From ea6825ce1c0b95b2f7d902a2be42cec1e1806a8e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tobias=20Frauenschl=C3=A4ger?= Date: Fri, 5 Apr 2024 04:10:10 +0200 Subject: [PATCH] X9.146: Sign certificates with the right key (#426) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * X9.146: Sign certificates with the right key The hybrid certificate X9.146 examples used the wrong private key for creating the alternative signature of the server certificate. It has to be the issuer key (from the root certificate), not the private key from the server certificate. Also add -d for server to disable mutual authentication. --------- Signed-off-by: Tobias Frauenschläger Co-authored-by: Anthony Hu --- X9.146/README.md | 26 ++++++------------- X9.146/gen_dual_keysig_cert.c | 3 +-- X9.146/gen_ecdsa_dilithium_dual_keysig_cert.c | 10 +++---- X9.146/gen_ecdsa_falcon_dual_keysig_cert.c | 8 ++---- X9.146/gen_rsa_dilithium_dual_keysig_cert.c | 3 +-- X9.146/gen_rsa_falcon_dual_keysig_cert.c | 3 +-- 6 files changed, 16 insertions(+), 37 deletions(-) diff --git a/X9.146/README.md b/X9.146/README.md index 11cd3225..0923c0cb 100644 --- a/X9.146/README.md +++ b/X9.146/README.md @@ -30,7 +30,7 @@ Tested with these wolfSSL build options: ```sh ./autogen.sh # If cloned from GitHub -./configure --enable-dual-alg-certs --with-liboqs --enable-debug +./configure --enable-experimental --enable-dual-alg-certs --with-liboqs --enable-debug make sudo make install sudo ldconfig # required on some targets @@ -107,7 +107,7 @@ openssl pkey -in ../certs/dilithium_level2_server_key.der -inform der -out serv Then in wolfssl's source directory: ``` -examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P256-dilithium2-cert.pem -k ../wolfssl-examples/X9.146/server-P256-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium2-key-pq.pem +examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P256-dilithium2-cert.pem -k ../wolfssl-examples/X9.146/server-P256-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium2-key-pq.pem examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P256-dilithium2-cert.pem ``` @@ -146,7 +146,7 @@ openssl pkey -in ../certs/dilithium_level3_server_key.der -inform der -out serv Then in wolfssl's source directory: ``` -examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P384-dilithium3-cert.pem -k ../wolfssl-examples/X9.146/server-P384-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium3-key-pq.pem +examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P384-dilithium3-cert.pem -k ../wolfssl-examples/X9.146/server-P384-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium3-key-pq.pem examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P384-dilithium3-cert.pem ``` @@ -185,7 +185,7 @@ openssl pkey -in ../certs/dilithium_level5_server_key.der -inform der -out serv Then in wolfssl's source directory: ``` -examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P521-dilithium5-cert.pem -k ../wolfssl-examples/X9.146/server-P521-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium5-key-pq.pem +examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P521-dilithium5-cert.pem -k ../wolfssl-examples/X9.146/server-P521-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium5-key-pq.pem examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P521-dilithium5-cert.pem ``` @@ -224,7 +224,7 @@ i Then in wolfssl's source directory: ``` -examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P256-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-P256-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem +examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P256-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-P256-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P256-falcon1-cert.pem ``` @@ -264,7 +264,7 @@ openssl pkey -in ../certs/falcon_level5_server_key.der -inform der -out server- Then in wolfssl's source directory: ``` -examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-P521-falcon5-cert.pem -k ../wolfssl-examples/X9.146/server-P521-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon5-key-pq.pem +examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-P521-falcon5-cert.pem -k ../wolfssl-examples/X9.146/server-P521-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon5-key-pq.pem examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-P521-falcon5-cert.pem ``` @@ -305,7 +305,7 @@ openssl pkey -in ../certs/dilithium_level2_server_key.der -inform der -out serv Then in wolfssl's source directory: ``` -examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-dilithium2-cert.pem -k ../wolfssl-examples/X9.146/server-rsa3072-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium2-key-pq.pem +examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-dilithium2-cert.pem -k ../wolfssl-examples/X9.146/server-rsa3072-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-dilithium2-key-pq.pem examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-rsa3072-dilithium2-cert.pem ``` @@ -344,23 +344,13 @@ openssl pkey -in ../certs/falcon_level1_server_key.der -inform der -out server- Then in wolfssl's source directory: ``` -examples/server/server -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-rsa3072-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem +examples/server/server -d -v 4 -c ../wolfssl-examples/X9.146/server-rsa3072-falcon1-cert.pem -k ../wolfssl-examples/X9.146/server-rsa3072-key.pem --altPrivKey ../wolfssl-examples/X9.146/server-falcon1-key-pq.pem examples/client/client -v 4 -A ../wolfssl-examples/X9.146/ca-rsa3072-falcon1-cert.pem ``` ## Generating a Certificate Chain and Adding Alternative keys and Signatures -Tested with these wolfSSL build options: - -```sh -./autogen.sh # If cloned from GitHub -./configure --enable-dual-alg-certs --enable-debug -make -sudo make install -sudo ldconfig # required on some targets -``` - In the directory where this README.md file is found, build the applications: ```sh diff --git a/X9.146/gen_dual_keysig_cert.c b/X9.146/gen_dual_keysig_cert.c index dc080373..04e0a367 100644 --- a/X9.146/gen_dual_keysig_cert.c +++ b/X9.146/gen_dual_keysig_cert.c @@ -55,15 +55,14 @@ static int do_certgen(int argc, char** argv) int ret = 0; char caKeyFile[] = "./ca-key.der"; + char altPrivFile[] = "./alt-ca-key.der"; #ifdef GEN_ROOT_CERT char newCertOutput[] = "./ca-cert.der"; char sapkiFile[] = "./alt-ca-pub-key.der"; - char altPrivFile[] = "./alt-ca-key.der"; #else char caCert[] = "./ca-cert.der"; char newCertOutput[] = "./server-cert.der"; char sapkiFile[] = "./alt-server-pub-key.der"; - char altPrivFile[] = "./alt-server-key.der"; char serverKeyFile[] = "./server-key.der"; #endif FILE* file; diff --git a/X9.146/gen_ecdsa_dilithium_dual_keysig_cert.c b/X9.146/gen_ecdsa_dilithium_dual_keysig_cert.c index 1d2aad14..d4b91b23 100644 --- a/X9.146/gen_ecdsa_dilithium_dual_keysig_cert.c +++ b/X9.146/gen_ecdsa_dilithium_dual_keysig_cert.c @@ -79,25 +79,21 @@ static int do_certgen(int argc, char** argv) int ret = 0; char caKeyFile[] = "./ca-key.der"; + char altPrivFile2[] = "../certs/dilithium_level2_ca_key.der"; + char altPrivFile3[] = "../certs/dilithium_level3_ca_key.der"; + char altPrivFile5[] = "../certs/dilithium_level5_ca_key.der"; #ifdef GEN_ROOT_CERT char newCertOutput[] = "./ca-cert-pq.der"; char sapkiFile2[] = "../certs/dilithium_level2_ca_pubkey.der"; - char altPrivFile2[] = "../certs/dilithium_level2_ca_key.der"; char sapkiFile3[] = "../certs/dilithium_level3_ca_pubkey.der"; - char altPrivFile3[] = "../certs/dilithium_level3_ca_key.der"; char sapkiFile5[] = "../certs/dilithium_level5_ca_pubkey.der"; - char altPrivFile5[] = "../certs/dilithium_level5_ca_key.der"; #else char caCert[] = "./ca-cert-pq.der"; char newCertOutput[] = "./server-cert-pq.der"; char serverKeyFile[] = "./server-key.der"; - char sapkiFile2[] = "../certs/dilithium_level2_server_pubkey.der"; - char altPrivFile2[] = "../certs/dilithium_level2_server_key.der"; char sapkiFile3[] = "../certs/dilithium_level3_server_pubkey.der"; - char altPrivFile3[] = "../certs/dilithium_level3_server_key.der"; char sapkiFile5[] = "../certs/dilithium_level5_server_pubkey.der"; - char altPrivFile5[] = "../certs/dilithium_level5_server_key.der"; #endif FILE* file; Cert newCert; diff --git a/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c b/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c index 05da97c8..56ab23f1 100644 --- a/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c +++ b/X9.146/gen_ecdsa_falcon_dual_keysig_cert.c @@ -79,22 +79,18 @@ static int do_certgen(int argc, char** argv) int ret = 0; char caKeyFile[] = "./ca-key.der"; + char altPrivFile1[] = "../certs/falcon_level1_ca_key.der"; + char altPrivFile5[] = "../certs/falcon_level5_ca_key.der"; #ifdef GEN_ROOT_CERT char newCertOutput[] = "./ca-cert-pq.der"; - char sapkiFile1[] = "../certs/falcon_level1_ca_pubkey.der"; - char altPrivFile1[] = "../certs/falcon_level1_ca_key.der"; char sapkiFile5[] = "../certs/falcon_level5_ca_pubkey.der"; - char altPrivFile5[] = "../certs/falcon_level5_ca_key.der"; #else char caCert[] = "./ca-cert-pq.der"; char newCertOutput[] = "./server-cert-pq.der"; char serverKeyFile[] = "./server-key.der"; - char sapkiFile1[] = "../certs/falcon_level1_server_pubkey.der"; - char altPrivFile1[] = "../certs/falcon_level1_server_key.der"; char sapkiFile5[] = "../certs/falcon_level5_server_pubkey.der"; - char altPrivFile5[] = "../certs/falcon_level5_server_key.der"; #endif FILE* file; Cert newCert; diff --git a/X9.146/gen_rsa_dilithium_dual_keysig_cert.c b/X9.146/gen_rsa_dilithium_dual_keysig_cert.c index f8e955a7..158b7756 100644 --- a/X9.146/gen_rsa_dilithium_dual_keysig_cert.c +++ b/X9.146/gen_rsa_dilithium_dual_keysig_cert.c @@ -72,16 +72,15 @@ static int do_certgen(int argc, char** argv) int ret = 0; char caKeyFile[] = "./ca-key.der"; + char altPrivFile[] = "../certs/dilithium_level2_ca_key.der"; #ifdef GEN_ROOT_CERT char newCertOutput[] = "./ca-cert-pq.der"; char sapkiFile[] = "../certs/dilithium_level2_ca_pubkey.der"; - char altPrivFile[] = "../certs/dilithium_level2_ca_key.der"; #else char caCert[] = "./ca-cert-pq.der"; char newCertOutput[] = "./server-cert-pq.der"; char serverKeyFile[] = "./server-key.der"; char sapkiFile[] = "../certs/dilithium_level2_server_pubkey.der"; - char altPrivFile[] = "../certs/dilithium_level2_server_key.der"; #endif FILE* file; Cert newCert; diff --git a/X9.146/gen_rsa_falcon_dual_keysig_cert.c b/X9.146/gen_rsa_falcon_dual_keysig_cert.c index 6ed442bc..bcdf6e08 100644 --- a/X9.146/gen_rsa_falcon_dual_keysig_cert.c +++ b/X9.146/gen_rsa_falcon_dual_keysig_cert.c @@ -72,15 +72,14 @@ static int do_certgen(int argc, char** argv) int ret = 0; char caKeyFile[] = "./ca-key.der"; + char altPrivFile[] = "../certs/falcon_level1_ca_key.der"; #ifdef GEN_ROOT_CERT char newCertOutput[] = "./ca-cert-pq.der"; char sapkiFile[] = "../certs/falcon_level1_ca_pubkey.der"; - char altPrivFile[] = "../certs/falcon_level1_ca_key.der"; #else char caCert[] = "./ca-cert-pq.der"; char newCertOutput[] = "./server-cert-pq.der"; char sapkiFile[] = "../certs/falcon_level1_server_pubkey.der"; - char altPrivFile[] = "../certs/falcon_level1_server_key.der"; char serverKeyFile[] = "./server-key.der"; #endif FILE* file;