From b4bd51b019bd2aa787fa2b40cfa35a6ea62c3730 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Sat, 30 Sep 2023 17:05:36 +0200 Subject: [PATCH 1/3] fix for txt output length of plain PQ key material --- oqsprov/oqs_encode_key2any.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/oqsprov/oqs_encode_key2any.c b/oqsprov/oqs_encode_key2any.c index ca545dd8..35da3af9 100644 --- a/oqsprov/oqs_encode_key2any.c +++ b/oqsprov/oqs_encode_key2any.c @@ -1160,7 +1160,7 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - int classic_key_len = 0; + int classic_key_len = 0 - SIZE_OF_UINT32; if (okey->numkeys > 1) { char classic_label[200]; @@ -1178,7 +1178,7 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) return 0; } if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { - int classic_key_len = 0; + int classic_key_len = 0 - SIZE_OF_UINT32; if (okey->numkeys > 1) { char classic_label[200]; From 0bc3b38cb204bb48c34099181870ed69042f1981 Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 2 Oct 2023 17:19:47 +0200 Subject: [PATCH 2/3] clarify use of hybrids in txt encoder --- oqsprov/oqs_encode_key2any.c | 77 +++++++++++++++++++--------------- scripts/oqsprovider-certgen.sh | 8 ++++ 2 files changed, 52 insertions(+), 33 deletions(-) diff --git a/oqsprov/oqs_encode_key2any.c b/oqsprov/oqs_encode_key2any.c index 35da3af9..7704da89 100644 --- a/oqsprov/oqs_encode_key2any.c +++ b/oqsprov/oqs_encode_key2any.c @@ -1103,7 +1103,6 @@ static int print_labeled_buf(BIO *out, const char *label, static int oqsx_to_text(BIO *out, const void *key, int selection) { OQSX_KEY *okey = (OQSX_KEY *)key; - int is_hybrid = 0; if (out == NULL || okey == NULL) { ERR_raise(ERR_LIB_USER, ERR_R_PASSED_NULL_PARAMETER); 
@@ -1125,7 +1124,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) case KEY_TYPE_ECP_HYB_KEM: case KEY_TYPE_ECX_HYB_KEM: case KEY_TYPE_HYB_SIG: - is_hybrid = 1; if (BIO_printf(out, "%s hybrid private key:\n", okey->tls_name) <= 0) return 0; @@ -1149,7 +1147,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) case KEY_TYPE_ECP_HYB_KEM: case KEY_TYPE_ECX_HYB_KEM: case KEY_TYPE_HYB_SIG: - is_hybrid = 1; if (BIO_printf(out, "%s hybrid public key:\n", okey->tls_name) <= 0) return 0; break; 
@@ -1160,40 +1157,54 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - int classic_key_len = 0 - SIZE_OF_UINT32; - - if (okey->numkeys > 1) { - char classic_label[200]; - sprintf(classic_label, - "%s key material:", OBJ_nid2sn(okey->evp_info->nid)); - DECODE_UINT32(classic_key_len, okey->privkey); - if (!print_labeled_buf(out, classic_label, okey->comp_privkey[0], - classic_key_len)) - return 0; + if (okey->privkey) { + if (okey->numkeys > 1) { // hybrid key + char classic_label[200]; + int classic_key_len = 0; + sprintf(classic_label, + "%s key material:", OBJ_nid2sn(okey->evp_info->nid)); + DECODE_UINT32(classic_key_len, okey->privkey); + if (!print_labeled_buf(out, classic_label, + okey->comp_privkey[0], classic_key_len)) + return 0; + /* finally print pure PQ key */ + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_privkey[okey->numkeys - 1], + okey->privkeylen - classic_key_len + - SIZE_OF_UINT32)) + return 0; + } else { // plain PQ key + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_privkey[okey->numkeys - 1], + okey->privkeylen)) + return 0; + } } - /* finally print pure PQ key */ - if (!print_labeled_buf( - out, "PQ key material:", okey->comp_privkey[okey->numkeys - 1], - okey->privkeylen - classic_key_len - SIZE_OF_UINT32)) - return 0; } if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { - int classic_key_len = 0 - SIZE_OF_UINT32; - - if (okey->numkeys > 1) { - char classic_label[200]; - DECODE_UINT32(classic_key_len, okey->pubkey); - sprintf(classic_label, - "%s key material:", OBJ_nid2sn(okey->evp_info->nid)); - if (!print_labeled_buf(out, classic_label, okey->comp_pubkey[0], - classic_key_len)) - return 0; + if (okey->pubkey) { + if (okey->numkeys > 1) { // hybrid key + char classic_label[200]; + int classic_key_len = 0; + DECODE_UINT32(classic_key_len, okey->pubkey); + sprintf(classic_label, + "%s key material:", 
OBJ_nid2sn(okey->evp_info->nid)); + if (!print_labeled_buf(out, classic_label, okey->comp_pubkey[0], + classic_key_len)) + return 0; + /* finally print pure PQ key */ + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_pubkey[okey->numkeys - 1], + okey->pubkeylen - classic_key_len + - SIZE_OF_UINT32)) + return 0; + } else { // PQ key only + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_pubkey[okey->numkeys - 1], + okey->pubkeylen)) + return 0; + } } - /* finally print pure PQ key */ - if (!print_labeled_buf( - out, "PQ key material:", okey->comp_pubkey[okey->numkeys - 1], - okey->pubkeylen - classic_key_len - SIZE_OF_UINT32)) - return 0; } return 1; diff --git a/scripts/oqsprovider-certgen.sh b/scripts/oqsprovider-certgen.sh index e642bedd..9ac5295a 100755 --- a/scripts/oqsprovider-certgen.sh +++ b/scripts/oqsprovider-certgen.sh @@ -1,6 +1,10 @@ #!/bin/bash +set -e +set -x + # Use newly built oqsprovider to generate certs for alg $1 +# Tests use of openssl req genpkey x509 verify pkey commands if [ $# -ne 1 ]; then echo "Usage: $0 . Exiting." @@ -31,6 +35,10 @@ $OPENSSL_APP genpkey -algorithm $1 -out tmp/$1_srv.key && \ $OPENSSL_APP req -new -newkey $1 -keyout tmp/$1_srv.key -out tmp/$1_srv.csr -nodes -subj "/CN=oqstest server" && \ $OPENSSL_APP x509 -req -in tmp/$1_srv.csr -out tmp/$1_srv.crt -CA tmp/$1_CA.crt -CAkey tmp/$1_CA.key -CAcreateserial -days 365 && \ $OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt +# test PEM/DER/TEXT encoder/decoder logic: +$OPENSSL_APP pkey -text -in tmp/$1_CA.key +$OPENSSL_APP pkey -in tmp/$1_CA.key -outform DER -out tmp/$1_CA.der +xxd -i tmp/$1_CA.der #fails: #$OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt -provider oqsprovider -provider default From 0c1bd58befa27a94d9e3a1992d14a91c79e91fb8 Mon Sep 17 00:00:00 2001 
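Review bot: In both hybrid branches the length read by `DECODE_UINT32(classic_key_len, okey->privkey)` (and the `okey->pubkey` twin) is used unchecked, both as the size of `comp_privkey[0]` and in `okey->privkeylen - classic_key_len - SIZE_OF_UINT32`. A value that is negative as an `int` or larger than the blob would make `print_labeled_buf` read outside the key buffers. Whether the decoder already rejects such keys is not visible in this hunk, so a local guard right after each decode is worthwhile, assuming the length fields are unsigned: `if (classic_key_len < 0 || okey->privkeylen < SIZE_OF_UINT32 || (size_t)classic_key_len > okey->privkeylen - SIZE_OF_UINT32) return 0;`. The `sprintf` into `classic_label[200]` is also unbounded and passes the `OBJ_nid2sn` result to `%s` without a NULL check; `snprintf(classic_label, sizeof(classic_label), ...)` after checking the short name would bound it. `oqsx_to_text` starts and ends outside this hunk.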
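Review bot: With `set -e` now at the top, the `&& \` chain ending in `$OPENSSL_APP verify` no longer decides the script's result, because errexit ignores a failing command in an `&&` list unless it is the last one; a failed `req` or `x509` falls through to the new `pkey` lines, which only read `tmp/$1_CA.key` and can still succeed. The run can then finish with status 0 although the server certificate was never produced or verified. Dropping the `&& \` continuations, so that each `$OPENSSL_APP` call is its own command, lets `set -e` stop at the first failure. Separately, the DER file is only dumped with `xxd -i`; reading it back with `$OPENSSL_APP pkey -inform DER -in tmp/$1_CA.der -noout` would exercise the decoder that the new comment mentions. The rest of the script is outside this hunk, so whether earlier chains have the same shape is not visible.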
From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Mon, 2 Oct 2023 18:12:29 +0200 Subject: [PATCH 3/3] make key output dependent on tool availability --- scripts/oqsprovider-certgen.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/oqsprovider-certgen.sh b/scripts/oqsprovider-certgen.sh index 9ac5295a..6f607bd1 100755 --- a/scripts/oqsprovider-certgen.sh +++ b/scripts/oqsprovider-certgen.sh @@ -38,7 +38,9 @@ $OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt # test PEM/DER/TEXT encoder/decoder logic: $OPENSSL_APP pkey -text -in tmp/$1_CA.key $OPENSSL_APP pkey -in tmp/$1_CA.key -outform DER -out tmp/$1_CA.der +if command -v xxd &> /dev/null; then xxd -i tmp/$1_CA.der +fi #fails: #$OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt -provider oqsprovider -provider default