Last active
January 27, 2025 11:41
-
-
Save jaromil/5cdd0580c643d040d8cad0c026a98931 to your computer and use it in GitHub Desktop.
Post-Quantum x509 generation for MLDSA
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Needs OpenSSL 3 and openquantum-safe provider installed (oqs-provider) | |
| OpenSSL3 needs a custom configuration else is incapable of finding the provider | |
| Generation script: | |
| ```sh | |
| #!/bin/sh | |
| openssl genpkey -algorithm mldsa44 -out mldsa_private.pem | |
| openssl pkey -in mldsa_private.pem -pubout -out mldsa_public.pem | |
| openssl req -new -key mldsa_private.pem -keyform PEM -out csr.pem -subj "/CN=JaroPostQuantum" | |
| openssl x509 -req -in csr.pem -signkey mldsa_private.pem -out mldsa_certificate.pem | |
| awk ' | |
| /^--/ {next} | |
| {printf("\"%s\";\n",$1)} | |
| ' mldsa_certificate.pem | |
| ``` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| HOME = . | |
| # Use this in order to automatically load providers. | |
| openssl_conf = openssl_init | |
| config_diagnostics = 1 | |
| oid_section = new_oids | |
| [ new_oids ] | |
| tsa_policy1 = 1.2.3.4.1 | |
| tsa_policy2 = 1.2.3.4.5.6 | |
| tsa_policy3 = 1.2.3.4.5.7 | |
| [openssl_init] | |
| providers = provider_sect | |
| ssl_conf = ssl_sect | |
| [provider_sect] | |
| default = default_sect | |
| oqsprovider = oqsprovider_sect | |
| [default_sect] | |
| activate = 1 | |
| [oqsprovider_sect] | |
| activate = 1 | |
| [ ca ] | |
| default_ca = CA_default # The default ca section | |
| [ CA_default ] | |
| dir = ./demoCA # Where everything is kept | |
| certs = $dir/certs # Where the issued certs are kept | |
| crl_dir = $dir/crl # Where the issued crl are kept | |
| database = $dir/index.txt # database index file. | |
| # several certs with same subject. | |
| new_certs_dir = $dir/newcerts # default place for new certs. | |
| certificate = $dir/cacert.pem # The CA certificate | |
| serial = $dir/serial # The current serial number | |
| crlnumber = $dir/crlnumber # the current crl number | |
| # must be commented out to leave a V1 CRL | |
| crl = $dir/crl.pem # The current CRL | |
| private_key = $dir/private/cakey.pem# The private key | |
| x509_extensions = usr_cert # The extensions to add to the cert | |
| name_opt = ca_default # Subject Name options | |
| cert_opt = ca_default # Certificate field options | |
| default_days = 365 # how long to certify for | |
| default_crl_days= 30 # how long before next CRL | |
| default_md = default # use public key default MD | |
| preserve = no # keep passed DN ordering | |
| policy = policy_match | |
| [ policy_match ] | |
| countryName = match | |
| stateOrProvinceName = match | |
| organizationName = match | |
| organizationalUnitName = optional | |
| commonName = supplied | |
| emailAddress = optional | |
| [ policy_anything ] | |
| countryName = optional | |
| stateOrProvinceName = optional | |
| localityName = optional | |
| organizationName = optional | |
| organizationalUnitName = optional | |
| commonName = supplied | |
| emailAddress = optional | |
| [ req ] | |
| default_bits = 2048 | |
| default_keyfile = privkey.pem | |
| distinguished_name = req_distinguished_name | |
| attributes = req_attributes | |
| x509_extensions = v3_ca # The extensions to add to the self signed cert | |
| string_mask = utf8only | |
| [ req_distinguished_name ] | |
| countryName = Country Name (2 letter code) | |
| countryName_default = AU | |
| countryName_min = 2 | |
| countryName_max = 2 | |
| stateOrProvinceName = State or Province Name (full name) | |
| stateOrProvinceName_default = Some-State | |
| localityName = Locality Name (eg, city) | |
| 0.organizationName = Organization Name (eg, company) | |
| 0.organizationName_default = Internet Widgits Pty Ltd | |
| organizationalUnitName = Organizational Unit Name (eg, section) | |
| commonName = Common Name (e.g. server FQDN or YOUR name) | |
| commonName_max = 64 | |
| emailAddress = Email Address | |
| emailAddress_max = 64 | |
| [ req_attributes ] | |
| challengePassword = A challenge password | |
| challengePassword_min = 4 | |
| challengePassword_max = 20 | |
| unstructuredName = An optional company name | |
| [ usr_cert ] | |
| basicConstraints=CA:FALSE | |
| subjectKeyIdentifier=hash | |
| authorityKeyIdentifier=keyid,issuer | |
| [ v3_req ] | |
| basicConstraints = CA:FALSE | |
| keyUsage = nonRepudiation, digitalSignature, keyEncipherment | |
| [ v3_ca ] | |
| subjectKeyIdentifier=hash | |
| authorityKeyIdentifier=keyid:always,issuer | |
| basicConstraints = critical,CA:true | |
| [ crl_ext ] | |
| authorityKeyIdentifier=keyid:always | |
| [ proxy_cert_ext ] | |
| basicConstraints=CA:FALSE | |
| subjectKeyIdentifier=hash | |
| authorityKeyIdentifier=keyid,issuer | |
| proxyCertInfo=critical,language:id-ppl-anyLanguage,pathlen:3,policy:foo | |
| [ tsa ] | |
| default_tsa = tsa_config1 # the default TSA section | |
| [ tsa_config1 ] | |
| dir = ./demoCA # TSA root directory | |
| serial = $dir/tsaserial # The current serial number (mandatory) | |
| crypto_device = builtin # OpenSSL engine to use for signing | |
| signer_cert = $dir/tsacert.pem # The TSA signing certificate | |
| # (optional) | |
| certs = $dir/cacert.pem # Certificate chain to include in reply | |
| # (optional) | |
| signer_key = $dir/private/tsakey.pem # The TSA private key (optional) | |
| signer_digest = sha256 # Signing digest to use. (Optional) | |
| default_policy = tsa_policy1 # Policy if request did not specify it | |
| # (optional) | |
| other_policies = tsa_policy2, tsa_policy3 # acceptable policies (optional) | |
| digests = sha1, sha256, sha384, sha512 # Acceptable message digests (mandatory) | |
| accuracy = secs:1, millisecs:500, microsecs:100 # (optional) | |
| clock_precision_digits = 0 # number of digits after dot. (optional) | |
| ordering = yes # Is ordering defined for timestamps? | |
| # (optional, default: no) | |
| tsa_name = yes # Must the TSA name be included in the reply? | |
| # (optional, default: no) | |
| ess_cert_id_chain = no # Must the ESS cert id chain be included? | |
| # (optional, default: no) | |
| ess_cert_id_alg = sha1 # algorithm to compute certificate | |
| # identifier (optional, default: sha1) | |
| [insta] # CMP using Insta Demo CA | |
| server = pki.certificate.fi:8700 | |
| path = pkix/ | |
| recipient = "/C=FI/O=Insta Demo/CN=Insta Demo CA" # or set srvcert or issuer | |
| ignore_keyusage = 1 # potentially needed quirk | |
| unprotected_errors = 1 # potentially needed quirk | |
| extracertsout = insta.extracerts.pem | |
| ref = 3078 # user identification | |
| secret = pass:insta # can be used for both client and server side | |
| cmd = ir # default operation, can be overridden on cmd line with, e.g., kur | |
| subject = "/CN=openssl-cmp-test" | |
| newkey = insta.priv.pem | |
| out_trusted = insta.ca.crt | |
| certout = insta.cert.pem | |
| [pbm] # Password-based protection for Insta CA | |
| ref = $insta::ref # 3078 | |
| secret = $insta::secret # pass:insta | |
| [signature] # Signature-based protection for Insta CA | |
| trusted = insta.ca.crt # does not include keyUsage digitalSignature | |
| secret = # disable PBM | |
| key = $insta::newkey # insta.priv.pem | |
| cert = $insta::certout # insta.cert.pem | |
| [ir] | |
| cmd = ir | |
| [cr] | |
| cmd = cr | |
| [kur] | |
| cmd = kur | |
| oldcert = $insta::certout # insta.cert.pem | |
| [rr] | |
| cmd = rr | |
| oldcert = $insta::certout # insta.cert.pem | |
| [ssl_sect] | |
| system_default = system_default_sect | |
| [system_default_sect] | |
| CipherString = DEFAULT:@SECLEVEL=2 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment