Meeting notes 2022 06 29
Zoom meeting. Attendees: Mike Ounsworth, Serge Mister, John Gray, Felipe Ventura, Douglas Stebila, Michael Baentsch
The meeting was recorded; since this is a public repo, the link / password was emailed by Douglas (I am not putting it in this public wiki).
Question: which OpenSSL branch do we want to do this on? The options are 1.1.1 and 3 (which is re-architected around a crypto provider interface; the provider hooks are complete for KEMs, but TLS cannot yet pick up signature schemes from a provider).
1.1.1 is in maintenance mode; no new features.
In OpenSSL 3, you can use the new provider interface to create signatures, X.509 certificates and CMS messages with provider-registered algorithms, but there is currently no hook for them in the TLS authentication layer (it still uses the built-in signature schemes).
Decision: implement in Openssl 3.
The goal is to replace the simple concatenation that oqs-provider currently uses for hybrid signatures with the composite mechanism from our draft, and to demo it with X.509 certs and CMS signed messages.
For demonstrating composite X.509 certs in OpenSSL, the most straightforward and useful route is to implement support for them in an OpenSSL 3 provider, building on oqs-provider. This gives most of the desired functionality (although OpenSSL 3 doesn't yet support registering signature schemes from a provider into the TLS 1.3 implementation).
https://github.com/open-quantum-safe/oqs-provider/tree/main/oqsprov
The basic concatenation composite that OQS implemented is probably to be found in this file: https://github.com/open-quantum-safe/oqs-provider/blob/main/oqsprov/oqs_decode_der2key.c
Mappings between OID and functions https://github.com/open-quantum-safe/oqs-provider/blob/main/oqsprov/oqsprov.c#L55
which are programmatically registered at line 384: https://github.com/open-quantum-safe/oqs-provider/blob/main/oqsprov/oqsprov.c#L384
Templating / code generation is done with Jinja (a Python templating language).
Hybrid signatures are implemented here (search for "is_hybrid"): https://github.com/open-quantum-safe/oqs-provider/blob/main/oqsprov/oqs_sig.c#L199
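As an added example (not code from oqs-provider or from the composite draft), here is a small dependency-free C encoder and strict decoder for the draft's composite signature value, assumed here to be `CompositeSignatureValue ::= SEQUENCE SIZE (2..MAX) OF BIT STRING`, one BIT STRING per component signature. The function names and the constructed stand-in signatures are mine. It shows the structural difference from the plain concatenation referenced above: the component boundaries come from the DER lengths rather than from a length convention both sides must agree on out of band, and a strict decoder rejects trailing bytes, non-minimal lengths, non-zero unused bits and single-component values.

```c
/* Added example (not oqs-provider code): minimal DER encode/decode for an
 * assumed CompositeSignatureValue ::= SEQUENCE SIZE (2..MAX) OF BIT STRING. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DER_SEQUENCE   0x30
#define DER_BIT_STRING 0x03

/* Bytes a DER length field for `len` occupies (short or long form). */
static size_t der_len_size(size_t len)
{
    size_t n = 1;
    if (len < 0x80) return 1;
    while (len) { n++; len >>= 8; }
    return n;
}

/* Write a minimal DER length field; returns bytes written. */
static size_t der_put_len(uint8_t *out, size_t len)
{
    size_t n = der_len_size(len);
    if (n == 1) { out[0] = (uint8_t)len; return 1; }
    out[0] = 0x80 | (uint8_t)(n - 1);
    for (size_t i = 1; i < n; i++)
        out[i] = (uint8_t)(len >> (8 * (n - 1 - i)));
    return n;
}

/* Parse a DER length field; rejects non-minimal encodings and overruns. */
static int der_get_len(const uint8_t *in, size_t avail, size_t *len, size_t *used)
{
    if (avail < 1) return 0;
    if (in[0] < 0x80) { *len = in[0]; *used = 1; return 1; }
    size_t n = in[0] & 0x7f, v = 0;
    if (n == 0 || n > sizeof(size_t) || avail < 1 + n) return 0;
    for (size_t i = 1; i <= n; i++) v = (v << 8) | in[i];
    if (in[1] == 0 || v < 0x80) return 0;    /* must use the shortest form */
    *len = v; *used = 1 + n;
    return 1;
}

/* Encode `count` component signatures as SEQUENCE OF BIT STRING.
 * Returns 1 and sets *outlen on success, 0 on bad input or short buffer. */
int composite_sig_encode(const uint8_t *const *sigs, const size_t *lens,
                         size_t count, uint8_t *out, size_t cap, size_t *outlen)
{
    size_t body = 0, p = 0;
    if (count < 2) return 0;                  /* SIZE (2..MAX) */
    for (size_t i = 0; i < count; i++)        /* tag + length + unused-bits byte + sig */
        body += 1 + der_len_size(lens[i] + 1) + 1 + lens[i];
    if (cap < 1 + der_len_size(body) + body) return 0;
    out[p++] = DER_SEQUENCE;
    p += der_put_len(out + p, body);
    for (size_t i = 0; i < count; i++) {
        out[p++] = DER_BIT_STRING;
        p += der_put_len(out + p, lens[i] + 1);
        out[p++] = 0x00;                      /* whole-byte signatures: 0 unused bits */
        memcpy(out + p, sigs[i], lens[i]);
        p += lens[i];
    }
    *outlen = p;
    return 1;
}

/* Strict decode: returns the component count (>= 2) with sigs[i]/lens[i]
 * pointing into `in`, or -1 on wrong tags, trailing bytes, non-minimal
 * lengths, unused bits != 0, truncation or fewer than two components. */
int composite_sig_decode(const uint8_t *in, size_t inlen,
                         const uint8_t **sigs, size_t *lens, size_t max)
{
    size_t p = 0, body, used, count = 0;
    if (inlen < 2 || in[p++] != DER_SEQUENCE) return -1;
    if (!der_get_len(in + p, inlen - p, &body, &used)) return -1;
    p += used;
    if (body != inlen - p) return -1;         /* no trailing garbage allowed */
    while (p < inlen) {
        size_t l;
        if (count >= max || in[p++] != DER_BIT_STRING) return -1;
        if (!der_get_len(in + p, inlen - p, &l, &used)) return -1;
        p += used;
        if (l < 1 || l > inlen - p || in[p] != 0x00) return -1;
        sigs[count] = in + p + 1;
        lens[count] = l - 1;
        count++;
        p += l;
    }
    return count >= 2 ? (int)count : -1;
}

int main(void)
{
    /* Constructed stand-ins for a classical and a PQ signature (not real signatures). */
    uint8_t classical[64], pq[200];
    memset(classical, 0xAA, sizeof classical);
    memset(pq, 0xBB, sizeof pq);
    const uint8_t *sigs[2] = { classical, pq };
    size_t lens[2] = { sizeof classical, sizeof pq };
    uint8_t der[512];
    size_t n;
    const uint8_t *parts[2];
    size_t plens[2];
    if (!composite_sig_encode(sigs, lens, 2, der, sizeof der, &n)) return 1;
    int k = composite_sig_decode(der, n, parts, plens, 2);
    printf("encoded %zu bytes, decoded %d components (%zu, %zu bytes)\n",
           n, k, plens[0], plens[1]);
    return k == 2 ? 0 : 1;
}
```

Inside a provider one would not hand-roll DER like this but declare the structure with OpenSSL's ASN.1 template macros and let `i2d`/`d2i` do the encoding; the hand-rolled version is only here to make the wire format and the strictness checks visible.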
Build instructions are here: https://github.com/open-quantum-safe/oqs-provider They are really geared to Ubuntu.
What about unit tests? There is a /test/ folder within the provider. We should add test cases to (at least) oqs_test_endecode.c and oqs_test_signatures.c. To run them there is a runtests.sh; you can figure out how to run it by looking at the CircleCI setup scripts.
There is also interoperability testing between 1.1.1 and 3, so if we do not implement this in 1.1.1 we should not add to those tests.