diff --git a/providers/kris/artifacts_certs_r4.zip b/providers/kris/artifacts_certs_r4.zip
index 9c718d8f..872a42ec 100644
Binary files a/providers/kris/artifacts_certs_r4.zip and b/providers/kris/artifacts_certs_r4.zip differ
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/bc_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/bc_kris.csv
new file mode 100644
index 00000000..a92f8dc9
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/bc_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/cht_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/cht_kris.csv
new file mode 100644
index 00000000..0214457c
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/cht_kris.csv
@@ -0,0 +1,4 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext-cnsprovider_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext-cnsprovider_kris.csv
new file mode 100644
index 00000000..a92f8dc9
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext-cnsprovider_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext_kris.csv
new file mode 100644
index 00000000..a92f8dc9
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/entrust_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/entrust_kris.csv
new file mode 100644
index 00000000..229eff35
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/entrust_kris.csv
@@ -0,0 +1,3 @@
+key_algorithm_oid,test_result
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/kris_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/kris_kris.csv
new file mode 100644
index 00000000..1b1ab5b6
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/kris_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,Y
+1.3.9999.3.9,Y
diff --git a/providers/kris/scripts/check_r4.sh b/providers/kris/scripts/check_r4.sh
new file mode 100755
index 00000000..850c28a8
--- /dev/null
+++ b/providers/kris/scripts/check_r4.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+# This script must be run from the root directory of pqc-certificates
+# Stolen from seventhsense.ai and retrofitted to work with OpenSSL and
+# anti-atlas.
+
+certszipr4="artifacts_certs_r4.zip"
+inputdir="./providers"
+outputdir="./output/certs"
+logfile=$outputdir/kris.log
+
+# Start the results CSV file
+mkdir -p $outputdir
+printf "Build time: %s\n\n" "$(date)" > $logfile
+
+source providers/kris/scripts/oids.sh
+
+supported_ta_oids=("${PQSP_OID_MLDSA44}" "${PQSP_OID_MLDSA65}" "${PQSP_OID_MLDSA87}" "${FALCON_512}" "${FALCON_1024}")
+
+
+function convert_to_pem {
+ # We want to check that the needed structures
+ # are all in place
+ certfile=$1
+ pemfile=$2
+
+ echo $certfile
+ # Checks if we have the PEM version of the RootCA
+ if [ -f "$certfile" ]; then
+ openssl x509 -inform DER -in "$certfile" -out "$pemfile"
+ if [ $? -gt 0 ] ; then
+ echo
+ echo "ERROR: Cannot convert $certfile into PEM format"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+check() {
+ # Extracts the argument
+ pemfile=$1
+
+ # Baseline test whether TA cert is well formed
+ openssl x509 -in $pemfile -text -noout 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "${pemfile} not suitable."
+ return 0
+ fi
+
+ # Baseline test whether TA cert is self-signed
+ openssl verify -CAfile $pemfile $pemfile 2>/dev/null >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "${pemfile} not self-signed."
+ return 0
+ fi
+
+ # Checking for some parsing errors
+ openssl x509 -in $pemfile -text -noout | grep error 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ #echo "No error parsing TA certificate in $1";
+ # Extracting algorithm name
+ openssl x509 -in $pemfile -text -noout | grep "Public Key Algorithm" 2>&1 > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "Can't extract the algorithm name"
+ echo "N"
+ return
+ fi
+ else
+ echo "Error parsing ${PEM}"
+ return 0
+ fi
+ return 1
+}
+
+# First, recurse into any provider dir
+for providerdir in $(ls -d $inputdir/*/); do
+ provider=$(basename $providerdir)
+
+ # process certs
+ zip=${providerdir}$certszipr4
+ unzipdir=${providerdir}"artifacts_certs_r4"
+ unzip -o $zip -d $unzipdir 2> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "$provider: artifacts not found"
+ continue
+ else
+ echo "Processing $provider"
+ fi
+
+ resultsfile=${outputdir}/${provider}_kris.csv
+ echo "key_algorithm_oid,test_result" > $resultsfile # CSV header row
+
+ for oid in ${supported_ta_oids[@]}; do
+ for certfile in `ls ${unzipdir}/artifacts_certs_r4/*-${oid}_ta.der`; do
+ pemfile=`dirname $certfile`/`basename $certfile .der`.pem
+ convert_to_pem $certfile $pemfile
+ check $pemfile
+ if [ $? -eq 1 ]; then
+ echo "${oid},Y" >> $resultsfile
+ else
+ echo "${oid},N" >> $resultsfile
+ fi
+ done
+ done
+done
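Review bot: The `exit 1` in `convert_to_pem` aborts the whole cross-provider run as soon as a single DER-to-PEM conversion fails, so one malformed `*_ta.der` in any provider's zip prevents every later provider from being scored, and the `not suitable` branch in `check` is then only reachable when the PEM file is missing. Since the rest of the script already records a failure as an `N` row and moves on, change `exit 1` to `return 1` and call it as `convert_to_pem "$certfile" "$pemfile" || { echo "${oid},N" >> "$resultsfile"; continue; }`. Separately, `echo "Error parsing ${PEM}"` refers to a variable that is never set anywhere in the file; `${pemfile}` is the name in scope, so that diagnostic currently prints an empty path. The inner loop also iterates over unquoted `ls` output of files that came out of a provider-supplied archive via `unzip -o`, so a filename containing whitespace or glob characters is word-split and silently scored as several entries; a plain glob, `for certfile in "${unzipdir}"/artifacts_certs_r4/*-"${oid}"_ta.der; do` with `shopt -s nullglob` set beforehand, avoids both that and the parse-`ls` anti-pattern.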