Fixes as suggested by dgarske.

certmanager/README.md

@@ -13,10 +13,21 @@ $ ./certverify
 ```
 ## Verification of OQS Falcon Certificates
 
+Please see wolfssl/INSTALL for instructions on how to build and install the
+Open Quantum Safe project's liboqs. Once you have built that, you will then
+need to build the Open Quantum Safe project's OpenSSL. Instructions for
+downloading and building their OpenSSL fork can be found here:
+
+https://github.com/open-quantum-safe/openssl/releases/tag/OQS-OpenSSL_1_1_1-stable-snapshot-2021-08
+
+Note that installation of the OpenSSL fork is NOT neccessary.a
+
 The `generate_falcon_chains.sh` script will allow you to use the OQS project's
 OpenSSL in order to generate a self-signed CA certificate and entity
-certificate that use Falcon. In the OpenSSL directory, run the script to
-generate the certificates and then copy into this directory.
+certificate that uses Falcon. In the OpenSSL directory, run the script to
+generate the certificates and then copy them into this directory.
+
+Once that is complete, compile and run `falcon_certverify`:
 
 ```
 $ make

certmanager/certverify.c

@@ -55,14 +55,14 @@ int main(void)
     wolfSSL_CertManagerSetVerify(cm, myVerify);
 
     ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL);
-    if (ret != SSL_SUCCESS) {
+    if (ret != WOLFSSL_SUCCESS) {
         printf("wolfSSL_CertManagerLoadCA() failed (%d): %s\n",
                 ret, wolfSSL_ERR_reason_error_string(ret));
         ret = -1; goto exit;
     }
 
-    ret = wolfSSL_CertManagerVerify(cm, verifyCert, SSL_FILETYPE_PEM);
-    if (ret != SSL_SUCCESS) {
+    ret = wolfSSL_CertManagerVerify(cm, verifyCert, WOLFSSL_FILETYPE_PEM);
+    if (ret != WOLFSSL_SUCCESS) {
         printf("wolfSSL_CertManagerVerify() failed (%d): %s\n",
                 ret, wolfSSL_ERR_reason_error_string(ret));
         ret = -1; goto exit;
@@ -78,8 +78,8 @@ int main(void)
     bufSz = fread(buf, 1, sizeof(buf), file);
     fclose(file);
 
-    ret = wolfSSL_CertManagerLoadCRLBuffer(cm, buf, bufSz, SSL_FILETYPE_PEM);
-    if (ret != SSL_SUCCESS) {
+    ret = wolfSSL_CertManagerLoadCRLBuffer(cm, buf, bufSz, WOLFSSL_FILETYPE_PEM);
+    if (ret != WOLFSSL_SUCCESS) {
         printf("wolfSSL_CertManagerLoadCRLBuffer() failed (%d): %s\n",
             ret, wolfSSL_ERR_reason_error_string(ret));
         ret = -1; goto exit;
@@ -95,7 +95,7 @@ int main(void)
     fclose(file);
 
     ret = wolfSSL_CertManagerCheckCRL(cm, buf, bufSz);
-    if (ret != SSL_SUCCESS) {
+    if (ret != WOLFSSL_SUCCESS) {
         printf("wolfSSL_CertManagerCheckCRL() failed (%d): %s\n",
             ret, wolfSSL_ERR_reason_error_string(ret));
         ret = -1; goto exit;

certmanager/falcon_certverify.c

@@ -47,14 +47,22 @@ int main(void)
     wolfSSL_CertManagerSetVerify(cm, myVerify);
 
     ret = wolfSSL_CertManagerLoadCA(cm, caCert, NULL);
-    if (ret != SSL_SUCCESS) {
+    if (ret != WOLFSSL_SUCCESS) {
+        if (ret == -4) {
+            printf("No root certificate found. Please see the README.md file"
+                   " to learn how to generate the certificates.\n");
+        }
         printf("wolfSSL_CertManagerLoadCA() failed (%d): %s\n",
                 ret, wolfSSL_ERR_reason_error_string(ret));
         ret = -1; goto exit;
     }
 
-    ret = wolfSSL_CertManagerVerify(cm, verifyCert, SSL_FILETYPE_PEM);
-    if (ret != SSL_SUCCESS) {
+    ret = wolfSSL_CertManagerVerify(cm, verifyCert, WOLFSSL_FILETYPE_PEM);
+    if (ret != WOLFSSL_SUCCESS) {
+        if (ret == -4) {
+            printf("No entity certificate found. Please see the README.md file "
+                   "to learn how to generate the certificates.\n");
+        }
         printf("wolfSSL_CertManagerVerify() failed (%d): %s\n",
                 ret, wolfSSL_ERR_reason_error_string(ret));
         ret = -1; goto exit;

certmanager/generate_falcon_chains.sh

@@ -4,7 +4,11 @@
 #
 # Copyright 2021 wolfSSL Inc. All rights reserved.
 # Original Author: Anthony Hu.
-# Execute in openssl directory after building oqs fork of OpenSSL. 
+#
+# Execute this script in the openssl directory after building OQS's fork of
+# OpenSSL. Please see the README.md file for more details.
+
+OPENSSL="./apps/openssl"
 
 # Generate conf files.
 printf "\
@@ -52,38 +56,38 @@ extendedKeyUsage       = critical, serverAuth,clientAuth\n" > entity.conf
 ###############################################################################
 
 # Generate root key and entity private keys. 
-./apps/openssl genpkey -algorithm falcon512 -outform pem -out falcon512_root_key.pem
-./apps/openssl genpkey -algorithm falcon512 -outform pem -out falcon512_entity_key.pem
+${OPENSSL} genpkey -algorithm falcon512 -outform pem -out falcon512_root_key.pem
+${OPENSSL} genpkey -algorithm falcon512 -outform pem -out falcon512_entity_key.pem
 
 # Generate the root certificate
-./apps/openssl req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 512 -key falcon512_root_key.pem -out falcon512_root_cert.pem 
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 512 -key falcon512_root_key.pem -out falcon512_root_cert.pem 
 
 # Generate the entity CSR.
-./apps/openssl req -new -config entity.conf -key falcon512_entity_key.pem -out falcon512_entity_req.pem 
+${OPENSSL} req -new -config entity.conf -key falcon512_entity_key.pem -out falcon512_entity_req.pem 
 
 # Generate the entity X.509 certificate.
-./apps/openssl x509 -req -in falcon512_entity_req.pem -CA falcon512_root_cert.pem -CAkey falcon512_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 513 -out falcon512_entity_cert.pem
+${OPENSSL} x509 -req -in falcon512_entity_req.pem -CA falcon512_root_cert.pem -CAkey falcon512_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 513 -out falcon512_entity_cert.pem
 
 ###############################################################################
 # Falcon 1024
 ###############################################################################
 
 # Generate root key and entity private keys. 
-./apps/openssl genpkey -algorithm falcon1024 -outform pem -out falcon1024_root_key.pem
-./apps/openssl genpkey -algorithm falcon1024 -outform pem -out falcon1024_entity_key.pem
+${OPENSSL} genpkey -algorithm falcon1024 -outform pem -out falcon1024_root_key.pem
+${OPENSSL} genpkey -algorithm falcon1024 -outform pem -out falcon1024_entity_key.pem
 
 # Generate the root certificate
-./apps/openssl req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 1024 -key falcon1024_root_key.pem -out falcon1024_root_cert.pem
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 1024 -key falcon1024_root_key.pem -out falcon1024_root_cert.pem
 
 # Generate the entity CSR.
-./apps/openssl req -new -config entity.conf -key falcon1024_entity_key.pem -out falcon1024_entity_req.pem
+${OPENSSL} req -new -config entity.conf -key falcon1024_entity_key.pem -out falcon1024_entity_req.pem
 
 # Generate the entity X.509 certificate.
-./apps/openssl x509 -req -in falcon1024_entity_req.pem -CA falcon1024_root_cert.pem -CAkey falcon1024_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 1025 -out falcon1024_entity_cert.pem
+${OPENSSL} x509 -req -in falcon1024_entity_req.pem -CA falcon1024_root_cert.pem -CAkey falcon1024_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 1025 -out falcon1024_entity_cert.pem
 
 ###############################################################################
 # Verify all generated certificates.
 ###############################################################################
-./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon512_root_cert.pem falcon512_entity_cert.pem
-./apps/openssl verify -no-CApath -check_ss_sig -CAfile falcon1024_root_cert.pem falcon1024_entity_cert.pem
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile falcon512_root_cert.pem falcon512_entity_cert.pem
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile falcon1024_root_cert.pem falcon1024_entity_cert.pem