wolfssl-examples/pq
jordan 1252dd6a34 Add missing wc_LmsKey_Init call. 2024-05-09 15:31:11 -05:00
stateful_hash_sig Add missing wc_LmsKey_Init call. 2024-05-09 15:31:11 -05:00
stm32 Clean up wolfSSL path variable name 2024-04-04 13:28:23 -04:00
Makefile Clean up wolfSSL path variable name 2024-04-04 13:28:23 -04:00
README.md Add LMS/HSS example. (#390) 2023-07-14 16:38:41 -04:00
client-pq-tls13.c Peer review feedback fixes. 2022-02-22 13:45:10 -08:00
falcon_certverify.c Add command args for cert file 2022-02-12 09:18:38 +09:00
server-pq-tls13.c Add command args for cert file 2022-02-12 09:18:38 +09:00
sphincs_sign_verify.c Add LMS/HSS example. (#390) 2023-07-14 16:38:41 -04:00

README.md

wolfSSL Post-Quantum Cryptography Example

This directory contains:

  • A simple example of using the wolfSSL CertManager to verify a Falcon certificate chain in a standalone manner, separate from an SSL/TLS connection.
  • A simple example of using wolfCrypt APIs to sign a message with a SPHINCS+ private key and verify that message using the corresponding SPHINCS+ public key from an X.509 certificate, in a standalone manner, separate from an SSL/TLS connection.
  • A server application that performs a completely quantum-safe TLS 1.3 connection.
  • A client application that performs a completely quantum-safe TLS 1.3 connection with the server above.
  • An STM32CubeIDE project for making a quantum-safe TLS 1.3 connection over UART, and some applications that run on the Linux side to connect with it.

Prerequisites

Please see the wolfSSL repo's INSTALL file:

https://github.com/wolfSSL/wolfssl/blob/master/INSTALL

Item 15 (Building with liboqs for TLS 1.3 [EXPERIMENTAL]) has instructions on how to configure and build:

  • liboqs
  • wolfssl
  • patched OQS's OpenSSL fork

Building the Applications

$ make

Verification of OQS Falcon Certificates

The generate_falcon_chains.sh script in the oqs directory in the osp repo will allow you to use a patched version of OQS's OpenSSL fork in order to generate a self-signed CA certificate and entity certificate that uses the Falcon signature scheme. In the OpenSSL directory, run the script to generate the certificates and then copy them into this directory. Please see https://github.com/wolfSSL/osp/tree/master/oqs/README.md for further instructions about certificate generation.

Once that is complete, execute falcon_certverify:

$ ./falcon_certverify

Signing and Verifying a Message with SPHINCS+

The generate_sphincs_chains.sh script in the oqs directory in the osp repo will allow you to use a patched version of OQS's OpenSSL fork in order to generate a self-signed CA certificate and entity certificate that uses the SPHINCS+ signature scheme. In the OpenSSL directory, run the script to generate the certificates and then copy them into this directory. Please see https://github.com/wolfSSL/osp/tree/master/oqs/README.md for further instructions about certificate generation.

Once that is complete, execute sphincs_sign_verify:

$ ./sphincs_sign_verify

Quantum-Safe TLS 1.3 Connection

client-pq-tls13 will connect with server-pq-tls13 via a completely quantum-safe connection. Authentication will be done via the FALCON signature scheme. Ephemeral key establishment will be done via the KYBER KEM. Both are NIST PQC competition round 3 finalists. Please see https://github.com/wolfSSL/osp/tree/master/oqs/README.md for further instructions about certificate generation.

In a terminal, execute the server:

$ ./server-pq-tls13

In another terminal, execute the client:

$ ./client-pq-tls13 127.0.0.1

The client will be prompted for a message to send to the server. Once you see this prompt, a quantum-safe connection has already been established. Use the client to send the message "shutdown" in order to end the execution of the server.