iqrcrypto

package module
v0.0.0-...-e66b43d Latest Latest
Warning

This package is not in the latest version of its module.

Go to latest
Published: Oct 26, 2020 License: Apache-2.0 Imports: 19 Imported by: 3

README

Golang Quantum-Safe Crypto

Introduction

Quantum-safe crypto golang library. Includes Golang wrapper for the ISARA Radiate™ Quantum-Resistant Library 2.0 and implementation of ISARA Catalyst™ Agile Digital Certificate Technology.

This is a limited-functionality wrapper intended for use with ISARA's Quantum-safe extension to Venafi's VCert.

For more information about ISARA and our quantum-safe solutions, visit www.isara.com.

Building

This wrapper requires the ISARA toolkit. Please contact quantumsafe@isara.com for more information.

  1. Extract the toolkit. In the rest of these instructions we'll assume it has been extracted to ~/iqr_toolkit.
  2. Set the environment variable so the wrapper can find the toolkit.
export IQR_TOOLKIT_PATH=~/iqr_toolkit # Use your actual iqr toolkit path
  1. Build and run tests
cd golang-iqrcrypto
make

If IQR_TOOLKIT_PATH is not set, the wrapper will still build but any functions that rely on the ISARA toolkit will return an error.

OpenSSL Connector Compatibility Tests

To run the OpenSSL Connector compatibility tests you need ISARA Catalyst OpenSSL Connector 2.0. Please contact quantumsafe@isara.com for more information.

  1. Using the OpenSSL Connector guide, build and install OpenSSL Connector. In the rest of the instructions we'll assume it has been installed to /usr/local/isara_ssl.
  2. Set the environment so the tests can find the toolkit and OpenSSL Connector
export IQR_TOOLKIT_PATH=~/iqr_toolkit # Use your actual iqr toolkit path
export OPENSSL=/usr/local/isara_ssl/bin/openssl
export ENGINE=/usr/local/isara_ssl/lib/engines/libiqre_engine.so
  1. Run tests
cd golang-iqrcrypto/compatibility_test/certificate
./test.sh
cd ../dilithium
./test.sh
cd ../hss
./test.sh

License

See the LICENSE file for details:

Copyright © 2020, ISARA Corporation

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Trademarks

ISARA Radiate™ and ISARA Catalyst™ are trademarks of ISARA Corporation.

Patent Information

Portions of this software are covered by US Patent 10,425,401

Documentation

Overview

Copyright (C) 2020, ISARA Corporation

Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at

<a href="http://www.apache.org/licenses/LICENSE-2.0">http://www.apache.org/licenses/LICENSE-2.0</a>

Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.

Package iqrcrypto privides Quantum-Safe algorithms and certificates using ISARA's Quantum Resistant Toolkit.

Index

Constants

View Source
const IQR_OK = C.IQR_OK

IQR_OK function completed successfully.

Variables

View Source
var (
	OidDilithium_III_SHAKE_r2 = asn1.RawValue{
		Class:      0,
		Tag:        6,
		IsCompound: false,
		Bytes:      []byte{4, 0, 127, 0, 15, 6, 9, 1},
		FullBytes:  []byte{6, 8, 4, 0, 127, 0, 15, 6, 9, 1},
	}

	OidDilithium_IV_SHAKE_r2 = asn1.RawValue{
		Class:      0,
		Tag:        6,
		IsCompound: false,
		Bytes:      []byte{4, 0, 127, 0, 15, 6, 9, 2},
		FullBytes:  []byte{6, 8, 4, 0, 127, 0, 15, 6, 9, 2},
	}
)
View Source
var IQR_HASHALGO_SHA2_256 = 2

IQR_HASHALGO_SHA2_256 SHA2-256 algorithm type identifier.

View Source
var IQR_HASHALGO_SHA2_384 = 3

IQR_HASHALGO_SHA2_384 SHA2-384 algorithm type identifier.

View Source
var IQR_HASHALGO_SHA2_512 = 4

IQR_HASHALGO_SHA2_512 SHA2-512 algorithm type identifier.

View Source
var IQR_HASHALGO_SHA3_256 = 5

IQR_HASHALGO_SHA3_256 SHA3-256 algorithm type identifier.

View Source
var IQR_HASHALGO_SHA3_512 = 6

IQR_HASHALGO_SHA3_512 SHA3-512 algorithm type identifier.

View Source
var IQR_HASH_DEFAULT_SHA2_256 C.iqr_HashCallbacks = C.IQR_HASH_DEFAULT_SHA2_256

IQR_HASH_DEFAULT_SHA2_256 Internal SHA2-256 implementation.

View Source
var IQR_HASH_DEFAULT_SHA2_384 C.iqr_HashCallbacks = C.IQR_HASH_DEFAULT_SHA2_384

IQR_HASH_DEFAULT_SHA2_384 Internal SHA2-384 implementation.

View Source
var IQR_HASH_DEFAULT_SHA2_512 C.iqr_HashCallbacks = C.IQR_HASH_DEFAULT_SHA2_512

IQR_HASH_DEFAULT_SHA2_512 Internal SHA2-512 implementation.

View Source
var IQR_HASH_DEFAULT_SHA3_256 C.iqr_HashCallbacks = C.IQR_HASH_DEFAULT_SHA3_256

IQR_HASH_DEFAULT_SHA3_256 Internal SHA3-256 implementation.

View Source
var IQR_HASH_DEFAULT_SHA3_512 C.iqr_HashCallbacks = C.IQR_HASH_DEFAULT_SHA3_512

IQR_HASH_DEFAULT_SHA3_512 Internal SHA3-512 implementation.

View Source
var IqrDILITHIUM128 = &C.IQR_DILITHIUM_128

IqrDILITHIUM128 128 bit quantum security (138 bit classical security) variant.

View Source
var IqrDILITHIUM160 = &C.IQR_DILITHIUM_160

IqrDILITHIUM160 160 bit quantum security (176 bit classical security) variant.

View Source
var (
	// OidDilithiumSignatureScheme Dilithium-Signature-Scheme
	OidDilithiumSignatureScheme = asn1.ObjectIdentifier{0, 4, 0, 127, 0, 15, 1, 1, 9, 0}
)
View Source
var (
	// OidHSSSignatureScheme Hierarchical-Signature-Scheme
	OidHSSSignatureScheme = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 16, 3, 17}
)

Functions

func CheckAltReqSignature

func CheckAltReqSignature(c *x509.CertificateRequest) error

CheckAltReqSignature check that hybrid CSR has a valid alternative signature. Currently only support Dilithium key

func CheckAltSignature

func CheckAltSignature(c *x509.Certificate, signed, signature []byte) error

CheckAltSignature verifies that the alternative signature is a valid signature over signed from c's alternative public key. It is assumed that the certificate has been verified by x509.Certificate.CheckSignature.

func CheckAltSignatureFrom

func CheckAltSignatureFrom(c *x509.Certificate, parent *x509.Certificate) error

CheckAltSignatureFrom verifies that the alternative signature of the given certificate is valid from parent. It is assumed that the certificate has been verified by the conventional signature.

func CheckQSSignatureFrom

func CheckQSSignatureFrom(c *x509.Certificate, parent *x509.Certificate) error

CheckQSSignatureFrom verifies that the Quantum-Safe (Dilithium or HSS) signature of the given certificate is valid from parent.

func CreateHybridCertificateRequest

func CreateHybridCertificateRequest(rand io.Reader, template *x509.CertificateRequest, priv interface{},
	qspriv QSPrivateKey) (csr []byte, err error)

CreateHybridCertificateRequest creates a new hybrid certificate request based on a classic one.

The returned slice is a hybrid certificate request in ASN.1 encoding.

func CreateQSCertificateRequest

func CreateQSCertificateRequest(rand io.Reader, template *x509.CertificateRequest, priv interface{}) (csr []byte, err error)

CreateQSCertificateRequest creates a new certificate request based on a template. It is similar to x509.CreateCertificateRequest except it also support Dilithium key. It does not create classic and quantum-safe hybird certificate request. To do that, use the CreateHybridCertificateRequest function.

The returned slice is the certificate request in ASN.1 encoding.

func ExtendCertificateReqAlt

func ExtendCertificateReqAlt(csrDER []byte, classicPriv interface{}, qsPriv QSPrivateKey) (csrqs []byte, err error)

ExtendCertificateReqAlt Extend a CSR to add a Quantum-Safe algorithm to the Alt extensions.

func IqrCreateContext

func IqrCreateContext(ctx **IqrContext) error

IqrCreateContext creates and initializes a Context object.

func IqrDestroyContext

func IqrDestroyContext(ctx **IqrContext) error

IqrDestroyContext destroys a context object.

func IqrDilithiumCreateKeyPair

func IqrDilithiumCreateKeyPair(params *IqrDilithiumParams, rng *IqrRNG, pub **IqrDilithiumPublicKey, priv **IqrDilithiumPrivateKey) error

IqrDilithiumCreateKeyPair Golang wrapper for iqr_DilithiumCreateKeyPair

func IqrDilithiumCreateParams

func IqrDilithiumCreateParams(ctx *IqrContext, variant *IqrDilithiumVariant, params **IqrDilithiumParams) error

IqrDilithiumCreateParams creates Dilithium's domain parameters.

func IqrDilithiumDestroyParams

func IqrDilithiumDestroyParams(params **IqrDilithiumParams) error

IqrDilithiumDestroyParams destroys Dilithium's domain parameters.

func IqrDilithiumDestroyPrivateKey

func IqrDilithiumDestroyPrivateKey(privateKey **IqrDilithiumPrivateKey) error

IqrDilithiumDestroyPrivateKey destroys a Dilithium private key.

func IqrDilithiumDestroyPublicKey

func IqrDilithiumDestroyPublicKey(publicKey **IqrDilithiumPublicKey) error

IqrDilithiumDestroyPublicKey destroys a Dilithium public key.

func IqrDilithiumExportPrivateKey

func IqrDilithiumExportPrivateKey(privKey *IqrDilithiumPrivateKey, buf []byte, size int64) error

IqrDilithiumExportPrivateKey exports a Dilithium private key.

func IqrDilithiumExportPrivateKeyPKCS8

func IqrDilithiumExportPrivateKeyPKCS8(key *DilithiumPrivateKey) (der []byte, err error)

IqrDilithiumExportPrivateKeyPKCS8 exports a Dilithium private key into PKCS8 format.

func IqrDilithiumExportPublicKey

func IqrDilithiumExportPublicKey(pubKey *IqrDilithiumPublicKey, buf []byte, size int64) error

IqrDilithiumExportPublicKey exports the Dilithium private key's data into a buffer.

func IqrDilithiumGetPrivateKeySize

func IqrDilithiumGetPrivateKeySize(params *IqrDilithiumParams, privateKeySize *int64) error

IqrDilithiumGetPrivateKeySize Golang wrapper for iqr_DilithiumGetPrivateKeySize

func IqrDilithiumGetPublicKeySize

func IqrDilithiumGetPublicKeySize(params *IqrDilithiumParams, publicKeySize *int64) error

IqrDilithiumGetPublicKeySize gets the Dilithium public key size.

func IqrDilithiumGetSignatureSize

func IqrDilithiumGetSignatureSize(params *IqrDilithiumParams, sigSize *int64) error

IqrDilithiumGetSignatureSize gets the Dilithium signature size.

func IqrDilithiumImportPrivateKey

func IqrDilithiumImportPrivateKey(params *IqrDilithiumParams, buf []byte, size int64, privateKey **IqrDilithiumPrivateKey) error

IqrDilithiumImportPrivateKey imports a Dilithium private key object from a buffer. This function only accepts data that has been generated by IqrDilithiumExportPrivateKey(). There is currently no standard for saving Dilithium private keys.

func IqrDilithiumImportPrivateKeyFromPKCS8

func IqrDilithiumImportPrivateKeyFromPKCS8(ctx *IqrContext, der []byte, size int64, privateKey **IqrDilithiumPrivateKey,
	variant **IqrDilithiumVariant, params **IqrDilithiumParams) error

IqrDilithiumImportPrivateKeyFromPKCS8

func IqrDilithiumImportPublicKey

func IqrDilithiumImportPublicKey(params *IqrDilithiumParams, buf []byte, size int64, publicKey **IqrDilithiumPublicKey) error

IqrDilithiumImportPublicKey imports a Dilithium private key object from a buffer. This function only accepts data that has been generated by iqr_DilithiumExportPrivateKey(). There is currently no standard for saving Dilithium private keys.

func IqrDilithiumImportPublicKeyFromASN1

func IqrDilithiumImportPublicKeyFromASN1(ctx *IqrContext, der []byte, size int64, publicKey **IqrDilithiumPublicKey,
	variant **IqrDilithiumVariant, params **IqrDilithiumParams) error

IqrDilithiumImportPublicKeyFromASN1 imports public key from a asn.1 encoded public key buffer.

func IqrDilithiumSign

func IqrDilithiumSign(privKey *IqrDilithiumPrivateKey, message []byte, messageSize int64, sig []byte, sigSize int64) error

IqrDilithiumSign signs a message using a Dilithium private key. sigSize must be exact the same value returned by iqrDilithiumGetSingatureSize

func IqrDilithiumVerify

func IqrDilithiumVerify(pubKey *IqrDilithiumPublicKey, message []byte, messageSize int64, sig []byte, sigSize int64) error

IqrDilithiumVerify verifies the signature of a message using a Dilithium public key. sigSize must be exact the same value returned by iqrDilithiumGetSingatureSize

func IqrError

func IqrError(ret IqrRetval) error

IqrError converts Iqr return value to Go error object.

func IqrHSSCreateParamsFromSignature

func IqrHSSCreateParamsFromSignature(ctx *IqrContext, sig []byte, sigSize int64, params **IqrHSSParams) error

IqrHSSCreateParamsFromSignature Create an HSS Parameters object using a signature.

func IqrHSSDestroyParams

func IqrHSSDestroyParams(params **IqrHSSParams) error

IqrHSSDestroyParams destroys HSS parameters and release it from memory.

func IqrHSSDestroyPublicKey

func IqrHSSDestroyPublicKey(publicKey **IqrHSSPublicKey) error

IqrHSSDestroyPublicKey destroys the HSS public key and releases it from memory.

func IqrHSSExportPublicKey

func IqrHSSExportPublicKey(pubKey *IqrHSSPublicKey, buf []byte, size int64) error

IqrHSSExportPublicKey exports HSS public key.

func IqrHSSGetPublicKeySize

func IqrHSSGetPublicKeySize(params *IqrHSSParams, publicKeySize *int64) error

IqrHSSGetPublicKeySize gets HSS public key size.

func IqrHSSImportPublicKey

func IqrHSSImportPublicKey(params *IqrHSSParams, buf []byte, size int64, publicKey **IqrHSSPublicKey) error

IqrHSSImportPublicKey imports HSS public key.

func IqrHSSImportPublicKeyFromASN1

func IqrHSSImportPublicKeyFromASN1(ctx *IqrContext, der []byte, size int64, publicKey **IqrHSSPublicKey,
	params *IqrHSSParams) error

IqrHSSImportPublicKeyFromASN1 imports public key from asn.1 encode public key.

func IqrHSSVerify

func IqrHSSVerify(pubKey *IqrHSSPublicKey, message []byte, messageSize int64, sig []byte, sigSize int64) error

IqrHSSVerify verifies HSS signature. sigSize must be exact the same value returned by IqrHSSGetSingatureSize

func IqrHashRegisterCallbacks

func IqrHashRegisterCallbacks(ctx *IqrContext, hashAlgoType int, cb C.iqr_HashCallbacks) error

IqrHashRegisterCallbacks registers a hashing implementation.

func IqrInitRNG

func IqrInitRNG(ctx **IqrContext, rng **IqrRNG, rand io.Reader) error

IqrInitRNG Convenient function to create a RNG. The returned RNG must be destroyed using the IqrRNGDestroy function.

func IqrRNGCreateHMACDRBG

func IqrRNGCreateHMACDRBG(ctx *IqrContext, hashAlgoType int, rng **IqrRNG) error

IqrRNGCreateHMACDRBG creates an HMAC-DRBG Random Number Generator.

func IqrRNGDestroy

func IqrRNGDestroy(rng **IqrRNG) error

IqrRNGDestroy destroys a Random Number Generator.

func IqrRNGInitialize

func IqrRNGInitialize(rng **IqrRNG, seed []byte) error

IqrRNGInitialize creates and initializes a Random Number Generator.

func IqrStrError

func IqrStrError(ret IqrRetval) string

IqrStrError converts Iqr return value to readable string.

func IqrToolkitLinked

func IqrToolkitLinked() bool

Types

type DilithiumPrivateKey

type DilithiumPrivateKey struct {
	Variant *IqrDilithiumVariant
	Params  *IqrDilithiumParams
	PubKey  *IqrDilithiumPublicKey
	PrivKey *IqrDilithiumPrivateKey
}

A DilithiumPrivateKey represents a Dilithium key It also implements the crypto.Signer interface.

func GenerateDilithiumPrivateKey

func GenerateDilithiumPrivateKey(variant *IqrDilithiumVariant, rand io.Reader) (*DilithiumPrivateKey, error)

GenerateDilithiumPrivateKey generates a new dilithium private key using the vaiant specified Call IqrDilithiumDestroyPrivateKey if the returned private key no longer used. variant: one of IqrDILITHIUM128 and IqrDILITHIUM160

func (*DilithiumPrivateKey) Destroy

func (priv *DilithiumPrivateKey) Destroy() error

Destroy destroy the private and its public key and release the memory

func (*DilithiumPrivateKey) Public

func (priv *DilithiumPrivateKey) Public() crypto.PublicKey

Public returns the public key corresponding to priv.

func (*DilithiumPrivateKey) QSKeyType

func (priv *DilithiumPrivateKey) QSKeyType() string

QSKeyType returns wether is the key is Quantum-Safe.

func (*DilithiumPrivateKey) Sign

func (priv *DilithiumPrivateKey) Sign(rand io.Reader, digest []byte, opts crypto.SignerOpts) ([]byte, error)

Sign signs digest with priv, reading randomness from rand.

type IqrContext

type IqrContext = C.iqr_Context

IqrContext The Context object

type IqrDilithiumParams

type IqrDilithiumParams = C.iqr_DilithiumParams

IqrDilithiumParams the Dilithium domain parameter.

type IqrDilithiumPrivateKey

type IqrDilithiumPrivateKey = C.iqr_DilithiumPrivateKey

IqrDilithiumPrivateKey the Dilithium private key.

type IqrDilithiumPublicKey

type IqrDilithiumPublicKey = C.iqr_DilithiumPublicKey

IqrDilithiumPublicKey the Dilithium public key.

type IqrDilithiumVariant

type IqrDilithiumVariant = C.iqr_DilithiumVariant

IqrDilithiumVariant the Dilithium variant, one of IqrDILITHIUM128 and IqrDILITHIUM160

type IqrHSSParams

type IqrHSSParams = C.iqr_HSSParams

IqrHSSParams the HSS algorithm's domain parameters.

type IqrHSSPublicKey

type IqrHSSPublicKey = C.iqr_HSSPublicKey

IqrHSSPublicKey handle to HSS public key.

type IqrRNG

type IqrRNG = C.iqr_RNG

IqrRNG Random Number Generator object.

type IqrRetval

type IqrRetval = C.iqr_retval

IqrRetval return value of Iqr function.

type QSPrivateKey

type QSPrivateKey interface {
	QSKeyType() string
	Destroy() error
}

QSPrivateKey is an interface for an opaque QS private key that can be used for signing operations.

type SignatureAlgorithmQS

type SignatureAlgorithmQS int

SignatureAlgorithmQS Quantum-Safe algorithms.

const (
	UnknownSignatureAlgorithm SignatureAlgorithmQS = iota
	DILITHIUM
	HSS
)

List of supported Quantum-Safe algorithms

Directories

Path Synopsis
compatibility_test
certificate Module
dilithium Module
hss Module

Jump to

Keyboard shortcuts

? : This menu
/ : Search site
f or F : Jump to
y or Y : Canonical URL