsa_dual_keysig_cert.c index f19c591f..26c2a2bf 100644 --- a/X9.146/gen_rsa_mldsa_dual_keysig_cert.c +++ b/X9.146/gen_rsa_mldsa_dual_keysig_cert.c @@ -381,8 +381,8 @@ int main(int argc, char** argv) int main(int argc, char** argv) { - printf("Please compile wolfSSL with --enable-dual-alg-certs --with-liboqs " - "or CFLAGS=\"-DWOLFSSL_DUAL_ALG_CERTS -DHAVE_LIBOQS\""); + printf("Please compile wolfSSL with --enable-dual-alg-certs " + "--enable-dilithium"); return 0; } diff --git a/certs/falcon_level1_ca_key.der b/certs/falcon_level1_ca_key.der deleted file mode 100644 index 9865ad20dc0bfd06b3aab5fcf2b959e3f72ebc0c..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 2202 zcmWNNX;c&E0*1dNGsz@@%#eiy2qb_NR4BnytEdpdVvDwjo?2|H$Zf?|y#-tfE-YC9 z@wO^$sdcMpZ^7lZTH0HyAR#QR=mi?YR-kGUAS41Nfdn%!L+1M9{qdahob#OXDzwN+ zIt?gTOn6Bz%3wlTr0T`A?+|^!17Ja23e|HDT0d`(FGEeuIM5^V4%A!;3Y9=XLz3q4 za24w4gq9{CFL!tpm2Qh}GF(GAd@Q4$+ee?|RYAFBcyh_3fJ9FU4bO!MUx#0=io{A; zMjs|q31x(ULgeK>fx$<#smSmYX)*=TlMs}F<dPZaU5{LwHW7+mW)|P&OKu1i}pBwlb&h4p6sX@)C*C=SM5!n$)be)F^Wb z+D8{_l5n2EYc6%ymB=^f{pbdw<%qaOgXOm2*j+i+I=P|5FZT}Ds0wM+i0gcm=?)UH znpDk$T!tNM7EC313p+7cirA-jmNiQYN}y!=L~lFlN)sE7crx2rF1iGxP@`@VB_M^) z6K8mVLM3IZfxSHkDQCrGIE`!Wl;%`PWGzU(f$Jokj-*KHE@kq$K#JGMAYX39RcRiX zX2PVSe!PhnB$F7x6^DgNHOMC@OA=X7LDG(3XgV=fO3IZiL%B3S@AlE4!jcyzWvsAW zP(naUn9{KGDb5#nl~+L9z!=i(PGhw*Ry>6AfF2Fyt?n%GAPbCk%oHIz~7 ztVyGe`D`^^lZ6#HswZla5Oo@osf6S!C*_(D>X6N37)9q1Kp_gvM1haEt^ta65D#%p zWvnSBsZiT9br7$G)d#SDKvETr(RNtKH%R5leu~4C>yRDjNK7M)LqI_yx2|Lo9I&gH zko<-)j`X@z9xTn-R%Vy!P>aE9nFm>`S-na`Udn9*)bT`@l47)~khtfpRscmLiJiB( z*Qil6)gy;NZmJa3<6#=)^A1R{N^nt&D9b~7!LreAHfkJ(ot+r<-sf`mlGwp+g^k;z{AYf04S51!gxqJZ+ zJaY@+Ir_9|3Ubf!q}CC?XP#lf*!O-Q!9g(@p>ZbQMF2eEbs`Lr$M;`OJYNpQyIn)v z@qQO87LV|Dg~vP}B^A`jNUV^uJHm#Y98_W-_i;EAHvd4Gd>|^2GZM)cum+}{0KmgY z+mLLD=kW%BO~=q!HdX*8i~MWeJTcy57e{xGSpx+w&hz_oFLJ>$f-ebeg_inD{|I6G zIP4URkBZ;Li80S20-cJ0QKXOH{}m)*4lqVU;Vf?$Vxv7lMi3q^3_>W;J z?Ew!UT0C?7RY8Q=LRk4rL+HVxu=$8}7B&&;cm-LxB*bq9ctRNd@KaY?Fe(^(>{QOi z2v&KmOa0^A|Fgx3hC*?ni|Y``?l2dNBPPqIfrD0AD7Y=o)I2YsV(q?Ol-QtI zQ(fzdZpNPEd~y5QhwqHE3B$pjmQSf9W5rL$tl#cU-?(x}z4L?UBjZ;VF)mxzFHbmI ztI7WWF6`{SvPTdZ&gCE)JE66MWJe~xTwZ7D+%qUvXN zC;Zkw_EuBS7O-GWcj@5A)q@}N*S@(dVZ~1!s~h0a&5ByNUr&UE%aLe`oDaygzodWG zRR5~fop0GQlX{wVwX$K={=9wLs`+alCTHitqkC7KX#CY`s+nglOx*7R>)@NqYSqZE z6X{xHHto+7!|*j?-^CHz&-(p#O@Dnw4E)}e22pY7iRA@daeG2Pm9I{1NsQTYsc?sJ zLu{1!GXL-ToMkH{Z@ig4-}Xu3hq`Rh<$I^@H=peSNd4#dsYKbqwGZGgJ^kORA1xFO z9@;=AUnt1sWF)>9q)Yg$Yv|;U$#+YZ=~SmrUZ~r*?=;9L$~-x>8_mL&H5Ko8IbwTo zgtVt|-O1C!A5MK8U-q`Sa8YDFoDtB~?|TiCJ+xmB2~p=nmhx}ER%EH~`3Q*0=Jp2e z^!;ESomR1p!Jp8JclQ5%V-u=d{^&sElM-$JH^Z;cJ6}Sx4_(~a9bMY_UBWBL(O+HK zzxrN&1@F^bUmK67NX)G@UVb;fqhTOz<3R!U-;1+%mUQkrJ9bogoEzQ!$NCs% zv{ecuwbjScG(Z+TRMEVVb3W$xxRKeO-LHRi@AA5d;;)K!?ijH#wvScsFJ^vOdF#l= V0&D5gx#B5#Xm4@Wm}RUk^Z)g2{rUg^ diff --git a/certs/falcon_level1_ca_pubkey.der b/certs/falcon_level1_ca_pubkey.der deleted file mode 100644 index c184e48b2d9afbd00a35a19bdf153b850e02d158..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 915 zcmV;E18n>-f&-5*2L=Tz&JP0y1A+sB012NeQjpmP*r_0M zJsD*~?&Y?WhDI!>f*W1=O7%{=A3|i&9p1fnIZ5|ffdeSIU3jW3FCh{2Kqpw|oS9Bn z^C`YKL2#h;0)kqIP-b}PaDasdmn}~)g9^h#MrG25&ItQZ>V0?|2=ymyUrDis1I3|^F@Nc07ZKg1yx(92oc0HznMu?Q~D7z5eUXr}7 zXIbOH6d?d{y^H@o(1fy$<)U&$QaajzX=5md>ZvIMsO3*LIh&M$Zes;-#LTI26EWJJ zP_f~&5t^akULiE{RSpIbnpO61-LbofC#tiMS=+VMAeVt1+M#Zq2uSX zzI5n;)1`zg1zV}66?YwvH*d%X3$YBC*Y_O+ofJLI2cS#Mg75b zJ!gYg6{yOX(z~0;00^a#_?SH(c}mm;ll0S~fZQe(*?Lj@K%j463Q0X%8G|{D$l8{$ zK*@YHgF%^=pr3PdnE*+4PL}a&4^R*_x_4$SB4ipO9L=#ymYEc-n3pkrR^V_cBW?vr z5y;d2M-U&^=&u_afLEPHK?%?rbpm&3)7!RH4}&+{ zc!l14g43PiGy=pW4_A7jUCbzb#H2YiKq!@`bUey#gbv);ak{bvretWf1qx*(70nM! z9wmDr(<~h6EigNgRT+RN}aLSHjm0Wt_*x z7+;!Xo*A&6epKn)wocuWMoE0Rc8|7l?gKh4Dw-IYoZvy1(2hbF;J=Xf63i0Arr1PM zc@qnxDpzTI#B-bGi9e1DD9q1KECwj$8~_-Uh>b*n03RsYgu7A-o-D>M^bG|>{uP;&oR}w%VlI%qa ze}zC^L8O06`A|Z;!c4jBi&_zsX$9yDQum$ZdMXN*@qQD{{vq+3diEyObzPOVc z)M~2`(=#D-u*eL6WRt`RqU@doETw}EG!l#3?R*j5t%e2hNc|IBBclscW~tJJujYWI z>~0mdXB~dG1GN<5rg%64M2{4kgW}Kz0IDtm5P~zal@2r`ZQ#fkCFZDDvdWE#Fjz_; ze$fW+mH^@o6i?(vt`fGz6H^j26$w2+kzFdo@fIusLf#bl4K@?`L_brkxm*eJ<@#0_ z(I|A09gwyVHLHLK8CTwk47M9GJ6&x`_W4+TFTl3AdEz!$CIfOGvyJVDu{cm8hbxL~ za)nKkuh$eh|ItMrC=NwbxEUnp#^M7+fdFKJVyvFT$!s6VTJMy{!hDpDD4Ad)IY(l% zpe{U`3CM)?@dgn{1Ob?-#8?Vln}jHe3-Po^bU${cC}BWtPnDo1CDfMaH|PlkBz8$G za@WP&UFsT?V?L|#NhJovnp4Q=bp@@hk>+UuSZe@gr>#e(%Xy6Swqg-7BI|@R^$)1K zm?#sYW+EH!K(zobs0ro; zYQ(XsjlT9ZO z&2bG2hqGitvkQy(9%h1w1+W7WOi*OAfNXO!%p{oxmF(*!rdIX)`=46^z*lI>JID>i zBYdSHtAnNykBC}PycHUh^B5AEh2%0pxH*>HTZF!9>8@(x<0L%}!hnd!c%*bv^i-y z8~-EF)Q<%9kCA4q<3?}HsIyxk28H)&137>x(OV4+W1y~&;6MHcZ6eAx7Q!*v3_*2E zKoW0g{zo2(vz)R5nS~*2JI$(hxP`-?-Dc+M0JqcC?HJFu3!MHB&0&UPVKKTaIo8K=1oF2m@i?BrRLtuWKM&H4J z7h;%(9AOTC&-^q2t_bHW0_HK$1sY+%lxIA|29D5xA*!2aZx5XOTvHx}0Z%=~nLdZp zVIE2)gu=mHFqds5kE%`XMHV99GoLa2k`_!y>?=Oe3|wI0A`3}_29Orc=8lmq4yP{x zwD!=QdLa}%#|i#*e`M6xH_<*uA0^p%vjB${q>?yqcy5$!ex8gaL5q}}FdV)QxaKK% z;anHgK#9@7)Ak^*Z{8`BxROfuMQv&i&$ycR~ z33=_|(bb*wLq=lU+;*PmWdU5&eeEu9UfJ<3$<`(0^NC&;kL*aPj;?;1Q&&^W>7(T} zFN---JLmVy*9lVEkgK>kE3i6yleRDC>XoP&Cy1 zwH>GS#a}zy9_-g&>8#B=Fn%eb>15c1(Uhmo_P5lmc=#bEJ>m7G`_|#nL z>dRLR8?ts)r=6tM01toID2^j;onIOf_R2gn@Cn+~cfr;|b@IHVSA5%cZK_+o@tpMA z%I6JW8RDRdLD zS+*c0KjZYH{!^KR+y2veS2F_ceDkbiIV)*t*&)l}WKn5t4r>zdz6xh2EJ<@zG#|IC zCf)l(tFjsXGty^A!}Gn^SImb}2lqNij-=cgO44lDSFiE$ZKi$)?~{lb%m@Wql74Sx zq&W4*YdZupnIg3EK-JgIo1!m49Z0)%J{4oS+{ZDmfN(AN3C( zpE(A;`A=zJ(t0C&f%Wg_Keg|WzN&}L7efWVjBP?X^e#(U(vvfnGM(x6Yq0-v=-ru&Q9L`&Eu9vyf zw+4KerhdEg!0ujYC6s(MIW~Hme(Oa>L!rWW`1vi}k)_Mt`b3?*9gmkgGbS)KbM}Mf zt4w=_$G$p!v}>9INRkE()Z%c7E{*LNmO#e@{? zpxy@SGM0OPd+;Y~aZAeduV=SxS$xNkF6qtN_-f&-5*2L=Tz&JP0y1A+sB00|EYSj2S|Oi96w5ob>tb%=mDRp%!h!YewW z#SCli1VSak96!x@2!79=t{f(be8)jlG6#@I2A6JGPog@a$Z)EoffU#abGi>M;E znx6t;3%a04o(D!uJY3<0@<{5;uyTT=6&s>wP2t#ZoSQNF56k#vFbBxCL&Jz6kCPhbZdq?{maw8S$exwb?sXMbenE^5f=w77>@>jnW9jnw;!OU|gbA zhYF(rwS`MSLIhMPh9fA>@cQ2615MbK^S%oB90p;V7QkFhsx?cEVQrSmumOn=_6bH1 z7@FP!Q38yFJE-P~h@t2)OeRdxXdBeQ2?*F`ccIthO6uR*bwb;?q;NDUPjy;~w%Uka z0<0PNbDUZlt!c@GH4;iQiEHs}Oh1OGa1!kR4V(yPMKV?PkG*{K!R`HJB%o&w8Tw(# zb}MxT6PxgBQQu?s1@=mEqX|kK2o~$$5f;4)bO>ZYKn@Tug7<`0u{bb5QBxXU!L_Gd zi;8ohqQmtF{&V<6^MJ_vgY?bV}JI)*sxjweZQigm@mZ_Zchc`gj4;rG^_yNA3uf z5|hf3!dYR?uLFy9BB+8@OpdCM8^>ONU{RDbp~q4SMDq0O0Rj&KLu3vGhd}8$B)thi zFP58IWNLsv7BSL;-l4zPQI?rh4Y=x#GK)Dba^tVI8g_*&}x#1I{`H97BMI4GB4yOnX)s9m7Z45N_5EZ^*bYeSqiKHs#-M-ZEBM8fxb`qos3da pF0JfVLD6$d$}T)e0gw*qa%Ol7YmZWZl+9D<37#$d0g3OH#g zvRIgJMgZVPXW3FqT@%PVQxc`GpZ>W~(cTCyR~4$Wg2tQub54NyjY1d53^Um%o|7Jh z3Pq=df;SfhIxgnF5kqDPsF!VsLfD9O+4Lki0b0H>P?~_lPJecmm+)LD@zeoU1b&v#wZ0?#3aHrK#^8JnG$a$NP=*p z`K$VRH8xU(YcfV6kpSPwjOfI=NC+yxxi?dj^P;nHvoNCdc!zOMZ-^)@$&ZiZn3+q- z*hny(nvJMlai)2Yk!9o(Ui!k>cjwU^SQu)OR3Bp6%6GlnnL3ctU?1QA&tJr6Ag{%CAr)i)H5w zQAn^Z9EB3k3m_nz#?>FMwwTn>*MIU-@A0liU|r~2lGa#+>Yfq4N2D<>sNv(>3)Rc4h%0~i{m%7I(NZ~}v`z>Mfu zz{S0Ki}$4|#Asg-2d(oXJLrTQYyu@hqGc)84rd~uxeVG3y@0v9ZL>SbD1rsTOK>u2 za&lE`j+E>{o~|$6rF;%xM$LjvC3#GqFOS9G5AnsOH$%mUG886X2YGBG1`^_$NHL!+}IoE~)*#lU%sR477z=lr073u$kn^2kEx04}7rXFQLf zB``y}vR-&b!_cTs5Wz+1u}An)f*B^*gIvGtG9X9Eb?}(4=7zrk)(f0WZ#R)o!050N z2L!MxH9@b!gx8cgRUlTsG?M&E-wX*O;HNAsfP_Z@yTLk53J)lpo;MpJft&_J*FhL^ ziZK)N^mWyR2}rg{xSP51V`eharb>@g#hCTG;N!|HXXGi`I6{ndD!!@5h_TM9W)!U+ zYBI~N_x+SesP~GvfkX8c4p}tF@DLmYXOHk()GsKf8ll2Yl@q*laj`@X_-8c(ICJ4& z;`}PCh*>v82J}%k1R`aO85;6<>|3%2Fd?)u<*Eq&pq@*?{f8qeEC5fi01FUeBW7W|M1w2^5DikSS{>^W;$%7A#6HJIc6lz7~l!;L_*c9ZY zn!8gsUxp2bLOF0VK4d5z$I!qkj$fozj!5Ea20>$C zQoe@LF)H#xNW$c?plhmEX#&o8gjv90Hi!Y-fA(BJAN+#5vnxdPLnQN=BD)S2Mx5FS zDHX_bRgAdMw&yp^fb(Y> z(Tr!Xy;RB;lC=A?7KJDju0uE(LewCN`4HxyZX^ba!8`Ua{4_3eJqumQ<*(pFMFeYAVz7HDa-MAOs;n%szEVHIGnQbDlm^Ci=aU!VY4 zKS6J{RQS$}I?>zx#SUr%-ixlV`d2BXEgshZ2DWBg8Z@h8Fl}QQ*jZ2`Y9ab_Fh+lM zn5`9>`N`g__at^IK_7E3f`jJ40h`IudEgz#Lf_$Sg2d>MZXnQ>hVnDm%hZUbSB68; z(K=NxU}u`MVNVV%W(~YvB9)Ju2TdlHW@3P7A{(T1yt`C8*(D)$xXv4_VI@NajGzfk z!wj6PohkKJn8!!xMyolai+Gx-G)yHbND`$exK#)HhEK{xgn=3S{7frYXTN?P98!`1 zA0)61;|UHg_Rx&|OIG_TI?c9fJNSt=#&g!+Mu+rB*a|QJ)1@KKkzpBPYoyrsvwLfO zV9o5b`}AiiurS=Dk&Ss^s8ddI_P}S%u#9Mi+W@hf58Tg@6ESucSRegFFNmjOTxU>9 zv&oHPEhbC_LugM&)LVzuk&+49Wjc3_(UUAUh-oAa+Iq|ii`E;>?{U$(IU?G9kYqJA zhwjBmN$4-;aj@3Q4m&jmbZT)VkWM7oQZc%Z8m!cU0;t`(fe8&k!=7Kz=rgAq)!Pls zC`kQ8km|t}Irghu7;bYI;LG^DK|9oG&$7iM$}xhLIXo~sqJW_eFFM}ZqfI?K%2sQ2 z-fA@@2lW9AvC?c$Le0|6CPVG*%+X4-Pd-o$2_@!beupwC#$>P^!lTCFW+ zY>bJ93>rm8pF^K&Mh%Y*V7|^kBanIizwOU(AO(7whVEm|(Y{a#_KY@1od)kMpFOU# zWMCu#RJ*Am8^>XhCnd_pMDM_Z)OJ`~n z47MJkjyCScQrQ@g+7eVhga>Zx$wqCK`gt8A>F~cptipkh0?35>UJG_ zTH8sxmD}ZATfJx_$7;bt`XN_EuxlP`ks-0*LgIQm)SY#AGeWlYNEitYoQki}2cx$u zwlHoSTHHh6k;~fR#lH{&8=~W*2W_c&myf2re)O#9NzoLT=RA@5ujtnchZ%(UBe-;l>!V4Z zy+52?d@uW+=+38u8<$veJ>Kp4CHBkc!Uc)dqx-3riCsOFLwE2ePnPuKj$5~Vcj;}? zfsmiN9Y{_3qo-v|HKd!artVcP%di_7WY#-fa<9g1?st@6{Jn|M0BnynKUlMWE1T zWb)PWAHRF`>lB|}aql+k&=odF*|A4Ral3qK(y_p0ovXdI{w+nQ9jiT6Qgyp_tjB-F z{PXDMlKhy^AGi2CQsQ{Pio285D+4x|FHoo6>j1&)nnsd35qxsA_(;wHQ+`!H-VI%X zP=E4J+8Qy(T6Yx}RFsu9Vq)z_{kQh^5}0FQg6B{g`!Up7wZ?oQNbFU;*(c{%QLg$U z;J>tZVyS&>&4;z5&b}Uc+^vzZmgww${+PdeX;A--+OYE<{#Wx|CK8RsSj~6(pr7QP z2zu-77oFt$d;0JhyGz?2j_0-Toi7AG$ybJ;2Lj1?ge~VXq{iQ9Dmh) zV@aI!pSXJhbF%bNa{htb(@VBhbC#VieeF8fT)Mq0$L1;L&aO_+fIa(OHOg#Hif_kz zDTbGd#ZIe27E?hkQ^xdM&g@%g>L+1iQzhG~#TY1>py6u|J zN#UM8|2x?JiRsSwvR7^OpyWFdb~2$tzE*-syhyQPY{c{ZtFYZ+_`*=_u&Xw@(Fv zI1I0*CS4{%(hqpe3?9}UzxnvJ*R_{W`d=d!mM0z#m#=KOJa_5!bBlX^O94)-YifRS zURy$`!>X%+dt&YeoO}8kdwl5`D`n^sa&z#Ov*FYQYkYyAi>s`VEu1r-%*D4*M=7NvrA0Aq z^`{CBoe5kv|GyQNIHPfCCA?eBij;<}B~IV`QC8c(129NVe`3*EROwy2!w=jxB~;g~bIQBod4Lf&SIJ!~<6HUexBFwqn{`9%;rr*@izx^H zzBgQQb^2laK!y0wNlO3YZAaYW-0!?y>zh|^w<*T++`zNiUV3~XGxAUA#*FvzmHUF$ fUTQCxb(em!_gdM@P`}~bTx}Wr_K%Q+(S`p9=3B04 diff --git a/certs/falcon_level5_ca_pubkey.der b/certs/falcon_level5_ca_pubkey.der deleted file mode 100644 index 1301e5b857be0c5d4f8da8f2058d9bafb8dfc34f..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1811 zcmV+u2kiJTf(H*U2L=Tz&JP0#1A+$v0176Ex{~G2K83|-YNC&oec2^LAZ6IQCh9>| z&oNsCQm2Z={$A?15%vSG1`)uE#Vc5vasq?Y*)>$*mg>yF*-FsKcFx*+DM>?HtZtG| zLYH@x(HMc<xckXXIc5js58sqUWiYF z&khohNt61&P(Oi`#Rx0})-?s$lM)0yENYP&Dcsd_;z(z*mB%CQ3810_3aA7l0a(r7 zJQcC9yJ32`y3iA)fzc|uu`*C04lJ}4Yb5SDB!V6?`Cf*VUQQYTs7$GKJ6F`<7hN17 zs@y_qLRjup7olr49TXVl4`XihoFjC^uyG+ub+*NXWFb>pQQ3FBy!{j1jpR@@wVTW0 zZKk3mVC;f%C}y(f|+q+#EC&kZ5IbxZUuDV zB(>`+W^a)*t9z^8sMTsvH4S_x%w={&*W@iMUa{n85)EF_)UMvB28oG~+68?S$x@ig zUuiq-vr`b`%5cSL+r=n6D=`e=!2Z`Ns3E6DekOB=+i4@880GiF;;EaU}P{9 zRB9tytg^7oO{Np2dy+oWcm!cOpa5nG9X-rch^`2ikcg|jhOuwCjFjw8??yC;7US#0 zI&f0NdF_K0s;j0RYnmVk5nE-55ha<6>m7z8Oe7l=_{tH8^yRvXkg%q@<(vcL-QUI@2wk8Xcy{e`gF1|J_2Q zFeKT%y+CX$o7v(|JNEO*s{li&*&<;gRrWdH4`4n6=7(Gt zGs{dtE5%!uHvx{Uw8r$(U-$@|Oebn9RvczmK&=P8HhO%?SQl(i4KF=;V5&^ z@)eMW~P&K9(9YdPy$%cLL=*$Qd;z z7AGpf6*@aXWOZ?#H6y&~7Izz`J($n}DwY_VJ>akasYf@l&8|1V)09_%zYlQ@k;;O39i)v$~LH2JEQ zTEMa6V+Z+Ys$dbK-}RBH$JSs+v@3<9lCtN`90Eb6Bxb3wjOIh961}65?AaS7s$0m5 zFy9ZqCm6j1h0xC)#g==6t^*K}k%Yq8-Br9cs&oMlYfZR>gjNH9va)pO-~V)JDfQiL z_kE(a#wne{4|J#F3k`m>;-g2!nfjQ z=QfTG?>sdO!Z}otJ`yZSE&w=|NU(K$tpRLiM0LKD>z5@%1|^5#upuKb7Nc1W@i=Q< zm~CzP53=(b!(SaCD1&K%T$#loj@AB;r2%mfljD<&L&?31hHH*AH~XYUm?7j=Y>A&av3yp#}l$zU}ogx~Vhcuv{Zq!T_`iGtu+4woSLlsyYt2If$hH^0($OWTI zb-f3|R2o5Ata<}&j)0#W9Cw-{?4#9&69n(3He&qXXkLs<0h6g3ZLcL!U9r1NAA*`F zX%|-du6#@AgAOie8k<|kOx_^ktdb^=5o)cg;*gy4v|8J$;A@Ey+O}72CRQe>%1bVS zy&6$ND3aT`y4V$3hZsPf=1_IbTCQg}OPI@s_9o`l8!1QF7xBk{qDc)o%9}e~m^xIn%v+aAph(EI8a^Qi$W|Ibtt ztc*X7b&?mgKCK#Oh8fv@x}TSOwGp*jbvr5^dFrPfTkD) z?_1)TZO^U^CGnlf>qJG$XKC5ddPu6e!VeltNz+!!kaA}NDpK?Jr` zw^~`AV@i2QDne_JK?M@fndFEOfK!Y0tBh*FgwK~;IUGDEx06316%qsh?UaLV zqT*(E3$UheE1v0>{foYaKV^?+y9s@|=1V9QoJC`#YB*i42b^#*kcv&2BgJf!%9GJJ z87YW@j21*3na1`0&At-&7pS_^Afs1#sJCG-n8fW%TY~}Oii+d_oG2$n_f`pn_8#O= zeQe925mkpaUks2ovqjQmp35uGkCG ziI0h-qG@`qMJfoTx1a5h06bDGe{nbxgQpJ*LA+W9U!3{Mnjy z^3c@;Q73S?o?4_oW~a-7eI)<=AT@R`t~%U6%|a@r35!8kpwEP=Jd=g&Dd0f2Q;kQi z*kcu*=O;BH@fj*Vus|roF+iXTz~XWKaR3&`mVMcq&KA#2Q2?-iK`NU#md!=~Cjo3R zpN6T+{4x(iC%W(pWJEslQvr@?C$=41F>YJJo%P5 z#UpXiG69^adl#B(R4o#p$^s5yND*pAOKEd~q!?G4LyekzhZas+%T*Ks zLZZ(BXsY+hCTTZ9hY(91S*oGfa)vE2f*Foa^ui-Xaxb6hp|wH3*;rdJCv{y|Yb!`J zSWj!U0PH{|*_se#Z1VwyS@)0%g%LhTA3*E6W?D`*)4L7tbYC5vb>=+M_#i-XWjf6v zQ=ws$uS3*2%J3@UNdNcow)f3L4Fcxa$5Ck?!;j$YGd%{e2J~*-EK759L`ITZXtg?P zH-`6>RBs%q) zS@rd5jkQcVy{%W<*#W>FdV?G!%%3r0PafsAlo(4wCxayVQRx4v2<@U>DIvL1j~{^;e%92 zA4r}4Y^`c!_78SUxA(A#6uJF`9-h!5&*`9nXcPeWm`pbSj!hC;L5KEXCTFng^LV4d zq_L(C(pd18V3-AhIpIc6E#K0N*7R0sG0o+7I`Jd}psh7J446|!fAow(HeUccp3z>z zpLT4J@oZF7oJCmimnGi_QOgRc#)KD)bqxSTgD~D-T z3;{vVt+0RBeRp-=h1rcoEk=AjLrN$em<9Z1#ptFx?&NQ?Fy_PO>tcmDYTRTue zRDb6PB)FM|(%r68+jO!9Xj;u@jrtwkyvHqa^4TN{ayJ3#GR0Vzw2P@xFf3%Iq=5lY zOSPh_MyAc%d!<^ejy%rsfB>E=wVjJwjrEM%Q^}-}#nO%uAEU%}YLwVLjaY$J2u_)x zP=YkJG|Z0$epxd59i_?)4pSteyUdJLu4PPFSc7J7O)!+E6)a#d3CwB788#%+EUdk@ zV+LYAL6{!W`i!~3P2;)_e)l^v%P6O}>wB!fqJ)--F@~A#^jKr5WjCM#M@(z2#vyoE z-AKd$$dqK_XTo4L<2KIth^c-Mu;N>f*N#8djN+_GgSHc$toTl+)jtaYRxdUw#WXJP_%;C*sPZ zt^4y#WeJxk?(p2q_1VGud6PCDTB85m{0e{h?`hV#eF-^K;LVBVrqTxi{rt#{qMXAO zA)1zmrhSreq=5S@i`*Rv$w4z=C%@|W0_}%ulD-5>m)xi z>dhavi1JogU0CvHH0jspN9txDfzK?uMw7qnXSVYFn2?^9;*P10{WoF|=b zHEj}j_D_lwFc%Ys*K+WgA*%*W8zh4Sd{tF7wJP!Eo8 z+ls%QAwT%$@;~<+b8_O9HHHT;E?t|PSoQeB{1EbbvrX3@Z|N#*S#Y|kX#b*OpU7D9e2uv?^%p2i zWVx}Y^UATYt6R^TnelXtdY8Zbng_q{yAzjrXU15$M?lWYpd7=7$KC|y`JSqx?vUALkm z&&%%2kiE@s)F&>z9UqgpWsMJT5jg z=wCUu5fu_Z*`RR?JLRl&>-*_^l-G@sC(kQ?-8AF?f!u$Wg#CH{ zUSc_s3F;UmuMp0CHQqUX6M&Xk@iUSFgf zlkIv>%Aw8qz4_dOmU_{_g3V7lOv4f=wnd&;_UDi0*B@CGMoXUtm&R)-f4E$lduchy zS$pO!FJWWY{xfT?L7ny&&OHZAOwTS~nK}RUMX26wD7=wY{b1cP-+;uN`K~b$f%Lqv zIj#R@_^KY?-+-KMsTuC?W zPHwgTyUyKmm%FzjHeC7@3O54>uI<`_-S2A*KFGOyx>bD%ZTmSYW;^&a-{qr7w4f_> zL)G=eYxmX6oXA$sw7!1h9jmrv!81`!#EG3l-!rZ>zqk83oP4~>+AjRX8K-SKPMQYq z{k_P>m3KX&BV*O0sN1DW=sip~qsi=;x)k{6N-?6@dD=Z${QlN+uSW}xsGjcY^0q(m z>Ch9n-VV$O_3AlvG5(`N$X{70$1cFH)*d8XBbC4M{!&aZ69D)mC$$9#TU@@bm& zsSN%MQoDTIT9lSCQ@b+W((y&|DH`BsCEV)#xF$VZ*xvF!HiZM1677@I}T`Vt0ENJ}HrxonP zR^94*iu{D%Q5WuRn>z1}>UG_(f1Ge~h_gD#ySVe*+K)c_o9zmYy$jB{laPMr>inn; z3xB(@{^o<-C%#?}HdzqVeDrI(Ps=Y!t3DrEBEBnfA^)>o{yp~4vCU!TeIHiuDm`v; gOEIsZ;(6xQPkZj|xpPlCYgzBM5Hi-(wr1=90W6`easU7T diff --git a/certs/falcon_level5_server_key.pem b/certs/falcon_level5_server_key.pem deleted file mode 100644 index 0b8e0069..00000000 --- a/certs/falcon_level5_server_key.pem +++ /dev/null @@ -1,88 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIQFgIBADAHBgUrzg8DCQSCEAYEghACWukB8PhBFzu/cALwwc6H5C8IDwRfGMXR -A+QWyA+H/hCF3vg//j3fAB0AjeGEIhCEQfg9+DwfDEEWP8wMBfC8H/P//4Ife+Io -ghEQvjCB8ns790f+YCAAAh+MINCCEBAjFzvvB+AYf/CXw/+773gd+DpOh9/3ShAI -Ad990PAiGDwf6B8QO7CD4QBDvwy/6Ho/98AIQ6GHPQA4Eggh17QegJ4Hw9J73wkA -AP/CAUXe6KHwAf6DAviGHvPg8UPDf+TofACAQvc4H/f770AhCAIPfCBvofh78PQf -8H3ug4NIP/H8IAEJ8Av/50AwhCIXyE8EHygGU4ee6LZ+hF/4B9/voB9D8nt+9sHh -D74oAhCH5OdF3wueGDvRf4DIe/AD/xh8URBh1voyi1sIyY/4P/j6Pww+AIXwcKMH -BmD7vwHALwOi8L3/dB8XwD+MHg96YP+/6MfgC/0PPdF0QgBGUgACH/5fCB349770 -5C+z7vChGUHvZEEYgAB7oh7+L/BgCLneAB7X/FEH3PgAcG/+38ZM98EZfCJ8GwkL -sASeEMQP6+QPQd50JfACAJQ8+En+9CD5O8+L4ghKMYveH/nfgAIgAA2UI/f5v6fj -2QBOkF7/gj6EY/jEH/wi/4QtgDvgNdALvxg58gTDCH/i+AAn/8AAfPD8EQ+hFwXB -k1//Bg+PWgf+EgP/D/3/+D/YPdAIYwfD3vvhDsIv9GLwCAF0Hed+TvAAwL+/eEH/ -A+IEX+bCIIAiLwZP+GHZfe7v3fZ7sHsBEPoSmEHYwb9cAuD8H3yeD/oQD6IQvl4I -RBhR8QPEB8oA757/P/CAAQ/D7PwdH4AxbUP4PAAP5O+/wPf/+LvvEAL3wC+Afj++ -X3dfJzpQk8AYeC/4QgfKL4gd94I/CP7wAhIEftfAAIP/3wYQ98bwCgF4Gg+H4GQh -EAPwB6IQhe//ovBJ4gRC9gYwfOHuv98D3//AAfRF/7/vjCX5PfEDwg9+Pv+E6IgC -+OAAPiB/4gf+L4AB8Q3CBD0HQc////gCDwehAMAh/CDvv/6D4gd98X+m/4vfgFrg -w9HwHPg6MAAi10hP+6YfwAAEXBeH33geKboweGAIP+B4JOjQDwQfCEXQfBwhAdDw -ANbAHvPA/7wPkAEfwA4AJfC4EAPh4H+wdEDnvhDsIPCGH4Rh8Qgfg+QPAgEDohe+ -TwveF8hD+70nui//guhITgO69wAeA+T/fgAAfvd8D3Q/2AGhbB/4w/CAOvA8EAfa -/75eA/rgSD/rwiCBwRvk7wgOg4EIfCD0fCEDwWvDAEnQCF8IdB2AXx/ED3QdCAPj -g8X4BEz3g/c8PhQBGIPQi4HvwgEU3egME3wCAQf/BB/wh9+H/Q7IEnwBB3/cl93Q -AB4EYR88UQ9g/3/tgAH/w+EImya6L4hb0IXwhCEIOf17fv70IXweEEwCh94Ahc4M -nviKIfeDCDvQ+D34fGFz/++F0QyDD8HfcDwBCCD4ggfCMHiAF/wAd+MnxC+LwC9J -/4w+3/4Pb4HvPgGPgOH/8AAg90Hwb/8fjgAIIOFFz3N/F8Aye+QACD+PfBcD8oQd -EE3QABzwO9H8nx+8L/veEDfPB/4Pyh98ABgJ3vBl8EfzHKIX/A+D4RC8QXw/ETYf -+ELoAg+QWvA6LYwEB8IeBB0QvCAIgvfGT4v+7znAlIMAffAPnhAKDXvbKQff8B3f -dC+b3ic2BIvd9BAF1Ac3+hri7wsgDwQOMQAN78fo19/jDw4HDxMeBt/1CxwY7RPw -Agr///nmCO7+BuYfFS/2GxDTGxoSFfr34PDa2gED+xr99vYACCMMBBwFA+EXEerk -CuPs7xAIDx8BDuoQzeAmE/rYDuP7xvfSJSj3ER4E8+sABCsVJzEGDAftEB/3D/T3 -C+1JA+7p1PPbx9js0SAV8srx3+cUPgI6O/3yBxbq+C3jFhMREQ/hBOIS9vb3Gi0U -Bd0MEuT2wQsHNA3+Jzzt/OviHT471PYx+uYT8PMHBwgO3+XkBPDo3uoYDtIJICgE -BP7W9hwCACvk+gQ7D+8hHfYPEg/b/gTs9eXp+ewlDhjmEfzm2/n89BcLCPHnzCES -HAYdIuQX+vD1AwMn5goZ5+b2/sgVDg7b5vbe3QAIL/j74gECNSTuIgbr5SDjtRf/ -EAMq0PQ4DQDvCwcICc68+xg28Qv28tv+FvIFP/noCfkcDQwUFiXrA98L/+LbBQ0O -/yTW7vbw8BT/HBYdFBcBBA3jDD0jGfYA+AgX5yLP8fr73eHt1xLiExBCMNfu6O3Q -Jz/pDuAh5v8xGBUj2SIMFjAQG+kGLQcB5A/Y6N0BBwnv7P/bNxfdC+777uz9IkoK -5vv9HCXnCfwcOugMwu8N+QYh1g323AcEFAkbH+4TLtsF4/UIEPkWExQLHwEMB/hC -DP3MGu/WFenr3f3c5RcDC+Ii+fgI+fYPtw4B+wP+IAD/8uH36gHy+gLaASPc7RUY -6+DM89b7BdbE5wf1Eh5A8PASD/An//4w9h8TCg3XxegS/R0f3ice0OoBHBoQ7QAR -C/HV5fEHG88AIR7+IvUf/SXR4R4b7wwe5OLlDtrxFSsKLvn1Ffv2GxwGDP/++O73 -IyYHAQT1/CUg2fQH5vDhDOXmEejtDRkUIAIg4+QSCOQZAvXaDPcn3BkHAhsI7trz -ARb0/9EM8/jQDUHe5wMRFfvaAOYTKTEaAxDy29wAvwP01Bgg0P8K9Qvj3Pf0G94W -6g329cz19MYOEeUtWfq2+hYHLgUBDuHk8uDf4BX15BQS4QkE6uoB9gwZDu/u/RHc -5t/28M0G8xgvBwAeKwzcHf8Z8uXzIgwGBO48393uO/7QHPzxA+P9DxkBGQ//C/kL -C0P1HA3wPhYBz0Dx1BAM4fsj/AQDLuEKFr72FPwSGgEKxQXwEA32IDYUFQIV/SUk -GwQEKvDcyN0kDxH5Av3s9jvyLQjX8/fdH+PGBhb+4g7c+OUa0hAC2fnyFAoc/fLW -tBPjAO8B7gnIGfMHCO301gPwAAcJBAU+BRQW2P8bKP/uCfjrABkfGvPI87L18f8W -+vv23hAs5PXL/+z4Be0Qxu3/+CwE++br9AqsteRmSWHaGDmIWdJTbmUUS/RrZO20 -Vp9TgeInienegYbQzm++qACF6lkocVagsV52jAnhcJwLLggyglSESnYe+hvJ2V+v -XLr/ua+VFph1cIkMAL2R2Ne0rkHpH1lYh4mFv0v12VbXj49vcGtTdylydB0tkPWf -4qKYV1QF6cJWwSW6g6GrHMk69WLd7i4s0xbIEugzoaf3DsMre1a/cpvCbrwyE6cX -UL54GlmTQ5BELpGse7aQKH+OjgawLe0H6cGltO0vZpqLRDpCDmKNpDDalu1DDXha -gy6Ak4hw66Pn1YJFSzuG34wiHMEDi9oCX2EVl+2j5jsu99DVgc4RsNmHjEcZmkCx -8XRot4bNLIYIljmkDeK56RcrvO3yq7OPLw9sT3LsYBIYcrECh040H8azhhVu53V1 -LDJzTn635Rp78xXWrdH0SrdTTBSVuPfm4wBLgP2BnwYfHNkTI2JIbHFyrctXmYKM -SuXFp+INgpkiUkJDExqqcpQN6d9OHIdag64ImsQC8aJmPbUVSqcEaWYo+ieo11sg -vG0KeokTgZdonKp3H2AJIPfaEGY6uMFdRUpIW1y6PZbKT7uQ4l/UTBnNlgx682Je -/7sk4nq9n52sJYmJb+jEFL0CQhOtnpwZOJXj2XSAqflbbUdmpuDFdiZH70B8unE3 -KStkLj+pVYc1EdGENwEAe2fSj5hyDGA71YCEXM47qHD3Bo3N+FHN2xhbYqN95cf5 -wdhsdyh0+HXtj4KWKfv7GrRSeHLCssk1SwZUClulsl3gkNk2ldeedjmhO1lhBjX1 -ESgMYwdQhxNY5d6givKjXpkKCh73FM4pkj7Y69R1qmSCqiTyvi9BiblDiftVsjoC -FZnlwp5GXnQyp+bJnN1B6OVeQUWiV+RzRosftIwHX09hHZ4f53vX+H+NeQXM0xMW -XeLVluoHUXhg9vnJZKRlSwJvWjAizbarjJTTAqnBNWFt8Q4Q4iJRZKG7ZtZnJt7b -l3Jz9aLZnI0qWlngqF9ZmeGqJOHFjdb4ckSpb2ByZtNdDnx//q07Lu1GsykE4qIF -bUraKwJgIhV/it84ohdgg4JYicFcWnYU01npVmExBm6H81lSdKJLdQcp46GVJxth -bGS5lYVbuw3bnzEbQzDDPE/AhXe+zExv/MHhXSrvYnmpC1wrN1KqwzfzoQ1MEZiZ -v05IPaLDpdUOhDimehPxGI2wQo7A+9H4u1ZXNNWkWnEMW8X2x7hp5bRVGANgDbm8 -VgqSVE2IXZv8q7ZSFmAA+9EqPXA2mVJg62elOVPQW/kUzUZVAlQWuFpLQQtV9S1Q -lCjoLeczmVo4pu6zt8FoW+wjBwEdr0BQbq2TmW1IUKmQA10cFYoqaXFYkih7BH1v -9UPLRE/7LLZTYZGDH2Va3EVPWtENDvUVLINlbcHu+FUY2q6EGQJcB34ozg5gvS50 -i87u5hjIuUK5oFnHkLEYLOXSiqMQmR2RlrSUoVSe6PLhbMcEiQ0xatiYrtnOh3qP -XLPdCVBwCxyeMPCEzMoRpbEZkF/ftUq0b/ULaymcMpxGARhSlsUecFhQdpZOpAfe -IpqYtwAFCZdGSII1u5sHzi3sUdYNw65TRT1Bcok1K2BWQg6MUDHar4E977KtVQ+V -2c3ydS7NVQLTklOkoXTCaqRfHUEh4suzJmShRzhm0Es04aHalS8h3h3DP8bebeIp -q6hWVZxoB1EKAeqkbF3wrefWSnoYq5Xa9JwQ21daYGUBtY0pyoeHNuB8VcKlhVJ1 -xCb5hPQmGqWmxhbIoja2h8RWkWfs1IGg2Mch0u14jsIaIVG4lidiZpMJSnNqnhsr -HqVW3YFJsVqptEAO5RUt/gUsYM17CIhIwA/1Z5UueMDHqLc4sTaG77V14Doikct9 -swjOIQGJTzjlfZtvyiNLeYN7ipoIulJ6BKQEvro6z6ECCsBKUP15d6ZMCOWdSwEp -OZbEZFR3jbyPOgAyjBXimhTCWRPYsAVaOGSADZpWasclpE+uqLxHEyzQYTOmVOjm -BP8UAXPhjsAhjbr+RgeSKY/ZWiOoGtxR7KLSs6BmmVn7SyTKmwRQuNevwxl8ms3K -jR/beJUNGpSBHyQE3OLzGod+gSb2SG8TJbh4lA0APhmAXiiyxH9RgNzZx2F0Auqt -8MFgdoCusHiGrJuokPJp4Y79UOqt2CQGgm9Y6OpBxR6Pkbk0zACLiabU9ESIQzkC -OMDgFjgl8EPzlMtHF3La90ys5I1wahApHW0bzTpY9FPju9WRJyNkGXoem2eYUso7 -dtghj4rGSomqcH+qozVaVTdpplSnrm2R0qVKBTZD2IjS3DvZY3RJzH1AwKuHKQad -ZeLUYX2KXFAR58lMbLSOBajkNNG/t4Jey3Gscaqs3ypF5mJLBvDX205e ------END PRIVATE KEY----- diff --git a/certs/falcon_level5_server_pubkey.der b/certs/falcon_level5_server_pubkey.der deleted file mode 100644 index c339e30cdf73015200161b7ffc0be953990cfefc..0000000000000000000000000000000000000000 GIT binary patch literal 0 HcmV?d00001 literal 1811 zcmV+u2kiJTf(H*U2L=Tz&JP0#1A+$v01B+N+88;AS<+K(WfV*FYh>-TR-aRW z;wOpe-hqbD&Tqb`0EOyVC~;Pxv0iqJ3E^;@3oZyUf>eY`b{_g0$=P48T)O|cuay>< zb#RFc0KJje*R-xd=^t5Ghlz#1OZC}S*N=~HaBEX{DROijEs*t};-Z*WR0Zk6R>38@ zgQ2S&$vX97-R>?d(-z1Q=rf_G_YT7=dse@4o5F6qG83m4P`-E?S(8JML@tr6d$y1$ ze~yj@ur2Ke>A|J6?Js7Ui$pp?4q}a@Fxr;wLk)OZgD!xRh;Zwp=hcEmOFM?&j3OMt z1B==MUttxO?W5*9F89#YfzA=I*@uir8Ja+`@pNdnhRrO72$ngd4dS`!7c0E&@~g9t zFAr=_a_nFd7;>=!hfXvf#=lnv?MP8^3?gRTgg!~*f6 zW<9kPN~Z*AW+?h6sMlK{ylo14i4%dBXq>8dA7BX}_u3FXrr^bP zCP(i;e7bQrDJx_yKdDuRH4)K-Hvs^9XVQ<%Df{~xv{HC-!m`OVO9oU5TcxsH;E>rimDiqjIiWjQVFoqz z5hx5}2T+F-SmoZJit?jgnFIYGH zVD|aRWTa(F0&iL{BF(m|jFi&?slhd2ZSf8e;v!LGp}S_*XC~g;mvVFUqS>5{Dq30K zs9#x`;i@Fz#f{eZazv?bU~*>DT@HMI{;fMM?MAaH1mdCvZA#iJ0$?H)e~RBYq8DI; zf>?>cTv~P%(^=_OVKD}7hx1udbfQaj2PxyBl_wivY-G8WgsS8{yH&Uv@H}jzlOc9uwzfMR!qQj-t4um+SdK2*&jj%$F!28ko zyH-~;)udW+3|qza$GBu04o zQ_x%a6wO9e0#p{bT1!C-RrM`Ulql#e=QEjFIHvBix4~#z>>~#O9j`!8ZmpA)D(q+cCDA>zxkCS;*UIA+jGG~uDzl`kRQ9m7Ay-fiM3tEg60 zoM;D83IXb*Y+dlJ=hjMk7^{`q^qdgeS6X0Y0kw@O%7=$G;CxlWrG-*;#3uQK^d=gm zrp6Y?qBgdN#8#1K?9_pv*vBE#?RbvD8X-}*mM3CnlL<<5YMvV_9;H^@fl0AiskA^2 zm}*RR7Fe45S5jUU^1l?@t{fgdCU+~V^Zhkk)3_DF9NCAfH$ z4FEnFfLYkn(Baj{Q*Tt=J?6f^S&p>OsXG zkCC}F%m9mtrquLAh(kF7IKbc*I3@5y^OVa+7joM7OswRMaB2`K9c>%UI#~2m #include +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_KYBER) && \ + defined(HAVE_DILITHIUM) + #define DEFAULT_PORT 11111 -#define CERT_FILE "../certs/falcon_level5_root_cert.pem" +#define CERT_FILE "../../certs/mldsa87_root_cert.pem" -#if defined(HAVE_SECRET_CALLBACK) && defined(WOLFSSL_TLS13) && \ - defined(HAVE_LIBOQS) +#ifdef HAVE_SECRET_CALLBACK #ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT #define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log" @@ -108,12 +110,14 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret return 0; } -#endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */ +#endif /* HAVE_SECRET_CALLBACK */ +#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_KYBER && HAVE_DILITHIUM */ int main(int argc, char** argv) { int ret = 0; -#if defined(WOLFSSL_TLS13) && defined(HAVE_LIBOQS) +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_KYBER) && \ + defined(HAVE_DILITHIUM) int sockfd = SOCKET_INVALID; struct sockaddr_in servAddr; char buff[256]; @@ -192,10 +196,10 @@ int main(int argc, char** argv) ret = -1; goto exit; } - ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5); + ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_ML_KEM_1024); if (ret < 0) { fprintf(stderr, "ERROR: failed to set the requested group to " - "P521_KYBER_LEVEL5.\n"); + "WOLFSSL_P521_ML_KEM_1024.\n"); ret = -1; goto exit; } @@ -263,9 +267,10 @@ exit: wolfSSL_CTX_free(ctx); /* Free the wolfSSL context object */ wolfSSL_Cleanup(); /* Cleanup the wolfSSL environment */ #else - printf("Example requires TLS v1.3 and liboqs.\n"); - printf("Configure wolfssl like this: ./configure --with-liboqs\n"); -#endif + printf("This requires TLS 1.3, ML-DSA (Dilithium) and ML-KEM (Kyber).\n"); + printf("Configure wolfssl like this:\n"); + printf(" ./configure --enable-dilithium --enable-kyber\n"); +#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_KYBER && HAVE_DILITHIUM */ (void)argc; (void)argv; diff --git a/pq/tls/falcon_certverify.c b/pq/tls/falcon_certverify.c deleted file mode 100644 index fca309b6..00000000 --- a/pq/tls/falcon_certverify.c +++ /dev/null @@ -1,86 +0,0 @@ -/* falcon_certverify.c - * - * Copyright (C) 2021 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ - -#include -#include -#include -#include -#include - -int main(int argc, char **argv) -{ - int ret; - WOLFSSL_CERT_MANAGER* cm = NULL; - - const char* caCert = "./falcon_level5_root_cert.pem"; - const char* verifyCert = "./falcon_level5_entity_cert.pem"; - - if(argc == 3) { - caCert = argv[1]; - verifyCert = argv[2]; - } else if (argc != 1) { - printf("usage: %s [ ]\n", argv[0]); - printf("Default CA Cert: %s, verify Cert: %s\n", caCert, verifyCert); - return 0; - } - - wolfSSL_Init(); -#ifdef DEBUG_WOLFSSL - wolfSSL_Debugging_ON(); -#endif - - cm = wolfSSL_CertManagerNew(); - if (cm == NULL) { - printf("wolfSSL_CertManagerNew() failed\n"); - return -1; - } - - wolfSSL_CertManagerSetVerify(cm, myVerify); - - ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL); - if (ret != WOLFSSL_SUCCESS) { - if (ret == WOLFSSL_BAD_FILE) { - printf("No root certificate found. Please see the README.md file" - " to learn how to generate the certificates.\n"); - } - printf("wolfSSL_CertManagerLoadCA() failed (%d): %s\n", - ret, wolfSSL_ERR_reason_error_string(ret)); - ret = -1; goto exit; - } - - ret = wolfSSL_CertManagerVerify(cm, verifyCert, WOLFSSL_FILETYPE_PEM); - if (ret != WOLFSSL_SUCCESS) { - if (ret == WOLFSSL_BAD_FILE) { - printf("No entity certificate found. Please see the README.md file " - "to learn how to generate the certificates.\n"); - } - printf("wolfSSL_CertManagerVerify() failed (%d): %s\n", - ret, wolfSSL_ERR_reason_error_string(ret)); - ret = -1; goto exit; - } - printf("Verification Successful!\n"); - -exit: - wolfSSL_CertManagerFree(cm); - wolfSSL_Cleanup(); - - return ret; -} diff --git a/pq/tls/server-pq-tls13.c b/pq/tls/server-pq-tls13.c index 568ef978..0915f978 100644 --- a/pq/tls/server-pq-tls13.c +++ b/pq/tls/server-pq-tls13.c @@ -41,14 +41,16 @@ #include #include +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_KYBER) && \ + defined(HAVE_DILITHIUM) + #define DEFAULT_PORT 11111 -#define CERT_FILE "../certs/falcon_level5_entity_cert.pem" -#define KEY_FILE "../certs/falcon_level5_entity_key.pem" +#define CERT_FILE "../../certs/mldsa87_entity_cert.pem" +#define KEY_FILE "../../certs/mldsa87_entity_key.pem" -#if defined(HAVE_SECRET_CALLBACK) && defined(WOLFSSL_TLS13) && \ - defined(HAVE_LIBOQS) +#ifdef HAVE_SECRET_CALLBACK #ifndef WOLFSSL_SSLKEYLOGFILE_OUTPUT #define WOLFSSL_SSLKEYLOGFILE_OUTPUT "sslkeylog.log" @@ -115,9 +117,8 @@ static int Tls13SecretCallback(WOLFSSL* ssl, int id, const unsigned char* secret return 0; } -#endif /* WOLFSSL_TLS13 && HAVE_SECRET_CALLBACK */ +#endif /* HAVE_SECRET_CALLBACK */ -#if defined(WOLFSSL_TLS13) && defined(HAVE_LIBOQS) static int mSockfd = SOCKET_INVALID; static int mConnd = SOCKET_INVALID; static int mShutdown = 0; @@ -137,13 +138,16 @@ static void sig_handler(const int sig) mSockfd = SOCKET_INVALID; } } -#endif -#endif +#endif /* HAVE_SIGNAL */ +#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_KYBER && HAVE_DILITHIUM */ int main(int argc, char** argv) { int ret = 0; -#if defined(WOLFSSL_TLS13) && defined(HAVE_LIBOQS) + +#if defined(WOLFSSL_TLS13) && defined(WOLFSSL_HAVE_KYBER) && \ + defined(HAVE_DILITHIUM) + struct sockaddr_in servAddr; struct sockaddr_in clientAddr; socklen_t size = sizeof(clientAddr); @@ -244,10 +248,10 @@ int main(int argc, char** argv) ret = -1; goto exit; } - ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_KYBER_LEVEL5); + ret = wolfSSL_UseKeyShare(ssl, WOLFSSL_P521_ML_KEM_1024); if (ret < 0) { fprintf(stderr, "ERROR: failed to set the requested group to " - "P521_KYBER_LEVEL5.\n"); + "WOLFSSL_P521_ML_KEM_1024.\n"); ret = -1; goto exit; } @@ -334,9 +338,10 @@ exit: wolfSSL_Cleanup(); /* Cleanup the wolfSSL environment */ #else - printf("Example requires TLS v1.3 and liboqs.\n"); - printf("Configure wolfssl like this: ./configure --with-liboqs\n"); -#endif /* WOLFSSL_TLS13 */ + printf("This requires TLS 1.3, ML-DSA (Dilithium) and ML-KEM (Kyber).\n"); + printf("Configure wolfssl like this:\n"); + printf(" ./configure --enable-dilithium --enable-kyber\n"); +#endif /* WOLFSSL_TLS13 && WOLFSSL_HAVE_KYBER && HAVE_DILITHIUM */ (void)argc; (void)argv; diff --git a/pq/tls/sphincs_sign_verify.c b/pq/tls/sphincs_sign_verify.c deleted file mode 100644 index 373fe065..00000000 --- a/pq/tls/sphincs_sign_verify.c +++ /dev/null @@ -1,214 +0,0 @@ -/* sphincs_sign_verify.c - * - * Copyright (C) 2022 wolfSSL Inc. - * - * This file is part of wolfSSL. - * - * wolfSSL is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * wolfSSL is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1335, USA - */ -#include -#include - -#include -#include -#include -#include - -#ifdef HAVE_LIBOQS - -#define MAX_PEM_CERT_SIZE 70000 -#define MAX_KEY_KEY_SIZE 256 - -/* You can use any of the following combinations, but make sure to use the - * correct file names: - * LEVEL = 1 | 3 | 5 - * VARIANT = FAST_VARIANT | SMALL_VARIANT */ -#define LEVEL 5 -#define VARIANT FAST_VARIANT -#define CERT_FILE "../certs/sphincs_fast_level5_entity_cert.pem" -#define KEY_FILE "../certs/sphincs_fast_level5_entity_key.pem" - -#define MESSAGE "This message is protected with post-quantum cryptography!" - -static void check_ret(char *func_name, int ret) { - if (ret != 0) { - fprintf(stderr, "ERROR: %s() returned %d\n", func_name, ret); - } -} - -int main(int argc, char** argv) -{ - int ret = 0; - int verify_result = -1; - FILE *file = NULL; - - byte pem_buf[MAX_PEM_CERT_SIZE]; - word32 pem_len = sizeof(pem_buf); - - byte priv_der_buf[MAX_KEY_KEY_SIZE]; - word32 priv_der_len = sizeof(priv_der_buf); - - byte cert_der_buf[MAX_PEM_CERT_SIZE]; - word32 cert_der_len = sizeof(cert_der_buf); - - byte pub_der_buf[MAX_KEY_KEY_SIZE]; - word32 pub_der_len = sizeof(pub_der_buf); - - byte signature[SPHINCS_MAX_SIG_SIZE]; - word32 signature_len = sizeof(signature); - - WC_RNG rng; - sphincs_key priv_key; - sphincs_key pub_key; - DecodedCert decodedCert; - - wc_InitRng(&rng); - - if (ret == 0) { - ret = wc_sphincs_init(&priv_key); - check_ret("wc_sphincs_init", ret); - } - - if (ret == 0) { - ret = wc_sphincs_init(&pub_key); - check_ret("wc_sphincs_init", ret); - } - - /* Get private key from key PEM file. */ - - if (ret == 0) { - ret = wc_sphincs_set_level_and_optim(&priv_key, LEVEL, VARIANT); - check_ret("wc_sphincs_set_level_and_optim", ret); - } - - if (ret == 0) { - file = fopen(KEY_FILE, "rb"); - ret = fread(pem_buf, 1, sizeof(pem_buf), file); - fclose(file); - file = NULL; - if (ret > 0) { - pem_len = ret; - ret = 0; - } else { - check_ret("fread", ret); - ret = -1; - } - } - - if (ret == 0) { - ret = wc_KeyPemToDer((const byte*)pem_buf, pem_len, - priv_der_buf, priv_der_len, NULL); - if (ret > 0) { - priv_der_len = ret; - ret = 0; - } else { - check_ret("wc_KeyPemToDer", ret); - /* In case ret = 0. */ - ret = -1; - } - } - - if (ret == 0) { - ret = wc_sphincs_import_private_only(priv_der_buf, priv_der_len, - &priv_key); - check_ret("wc_sphincs_import_private_only", ret); - } - - /* Get public key from certificate PEM file. */ - - if (ret == 0) { - ret = wc_sphincs_set_level_and_optim(&pub_key, LEVEL, VARIANT); - check_ret("wc_sphincs_set_level_and_optim", ret); - } - - if (ret == 0) { - file = fopen(CERT_FILE, "rb"); - ret = fread(pem_buf, 1, sizeof(pem_buf), file); - fclose(file); - file = NULL; - if (ret > 0) { - pem_len = ret; - ret = 0; - } else { - check_ret("fread", ret); - ret = -1; - } - } - - if (ret == 0) { - ret = wc_CertPemToDer((const byte*)pem_buf, pem_len, cert_der_buf, - cert_der_len, CERT_TYPE); - if (ret > 0) { - cert_der_len = ret; - ret = 0; - } else { - check_ret("wc_CertPemToDer", ret); - /* In case ret = 0. */ - ret = -1; - } - } - - if (ret == 0) { - wc_InitDecodedCert(&decodedCert, cert_der_buf, cert_der_len, 0); - ret = wc_ParseCert(&decodedCert, CERT_TYPE, NO_VERIFY, NULL); - check_ret("ParseCert", ret); - } - - if (ret == 0) { - ret = wc_GetPubKeyDerFromCert(&decodedCert, pub_der_buf, - &pub_der_len); - check_ret("wc_GetPubKeyDerFromCert", ret); - } - - if (ret == 0) { - ret = wc_sphincs_import_public(pub_der_buf, pub_der_len, &pub_key); - check_ret("wc_sphincs_import_public", ret); - } - - /* We now have the public and private key. Time to sign and verify the - * message. */ - - if (ret == 0) { - ret = wc_sphincs_sign_msg((const byte *)MESSAGE, sizeof(MESSAGE), - signature, &signature_len, &priv_key); - check_ret("wc_sphincs_sign_msg", ret); - } - - if (ret == 0) { - ret = wc_sphincs_verify_msg(signature, signature_len, - (const byte *)MESSAGE, sizeof(MESSAGE), &verify_result, - &pub_key); - check_ret("wc_sphincs_verify_msg", ret); - } - - printf("verify result: %s\n", verify_result == 1 ? "SUCCESS" : "FAILURE"); - - wc_FreeDecodedCert(&decodedCert); - wc_sphincs_free(&priv_key); - wc_sphincs_free(&pub_key); - wc_FreeRng(&rng); - wolfCrypt_Cleanup(); - - return ret; -} - -#else - -int main(int argc, char** argv) { - printf("This requires the --with-liboqs flag.\n"); - return 0; -} -#endif /* WITH_LIBOQS */ - diff --git a/pq/tls/stm32/README.md b/pq/tls/stm32/README.md index 04105038..feba30bb 100644 --- a/pq/tls/stm32/README.md +++ b/pq/tls/stm32/README.md @@ -17,9 +17,9 @@ is new and has not made it into a release as of the time of the writing of this document. Support will start as of release 5.3.0. Please see README.md in the parent of this directory for insructions on how to -build and install liboqs and wolfSSL on your linux machine. They will be -required to build the applications on the linux side that will talk to the -STM32 board over UART. +build and install wolfSSL on your linux machine with ML-DSA (Dilithium) support. +It will be required to build the applications on the linux side that will talk +to the STM32 board over UART. ## Building the Applications for the Linux Side