Example of how to verify a falcon certificate chain.

certmanager/README.md

@@ -11,3 +11,52 @@ in a standalone manner, separate from an SSL/TLS connection.
 $ make
 $ ./certverify
 ```
+## Verification of OQS Falcon Certificates
+
+The `generate_falcon_chains.sh` script will allow you to use the OQS project's
+OpenSSL in order to generate a self-signed CA certificate and entity
+certificate that use Falcon. In the OpenSSL directory, run the script to
+generate the certificates in the the /tmp/ directory.
+
+Apply the following patch:
+
+```
+diff --git a/certmanager/certverify.c b/certmanager/certverify.c
+index 4b5fed7..1b29d89 100644
+--- a/certmanager/certverify.c
++++ b/certmanager/certverify.c
+@@ -25,13 +25,15 @@
+ #include <wolfssl/wolfcrypt/error-crypt.h>
+ #include <wolfssl/test.h>
+ 
++#undef HAVE_CRL
++
+ int main(void)
+ {
+     int ret;
+     WOLFSSL_CERT_MANAGER* cm = NULL;
+ 
+-    const char* caCert     = "../certs/ca-cert.pem";
+-    const char* verifyCert = "../certs/server-cert.pem";
++    const char* caCert     = "/tmp/falcon1024_root_cert.pem";
++    const char* verifyCert = "/tmp/falcon1024_entity_cert.pem";
+ 
+ #ifdef HAVE_CRL
+     const char* crlPem     = "../certs/crl/crl.pem";
+@@ -52,7 +54,7 @@ int main(void)
+         return -1;
+     }
+ 
+-    wolfSSL_CertManagerSetVerify(cm, myVerify);
++    //wolfSSL_CertManagerSetVerify(cm, myVerify);
+ 
+     ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL);
+     if (ret != SSL_SUCCESS) {
+```
+
+Then compile and run the sample:
+```
+$ make
+$ ./certverify
+```
+

certmanager/generate_falcon_chains.sh

@@ -0,0 +1,90 @@
+#!/bin/bash 
+
+# Script to generate Falcon 512 and Falcon1024 certificate chains.
+#
+# Copyright 2021 wolfSSL Inc. All rights reserved.
+# Original Author: Anthony Hu.
+# Execute in openssl directory after building oqs fork of OpenSSL. 
+
+# Generate conf files.
+printf "\
+[ req ]\n\
+prompt                 = no\n\
+distinguished_name     = req_distinguished_name\n\
+\n\
+[ req_distinguished_name ]\n\
+C                      = CA\n\
+ST                     = ON\n\
+L                      = Waterloo\n\
+O                      = wolfSSL Inc.\n\
+OU                     = Engineering\n\
+CN                     = Root Certificate\n\
+emailAddress           = root@wolfssl.com\n\
+\n\
+[ ca_extensions ]\n\
+subjectKeyIdentifier   = hash\n\
+authorityKeyIdentifier = keyid:always,issuer:always\n\
+keyUsage               = critical, keyCertSign\n\
+basicConstraints       = critical, CA:true\n" > root.conf
+
+printf "\
+[ req ]\n\
+prompt                 = no\n\
+distinguished_name     = req_distinguished_name\n\
+\n\
+[ req_distinguished_name ]\n\
+C                      = CA\n\
+ST                     = ON\n\
+L                      = Waterloo\n\
+O                      = wolfSSL Inc.\n\
+OU                     = Engineering\n\
+CN                     = Entity Certificate\n\
+emailAddress           = entity@wolfssl.com\n\
+\n\
+[ x509v3_extensions ]\n\
+subjectKeyIdentifier   = hash\n\
+authorityKeyIdentifier = keyid:always,issuer:always\n\
+keyUsage               = critical, digitalSignature\n\
+extendedKeyUsage       = critical, serverAuth,clientAuth\n" > entity.conf
+
+###############################################################################
+# Falcon 512
+###############################################################################
+
+# Generate root key and entity private keys. 
+./apps/openssl genpkey -algorithm falcon512 -outform pem -out falcon512_root_key.pem
+./apps/openssl genpkey -algorithm falcon512 -outform pem -out falcon512_entity_key.pem
+
+# Generate the root certificate
+./apps/openssl req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 512 -key falcon512_root_key.pem -out falcon512_root_cert.pem 
+
+# Generate the entity CSR.
+./apps/openssl req -new -config entity.conf -key falcon512_entity_key.pem -out falcon512_entity_req.pem 
+
+# Generate the entity X.509 certificate.
+./apps/openssl x509 -req -in falcon512_entity_req.pem -CA falcon512_root_cert.pem -CAkey falcon512_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 513 -out falcon512_entity_cert.pem
+
+###############################################################################
+# Falcon 1024
+###############################################################################
+
+# Generate root key and entity private keys. 
+./apps/openssl genpkey -algorithm falcon1024 -outform pem -out falcon1024_root_key.pem
+./apps/openssl genpkey -algorithm falcon1024 -outform pem -out falcon1024_entity_key.pem
+
+# Generate the root certificate
+./apps/openssl req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 1024 -key falcon1024_root_key.pem -out falcon1024_root_cert.pem
+
+# Generate the entity CSR.
+./apps/openssl req -new -config entity.conf -key falcon1024_entity_key.pem -out falcon1024_entity_req.pem
+
+# Generate the entity X.509 certificate.
+./apps/openssl x509 -req -in falcon1024_entity_req.pem -CA falcon1024_root_cert.pem -CAkey falcon1024_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 1025 -out falcon1024_entity_cert.pem
+
+###############################################################################
+# Verify all generated certificates.
+###############################################################################
+./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon512_root_cert.pem falcon512_entity_cert.pem
+./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon1024_root_cert.pem falcon1024_entity_cert.pem
+
+mv *.pem /tmp/