qiss

package module
v0.0.0-...-a291819 Latest
Warning

This package is not in the latest version of its module.

Published: Dec 14, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

README

qiss

qiss is a toy application exploring the integration of post-quantum cryptography into certificate verification during a TLS connection.

It adds a TLS server which embeds a post-quantum signature into the cert it generates, and a client which validates the post-quantum signatures in the certs after the regular TLS handshake is complete.

Security

The techniques used here aren't suitable for public use; they're not fully thought through, need to be rearchitected, and could be entirely wrong. The post-quantum signatures used here don't really assert anything useful.

The certificate extensions used for post-quantum crypto are also entirely arbitrary and unstandardized. Nothing else will (or should) understand them. The final design for post-quantum TLS will almost certainly look nothing like this.

qiss doesn't attempt to use a post-quantum KEM and as such the TLS handshake used here isn't post-quantum; only the signatures on the generated server certificate are post-quantum.

Running the Example

Every artifact - including the required C library, liboqs - is placed into bin/. Everything can be built and controlled through the Makefile.

# Run the server (will download and build liboqs first, which will require a C compiler and CMake to be installed)
make runqiss_server

# The server writes bin/ca.crt which has both an ECDSA and post-quantum signature

# Run the client, which loads bin/ca.crt for verification.
make runqiss_client

Documentation

Constants

This section is empty.

Variables

This section is empty.

Functions

func ServerCertificateValidator

func ServerCertificateValidator(base *tls.Config, verbose bool) *tls.Config

ServerCertificateValidator returns a tls.Config which validates post-quantum signatures on all verified chains (i.e., chains which have had their legacy signatures verified), based on the given base config. The returned value is an augmented clone of the base; base is not modified.

func SignCSR

func SignCSR(csr *x509.CertificateRequest, signingBundle *MultiKeyCertBundle) ([]byte, error)

SignCSR takes a parsed certificate request, validates it and signs it using both legacy and post-quantum signatures.

func ValidateMultiKeyCSR

func ValidateMultiKeyCSR(csr *x509.CertificateRequest) (*x509.CertificateRequest, error)

ValidateMultiKeyCSR validates that the pq key and signature extensions are present and valid in the given CSR. Returns the same CSR on success.

func ValidateMultiKeyDERCSR

func ValidateMultiKeyDERCSR(derCSR []byte) (*x509.CertificateRequest, error)

ValidateMultiKeyDERCSR parses the given DER-encoded CSR, and then validates that the pq key and signature extensions are present and valid. Returns the parsed CSR on success.

Types

type MultiKeyCertBundle

type MultiKeyCertBundle struct {
	ParsedCert *x509.Certificate

	CertPEM string
	CertDER []byte

	LegacyPublicKey crypto.PublicKey
	PQPublicKey     []byte

	PQKeyBundle
}

MultiKeyCertBundle wraps a certificate along with its keys, both post-quantum and legacy.

func GenerateMultiKeyRootCert

func GenerateMultiKeyRootCert() (*MultiKeyCertBundle, error)

GenerateMultiKeyRootCert creates a new root certificate with an Ed25519 legacy signature and a falcon-1024 post-quantum signature.

func (*MultiKeyCertBundle) OQSSignature

func (m *MultiKeyCertBundle) OQSSignature() (*oqs.Signature, error)

OQSSignature returns an OQS signature object which can be used for signing, based on the key embedded in the bundle.

type PQKeyBundle

type PQKeyBundle struct {
	LegacyPrivateKey *ecdsa.PrivateKey
	PQPrivateKey     []byte
}

PQKeyBundle holds both a legacy and post-quantum key.

func GenerateMultiKeyCSR

func GenerateMultiKeyCSR(commonName string, dnsNames []string) ([]byte, PQKeyBundle, error)

GenerateMultiKeyCSR creates an ecdsa/pq multi-key CSR, returning the DER-encoded CSR and the generated keys.

func (*PQKeyBundle) LegacyKeyPEM

func (p *PQKeyBundle) LegacyKeyPEM() ([]byte, error)

LegacyKeyPEM returns the legacy key, encoded in PEM format.

Directories

Path Synopsis
cmd
