From 46f61cc8f817a90a2020f6e619a543970fa31bf8 Mon Sep 17 00:00:00 2001 From: Anthony Hu Date: Fri, 15 Oct 2021 10:08:00 -0400 Subject: [PATCH] Example of how to verify a falcon certificate chain. --- certmanager/README.md | 49 +++++++++++++++ certmanager/generate_falcon_chains.sh | 90 +++++++++++++++++++++++++++ 2 files changed, 139 insertions(+) create mode 100755 certmanager/generate_falcon_chains.sh diff --git a/certmanager/README.md b/certmanager/README.md index 281fa10f..67d3beec 100644 --- a/certmanager/README.md +++ b/certmanager/README.md @@ -11,3 +11,52 @@ in a standalone manner, separate from an SSL/TLS connection. $ make $ ./certverify ``` +## Verification of OQS Falcon Certificates + +The `generate_falcon_chains.sh` script will allow you to use the OQS project's +OpenSSL in order to generate a self-signed CA certificate and entity +certificate that use Falcon. In the OpenSSL directory, run the script to +generate the certificates in the the /tmp/ directory. + +Apply the following patch: + +``` +diff --git a/certmanager/certverify.c b/certmanager/certverify.c +index 4b5fed7..1b29d89 100644 +--- a/certmanager/certverify.c ++++ b/certmanager/certverify.c +@@ -25,13 +25,15 @@ + #include + #include + ++#undef HAVE_CRL ++ + int main(void) + { + int ret; + WOLFSSL_CERT_MANAGER* cm = NULL; + +- const char* caCert = "../certs/ca-cert.pem"; +- const char* verifyCert = "../certs/server-cert.pem"; ++ const char* caCert = "/tmp/falcon1024_root_cert.pem"; ++ const char* verifyCert = "/tmp/falcon1024_entity_cert.pem"; + + #ifdef HAVE_CRL + const char* crlPem = "../certs/crl/crl.pem"; +@@ -52,7 +54,7 @@ int main(void) + return -1; + } + +- wolfSSL_CertManagerSetVerify(cm, myVerify); ++ //wolfSSL_CertManagerSetVerify(cm, myVerify); + + ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL); + if (ret != SSL_SUCCESS) { +``` + +Then compile and run the sample: +``` +$ make +$ ./certverify +``` + diff --git a/certmanager/generate_falcon_chains.sh b/certmanager/generate_falcon_chains.sh new file mode 100755 index 00000000..b17cbec9 --- /dev/null +++ b/certmanager/generate_falcon_chains.sh @@ -0,0 +1,90 @@ +#!/bin/bash + +# Script to generate Falcon 512 and Falcon1024 certificate chains. +# +# Copyright 2021 wolfSSL Inc. All rights reserved. +# Original Author: Anthony Hu. +# Execute in openssl directory after building oqs fork of OpenSSL. + +# Generate conf files. +printf "\ +[ req ]\n\ +prompt = no\n\ +distinguished_name = req_distinguished_name\n\ +\n\ +[ req_distinguished_name ]\n\ +C = CA\n\ +ST = ON\n\ +L = Waterloo\n\ +O = wolfSSL Inc.\n\ +OU = Engineering\n\ +CN = Root Certificate\n\ +emailAddress = root@wolfssl.com\n\ +\n\ +[ ca_extensions ]\n\ +subjectKeyIdentifier = hash\n\ +authorityKeyIdentifier = keyid:always,issuer:always\n\ +keyUsage = critical, keyCertSign\n\ +basicConstraints = critical, CA:true\n" > root.conf + +printf "\ +[ req ]\n\ +prompt = no\n\ +distinguished_name = req_distinguished_name\n\ +\n\ +[ req_distinguished_name ]\n\ +C = CA\n\ +ST = ON\n\ +L = Waterloo\n\ +O = wolfSSL Inc.\n\ +OU = Engineering\n\ +CN = Entity Certificate\n\ +emailAddress = entity@wolfssl.com\n\ +\n\ +[ x509v3_extensions ]\n\ +subjectKeyIdentifier = hash\n\ +authorityKeyIdentifier = keyid:always,issuer:always\n\ +keyUsage = critical, digitalSignature\n\ +extendedKeyUsage = critical, serverAuth,clientAuth\n" > entity.conf + +############################################################################### +# Falcon 512 +############################################################################### + +# Generate root key and entity private keys. +./apps/openssl genpkey -algorithm falcon512 -outform pem -out falcon512_root_key.pem +./apps/openssl genpkey -algorithm falcon512 -outform pem -out falcon512_entity_key.pem + +# Generate the root certificate +./apps/openssl req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 512 -key falcon512_root_key.pem -out falcon512_root_cert.pem + +# Generate the entity CSR. +./apps/openssl req -new -config entity.conf -key falcon512_entity_key.pem -out falcon512_entity_req.pem + +# Generate the entity X.509 certificate. +./apps/openssl x509 -req -in falcon512_entity_req.pem -CA falcon512_root_cert.pem -CAkey falcon512_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 513 -out falcon512_entity_cert.pem + +############################################################################### +# Falcon 1024 +############################################################################### + +# Generate root key and entity private keys. +./apps/openssl genpkey -algorithm falcon1024 -outform pem -out falcon1024_root_key.pem +./apps/openssl genpkey -algorithm falcon1024 -outform pem -out falcon1024_entity_key.pem + +# Generate the root certificate +./apps/openssl req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 1024 -key falcon1024_root_key.pem -out falcon1024_root_cert.pem + +# Generate the entity CSR. +./apps/openssl req -new -config entity.conf -key falcon1024_entity_key.pem -out falcon1024_entity_req.pem + +# Generate the entity X.509 certificate. +./apps/openssl x509 -req -in falcon1024_entity_req.pem -CA falcon1024_root_cert.pem -CAkey falcon1024_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 1025 -out falcon1024_entity_cert.pem + +############################################################################### +# Verify all generated certificates. +############################################################################### +./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon512_root_cert.pem falcon512_entity_cert.pem +./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon1024_root_cert.pem falcon1024_entity_cert.pem + +mv *.pem /tmp/