Skip to content

Commit

Permalink
fix for txt output length of plain PQ key material (open-quantum-safe…
Browse files Browse the repository at this point in the history
…#268)

* fix for txt output length of plain PQ key material

* clarify use of hybrids in txt encoder

* add txt/DER/PEM test and make key output dependent on tool availability

Signed-off-by: Felipe Ventura <[email protected]>
  • Loading branch information
baentsch authored and feventura committed Mar 13, 2024
1 parent dd7022f commit c131e31
Show file tree
Hide file tree
Showing 2 changed files with 54 additions and 33 deletions.
77 changes: 44 additions & 33 deletions oqsprov/oqs_encode_key2any.c
Original file line number Diff line number Diff line change
Expand Up @@ -1241,7 +1241,6 @@ static int print_labeled_buf(BIO *out, const char *label,
static int oqsx_to_text(BIO *out, const void *key, int selection)
{
OQSX_KEY *okey = (OQSX_KEY *)key;
int is_hybrid = 0;

if (out == NULL || okey == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_PASSED_NULL_PARAMETER);
Expand All @@ -1263,7 +1262,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection)
case KEY_TYPE_ECP_HYB_KEM:
case KEY_TYPE_ECX_HYB_KEM:
case KEY_TYPE_HYB_SIG:
is_hybrid = 1;
if (BIO_printf(out, "%s hybrid private key:\n", okey->tls_name)
<= 0)
return 0;
Expand All @@ -1287,7 +1285,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection)
case KEY_TYPE_ECP_HYB_KEM:
case KEY_TYPE_ECX_HYB_KEM:
case KEY_TYPE_HYB_SIG:
is_hybrid = 1;
if (BIO_printf(out, "%s hybrid public key:\n", okey->tls_name) <= 0)
return 0;
break;
Expand All @@ -1298,40 +1295,54 @@ static int oqsx_to_text(BIO *out, const void *key, int selection)
}

if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) {
int classic_key_len = 0;

if (okey->numkeys > 1) {
char classic_label[200];
sprintf(classic_label,
"%s key material:", OBJ_nid2sn(okey->evp_info->nid));
DECODE_UINT32(classic_key_len, okey->privkey);
if (!print_labeled_buf(out, classic_label, okey->comp_privkey[0],
classic_key_len))
return 0;
if (okey->privkey) {
if (okey->numkeys > 1) { // hybrid key
char classic_label[200];
int classic_key_len = 0;
sprintf(classic_label,
"%s key material:", OBJ_nid2sn(okey->evp_info->nid));
DECODE_UINT32(classic_key_len, okey->privkey);
if (!print_labeled_buf(out, classic_label,
okey->comp_privkey[0], classic_key_len))
return 0;
/* finally print pure PQ key */
if (!print_labeled_buf(out, "PQ key material:",
okey->comp_privkey[okey->numkeys - 1],
okey->privkeylen - classic_key_len
- SIZE_OF_UINT32))
return 0;
} else { // plain PQ key
if (!print_labeled_buf(out, "PQ key material:",
okey->comp_privkey[okey->numkeys - 1],
okey->privkeylen))
return 0;
}
}
/* finally print pure PQ key */
if (!print_labeled_buf(
out, "PQ key material:", okey->comp_privkey[okey->numkeys - 1],
okey->privkeylen - classic_key_len - SIZE_OF_UINT32))
return 0;
}
if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) {
int classic_key_len = 0;

if (okey->numkeys > 1) {
char classic_label[200];
DECODE_UINT32(classic_key_len, okey->pubkey);
sprintf(classic_label,
"%s key material:", OBJ_nid2sn(okey->evp_info->nid));
if (!print_labeled_buf(out, classic_label, okey->comp_pubkey[0],
classic_key_len))
return 0;
if (okey->pubkey) {
if (okey->numkeys > 1) { // hybrid key
char classic_label[200];
int classic_key_len = 0;
DECODE_UINT32(classic_key_len, okey->pubkey);
sprintf(classic_label,
"%s key material:", OBJ_nid2sn(okey->evp_info->nid));
if (!print_labeled_buf(out, classic_label, okey->comp_pubkey[0],
classic_key_len))
return 0;
/* finally print pure PQ key */
if (!print_labeled_buf(out, "PQ key material:",
okey->comp_pubkey[okey->numkeys - 1],
okey->pubkeylen - classic_key_len
- SIZE_OF_UINT32))
return 0;
} else { // PQ key only
if (!print_labeled_buf(out, "PQ key material:",
okey->comp_pubkey[okey->numkeys - 1],
okey->pubkeylen))
return 0;
}
}
/* finally print pure PQ key */
if (!print_labeled_buf(
out, "PQ key material:", okey->comp_pubkey[okey->numkeys - 1],
okey->pubkeylen - classic_key_len - SIZE_OF_UINT32))
return 0;
}

return 1;
Expand Down
10 changes: 10 additions & 0 deletions scripts/oqsprovider-certgen.sh
Original file line number Diff line number Diff line change
@@ -1,6 +1,10 @@
#!/bin/bash

set -e
set -x

# Use newly built oqsprovider to generate certs for alg $1
# Tests use of openssl req genpkey x509 verify pkey commands

if [ $# -ne 1 ]; then
echo "Usage: $0 <algorithmname>. Exiting."
Expand Down Expand Up @@ -31,6 +35,12 @@ $OPENSSL_APP genpkey -algorithm $1 -out tmp/$1_srv.key && \
$OPENSSL_APP req -new -newkey $1 -keyout tmp/$1_srv.key -out tmp/$1_srv.csr -nodes -subj "/CN=oqstest server" && \
$OPENSSL_APP x509 -req -in tmp/$1_srv.csr -out tmp/$1_srv.crt -CA tmp/$1_CA.crt -CAkey tmp/$1_CA.key -CAcreateserial -days 365 && \
$OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt
# test PEM/DER/TEXT encoder/decoder logic:
$OPENSSL_APP pkey -text -in tmp/$1_CA.key
$OPENSSL_APP pkey -in tmp/$1_CA.key -outform DER -out tmp/$1_CA.der
if command -v xxd &> /dev/null; then
xxd -i tmp/$1_CA.der
fi

#fails:
#$OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt -provider oqsprovider -provider default
Expand Down

0 comments on commit c131e31

Please sign in to comment.