Implement Hybrid SSH Keys

This finishes the work in PR open-quantum-safe#160 which applied the upstream `sshkey.c` refactor to the OQS fork by adding support for hybrid SSH keys. More importantly, this brings the `OQS-v9` branch up to parity with `OQS-v8` in terms of supported algorithms and functionality. Therefore, we can do more in depth and thorough validation to increase confidence in cutting over to this newer branch. Speaking to the code changes for hybrid SSH key support, this works by adding logic to `ssh-oqs` which branches on hybrid SSH key implementations to handle the classical portion of the key and combine it with the PQ portion as-appropriate. The main trick is to introduce a small lookup table for the RSA/ECDSA implementation and exposing the symbols to `ssh-oqs` via an extern declaration. One notable oddity is that upstream OpenSSH multiplexes the underlying EC curves by placing a generic implementation behind the P-256 struct and allowing the implementation to fork based on the `bits` or `key->type` parameters. Depending on the context, this is how `sshkey` does things so I followed their convention. Related to issue open-quantum-safe#135 Asserted that Circle CI jobs pass. These tests run through a subset of the OpenSSH unit tests that have been documented to pass against the OQS fork and skip tests that depend on missing/broken functionality. This demonstrates internal consistency and parity with the testing bar set by `OQS-v8`. Performed interop testing between `OQS-v8` and `OQS-v9` to assert that we have no regressions from pulling in 2 years of upstream changes and re-implementing PQ+Hybrid SSH Keys. This was done by modifying `try_connection.py` which tests all PQ+Hybrid signatures and key exchanges by connecting the built SSH client to the SSHD server and explicitly specifying each algorithm. By adding CLI flags to override this test to use an SSH or SSHD binary from somewhere else, we can perform thorough interop testing between an `OQS-v8` server and `OQS-v9` client or vice versa. Detailed process/commands outlined below. ``` git clone [email protected]:open-quantum-safe/openssh.git oqs-openssh-clean cd oqs-openssh-clean git checkout OQS-v8 ./oqs-scripts/clone_liboqs.sh ./oqs-scripts/build_liboqs.sh ./oqs-scripts/build_openssh.sh python3 oqs-test/try_connection.py --sshd `readlink -f ../oqs-openssh-clean/sshd` doall Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon512. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-rsa3072-falcon512. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp256-falcon512. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon1024. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp521-falcon1024. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-dilithium2. ... python3 oqs-test/try_connection.py --ssh `readlink -f ../oqs-openssh-clean/ssh` doall Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon512. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-rsa3072-falcon512. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp256-falcon512. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-falcon1024. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-ecdsa-nistp521-falcon1024. Success! Key Exchange Algorithm: frodokem-640-aes-sha256. Signature Algorithm: ssh-dilithium2. ... ``` Signed-off-by: Gerardo Ravago <[email protected]>
geedo0 · Jul 23, 2024 · 8f86cfe · 8f86cfe
1 parent 1173ecc
commit 8f86cfe
Show file tree

Hide file tree

Showing 12 changed files with 599 additions and 158 deletions.
diff --git a/oqs-template/oqs-test/try_connection.py/list_all_kexs.fragment b/oqs-template/oqs-test/try_connection.py/list_all_kexs.fragment
@@ -1,7 +1,7 @@
 {%- for kex in config['kexs'] %}
     "{{ kex['pretty_name'] }}",
     {%- for curve in kex['mix_with'] %}
-    # "{{ curve['pretty_name'] }}",
+    "{{ curve['pretty_name'] }}",
     {%- endfor -%}
 {%- endfor %}
 
diff --git a/oqs-template/oqs-test/try_connection.py/list_all_sigs.fragment b/oqs-template/oqs-test/try_connection.py/list_all_sigs.fragment
@@ -1,7 +1,7 @@
 {%- for sig in config['sigs'] %}
     "ssh-{{ sig['name']|replace('_','') }}",
     {%- for alg in sig['mix_with'] %}
-    # "ssh-{{ alg['name']|replace('_','-') }}-{{ sig['name']|replace('_','') }}",
+    "ssh-{{ alg['name']|replace('_','-') }}-{{ sig['name']|replace('_','') }}",
     {%- endfor -%}
 {%- endfor %}
 
diff --git a/oqs-template/ssh-keygen.c/define_key_types.fragment b/oqs-template/ssh-keygen.c/define_key_types.fragment
@@ -4,13 +4,13 @@
 #ifdef WITH_OPENSSL
 {%- for sig in config['sigs'] %}
     {%- for alg in sig['mix_with'] if alg['rsa'] %}
-		// { "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
+		{ "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
     {%- endfor %}
 {%- endfor %}
 #ifdef OPENSSL_HAS_ECC
 {%- for sig in config['sigs'] %}
     {%- for alg in sig['mix_with'] if not alg['rsa'] %}
-		// { "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
+		{ "{{ alg['name'] }}_{{ sig['name']|replace('_','') }}", "{{ alg['name']|upper }}_{{ sig['name']|upper }}", _PATH_HOST_{{ alg['name']|upper }}_{{ sig['name']|upper }}_KEY_FILE },
     {%- endfor %}
 {%- endfor %}
 #endif /* OPENSSL_HAS_ECC */

diff --git a/oqs-template/ssh-keygen.c/handle_ecdsa_hybrids.fragment b/oqs-template/ssh-keygen.c/handle_ecdsa_hybrids.fragment
diff --git a/oqs-template/ssh-oqs.c/define_sig_functions.fragment b/oqs-template/ssh-oqs.c/define_sig_functions.fragment
@@ -15,7 +15,7 @@ static int ssh_{{ symbol_base_name }}_generate(struct sshkey *k, int bits)
   return OQS_SIG_{{ sig['name'] }}_keypair(k->oqs_pk, k->oqs_sk);
 }
 
-int ssh_{{ symbol_base_name }}_sign(const struct sshkey *key,
+int ssh_{{ symbol_base_name }}_sign(struct sshkey *key,
                      u_char **sigp,
                      size_t *lenp,
                      const u_char *data,
@@ -29,7 +29,7 @@ int ssh_{{ symbol_base_name }}_sign(const struct sshkey *key,
     if (sig == NULL) {
         return SSH_ERR_ALLOC_FAIL;
     }
-    int r = ssh_generic_sign(sig, "{{ symbol_base_name }}", key, sigp, lenp, data, datalen, compat);
+    int r = oqs_sign(sig, "{{ symbol_base_name }}", key, sigp, lenp, data, datalen, compat);
     OQS_SIG_free(sig);
     return r;
 }
@@ -40,13 +40,14 @@ int ssh_{{ symbol_base_name }}_verify(const struct sshkey *key,
                        const u_char *data,
                        size_t datalen,
                        const char *alg,
-                       u_int compat)
+                       u_int compat,
+                       struct sshkey_sig_details **detailsp)
 {
     OQS_SIG *sig = OQS_SIG_new(OQS_SIG_alg_{{ sig['name'] }});
     if (sig == NULL) {
         return SSH_ERR_ALLOC_FAIL;
     }
-    int r = ssh_generic_verify(sig, "{{ symbol_base_name }}", key, signature, signaturelen, data, datalen, compat);
+    int r = oqs_verify(sig, "{{ symbol_base_name }}", key, signature, signaturelen, data, datalen, compat);
     OQS_SIG_free(sig);
     return r;
 }
@@ -79,8 +80,7 @@ const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
 };
 {%- endfor %}
 
-#ifdef HYBRID_IMPLEMENTATION_EXISTS
-// #ifdef WITH_OPENSSL
+#ifdef WITH_OPENSSL
 {%- for sig in config['sigs'] %}
 {%- for alg in sig['mix_with'] if alg['rsa'] %}
 {%- set symbol_base_name = alg['name']|replace('_','') + '_' + sig['name']|replace('_','') %}
@@ -93,17 +93,17 @@ static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
   /* .ssh_deserialize_public = */ ssh_generic_deserialize_public,
   /* .ssh_serialize_private = */ ssh_generic_serialize_private,
   /* .ssh_deserialize_private = */ ssh_generic_deserialize_private,
-  /* .generate = */ ssh_{{ symbol_base_name }}_generate,
+  /* .generate = */ ssh_generic_generate,
   /* .copy_public = */ ssh_generic_copy_public,
-  /* .sign = */ ssh_{{ symbol_base_name }}_sign,
-  /* .verify = */ ssh_{{ symbol_base_name }}_verify,
+  /* .sign = */ ssh_generic_sign,
+  /* .verify = */ ssh_generic_verify,
 };
 
 const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
-  /* .name = */ "ssh-{{ symbol_base_name }}",
+  /* .name = */ "ssh-{{ alg['name']|replace('_','') + '-' + sig['name']|replace('_','') }}",
   /* .shortname = */ "{{ symbol_base_name|upper }}",
   /* .sigalg = */ NULL,
-  /* .type = */ KEY_{{ sig['name']|upper }},
+  /* .type = */ KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }},
   /* .nid = */ 0,
   /* .cert = */ 0,
   /* .sigonly = */ 0,
@@ -112,5 +112,38 @@ const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
 };
 {%- endfor %}
 {%- endfor %}
+#ifdef OPENSSL_HAS_ECC
+{%- for sig in config['sigs'] %}
+{%- for alg in sig['mix_with'] if not alg['rsa'] %}
+{%- set symbol_base_name = alg['name']|replace('_','') + '_' + sig['name']|replace('_','') %}
+static const struct sshkey_impl_funcs sshkey_{{ symbol_base_name }}_funcs = {
+  /* .size = */ ssh_generic_size,
+  /* .alloc = */ ssh_generic_alloc,
+  /* .cleanup = */ ssh_generic_cleanup,
+  /* .equal = */ ssh_generic_equal,
+  /* .ssh_serialize_public = */ ssh_generic_serialize_public,
+  /* .ssh_deserialize_public = */ ssh_generic_deserialize_public,
+  /* .ssh_serialize_private = */ ssh_generic_serialize_private,
+  /* .ssh_deserialize_private = */ ssh_generic_deserialize_private,
+  /* .generate = */ ssh_generic_generate,
+  /* .copy_public = */ ssh_generic_copy_public,
+  /* .sign = */ ssh_generic_sign,
+  /* .verify = */ ssh_generic_verify,
+};
+
+const struct sshkey_impl sshkey_{{ symbol_base_name }}_impl = {
+  /* .name = */ "ssh-{{ alg['name']|replace('_','-') + '-' + sig['name']|replace('_','') }}",
+  /* .shortname = */ "{{ symbol_base_name|upper }}",
+  /* .sigalg = */ NULL,
+  /* .type = */ KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }},
+  /* .nid = */ {{ alg['openssl_nid'] }},
+  /* .cert = */ 0,
+  /* .sigonly = */ 0,
+  /* .keybits = */ 256, // TODO - What should be here?
+  /* .funcs = */ &sshkey_{{ symbol_base_name }}_funcs,
+};
+{%- endfor %}
+{%- endfor %}
+#endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 
diff --git a/oqs-template/ssh-oqs.c/impl_lookup_cases.fragment b/oqs-template/ssh-oqs.c/impl_lookup_cases.fragment
@@ -0,0 +1,9 @@
+{% for sig in config['sigs'] %}
+    case KEY_{{ sig['name']|upper }}:
+  {%- for alg in sig['mix_with'] %}
+    case KEY_{{ alg['name']|upper }}_{{ sig['name']|upper }}:
+  {%- endfor %}
+      impl = &sshkey_{{ sig['name']|replace('_','') }}_impl;
+      break;
+{%- endfor %}
+
diff --git a/oqs-template/sshkey.c/define_keytypes.fragment b/oqs-template/sshkey.c/define_keytypes.fragment
@@ -1,8 +1,7 @@
 {%- for sig in config['sigs'] %}
 	&sshkey_{{ sig['name']|replace('_','') }}_impl,
 {%- endfor %}
-#ifdef HYBRID_IMPLEMENTATION_EXISTS
-// #ifdef WITH_OPENSSL
+#ifdef WITH_OPENSSL
 {%- for sig in config['sigs'] %}
 	{%- for alg in sig['mix_with'] if alg['rsa'] %}
 	&sshkey_{{ alg['name']|replace('_','') }}_{{ sig['name']|replace('_','') }}_impl,

diff --git a/oqs-template/sshkey.c/extern_key_impls.fragment b/oqs-template/sshkey.c/extern_key_impls.fragment
@@ -2,8 +2,7 @@
 extern const struct sshkey_impl sshkey_{{ sig['name']|replace('_','') }}_impl;
 {%- endfor %}
 
-#ifdef HYBRID_IMPLEMENTATION_EXISTS
-// #ifdef WITH_OPENSSL
+#ifdef WITH_OPENSSL
 {%- for sig in config['sigs'] %}
   {%- for alg in sig['mix_with'] if alg['rsa'] %}
 extern const struct sshkey_impl sshkey_{{ alg['name']|replace('_','') }}_{{ sig['name']|replace('_','') }}_impl;

diff --git a/oqs-test/try_connection.py b/oqs-test/try_connection.py
@@ -2,6 +2,7 @@
 # and signature algorithm, and checks whether the stock BoringSSL
 # client and server can establish a handshake with the choices.
 
+import argparse
 import os
 import random
 import subprocess
@@ -13,75 +14,75 @@
 kexs = [
 ##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_KEXS_START
     "frodokem-640-aes-sha256",
-    # "[email protected]",
+    "[email protected]",
     "frodokem-976-aes-sha384",
-    # "[email protected]",
+    "[email protected]",
     "frodokem-1344-aes-sha512",
-    # "[email protected]",
+    "[email protected]",
     "frodokem-640-shake-sha256",
-    # "[email protected]",
+    "[email protected]",
     "frodokem-976-shake-sha384",
-    # "[email protected]",
+    "[email protected]",
     "frodokem-1344-shake-sha512",
-    # "[email protected]",
+    "[email protected]",
     "kyber-512-sha256",
-    # "[email protected]",
+    "[email protected]",
     "kyber-768-sha384",
-    # "[email protected]",
+    "[email protected]",
     "kyber-1024-sha512",
-    # "[email protected]",
+    "[email protected]",
     "bike-l1-sha512",
-    # "[email protected]",
+    "[email protected]",
     "bike-l3-sha512",
-    # "[email protected]",
+    "[email protected]",
     "classic-mceliece-348864-sha256",
-    # "ecdh-nistp256-classic-mceliece-348864r4-sha256@openquantumsafe.org",
+    "ecdh-nistp256-classic-mceliece-348864r4-sha256@openquantumsafe.org",
     "classic-mceliece-348864f-sha256",
-    # "ecdh-nistp256-classic-mceliece-348864fr4-sha256@openquantumsafe.org",
+    "ecdh-nistp256-classic-mceliece-348864fr4-sha256@openquantumsafe.org",
     "classic-mceliece-460896-sha512",
-    # "ecdh-nistp384-classic-mceliece-460896r4-sha512@openquantumsafe.org",
+    "ecdh-nistp384-classic-mceliece-460896r4-sha512@openquantumsafe.org",
     "classic-mceliece-460896f-sha512",
-    # "ecdh-nistp384-classic-mceliece-460896fr4-sha512@openquantumsafe.org",
+    "ecdh-nistp384-classic-mceliece-460896fr4-sha512@openquantumsafe.org",
     "classic-mceliece-6688128-sha512",
-    # "ecdh-nistp521-classic-mceliece-6688128r4-sha512@openquantumsafe.org",
+    "ecdh-nistp521-classic-mceliece-6688128r4-sha512@openquantumsafe.org",
     "classic-mceliece-6688128f-sha512",
-    # "ecdh-nistp521-classic-mceliece-6688128fr4-sha512@openquantumsafe.org",
+    "ecdh-nistp521-classic-mceliece-6688128fr4-sha512@openquantumsafe.org",
     "classic-mceliece-6960119-sha512",
-    # "ecdh-nistp521-classic-mceliece-6960119r4-sha512@openquantumsafe.org",
+    "ecdh-nistp521-classic-mceliece-6960119r4-sha512@openquantumsafe.org",
     "classic-mceliece-6960119f-sha512",
-    # "ecdh-nistp521-classic-mceliece-6960119fr4-sha512@openquantumsafe.org",
+    "ecdh-nistp521-classic-mceliece-6960119fr4-sha512@openquantumsafe.org",
     "classic-mceliece-8192128-sha512",
-    # "ecdh-nistp521-classic-mceliece-8192128r4-sha512@openquantumsafe.org",
+    "ecdh-nistp521-classic-mceliece-8192128r4-sha512@openquantumsafe.org",
     "classic-mceliece-8192128f-sha512",
-    # "ecdh-nistp521-classic-mceliece-8192128fr4-sha512@openquantumsafe.org",
+    "ecdh-nistp521-classic-mceliece-8192128fr4-sha512@openquantumsafe.org",
     "hqc-128-sha256",
-    # "[email protected]",
+    "[email protected]",
     "hqc-192-sha384",
-    # "[email protected]",
+    "[email protected]",
     "hqc-256-sha512",
-    # "[email protected]",
+    "[email protected]",
 ##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_KEXS_END
 ]
 
 sigs = [
 ##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_SIGS_START
     "ssh-falcon512",
-    # "ssh-rsa3072-falcon512",
-    # "ssh-ecdsa-nistp256-falcon512",
+    "ssh-rsa3072-falcon512",
+    "ssh-ecdsa-nistp256-falcon512",
     "ssh-falcon1024",
-    # "ssh-ecdsa-nistp521-falcon1024",
+    "ssh-ecdsa-nistp521-falcon1024",
     "ssh-dilithium2",
-    # "ssh-rsa3072-dilithium2",
-    # "ssh-ecdsa-nistp256-dilithium2",
+    "ssh-rsa3072-dilithium2",
+    "ssh-ecdsa-nistp256-dilithium2",
     "ssh-dilithium3",
-    # "ssh-ecdsa-nistp384-dilithium3",
+    "ssh-ecdsa-nistp384-dilithium3",
     "ssh-dilithium5",
-    # "ssh-ecdsa-nistp521-dilithium5",
+    "ssh-ecdsa-nistp521-dilithium5",
     "ssh-sphincssha2128fsimple",
-    # "ssh-rsa3072-sphincssha2128fsimple",
-    # "ssh-ecdsa-nistp256-sphincssha2128fsimple",
+    "ssh-rsa3072-sphincssha2128fsimple",
+    "ssh-ecdsa-nistp256-sphincssha2128fsimple",
     "ssh-sphincssha2256fsimple",
-    # "ssh-ecdsa-nistp521-sphincssha2256fsimple",
+    "ssh-ecdsa-nistp521-sphincssha2256fsimple",
 ##### OQS_TEMPLATE_FRAGMENT_LIST_ALL_SIGS_END
 ]
 
@@ -131,8 +132,11 @@ def try_handshake(ssh, sshd, dorandom="random"):
        do_handshake(ssh, sshd, test_sig, test_kex)
 
 if __name__ == '__main__':
-    if len(sys.argv)==1:
-        try_handshake(os.path.abspath('ssh'), os.path.abspath('sshd'))
-    else:
-        try_handshake(os.path.abspath('ssh'), os.path.abspath('sshd'), dorandom=sys.argv[1])
+    parser = argparse.ArgumentParser(description="Test connections between ssh and sshd using PQ algorithms.")
+    parser.add_argument("--ssh", default=os.path.abspath('ssh'), type=str, help="Override the ssh binary.")
+    parser.add_argument("--sshd", default=os.path.abspath('sshd'), type=str, help="Override the sshd binary.")
+    parser.add_argument("dorandom", type=str, default="random", choices=["doall", "doone", "random"],
+                        help="Slice of test cases to run.")
+    args = parser.parse_args()
+    try_handshake(args.ssh, args.sshd, args.dorandom)
 
diff --git a/ssh-keygen.c b/ssh-keygen.c
@@ -206,32 +206,6 @@ type_bits_valid(int type, const char *name, u_int32_t *bitsp)
 			break;
 		}
 #endif
-	  /* OQS note: different parameter sets for one PQ scheme are identified
-	   * by different types (unlike ECDSA which uses one key type and a 2nd
-	   * 'nid' value to identify the curve. We need this special processing
-	   * for ECDSA hybrid of levels 3+ to avoid defaulting to P256 when
-	   * name is NULL (like when called from do_gen_all_hostkeys) or when the
-	   * -t parameter is provided with a shortname, which sshkey_ecdsa_nid_from_name
-	   * doesn't check.
-	   */
-		if (oqs_utils_is_ecdsa_hybrid(type)) {
-		  switch (type) {
-///// OQS_TEMPLATE_FRAGMENT_HANDLE_ECDSA_HYBRIDS_START
-		  case KEY_ECDSA_NISTP521_FALCON_1024:
-		    *bitsp = 521;
-		    break;
-		  case KEY_ECDSA_NISTP384_DILITHIUM_3:
-		    *bitsp = 384;
-		    break;
-		  case KEY_ECDSA_NISTP521_DILITHIUM_5:
-		    *bitsp = 521;
-		    break;
-		  case KEY_ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE:
-		    *bitsp = 521;
-		    break;
-///// OQS_TEMPLATE_FRAGMENT_HANDLE_ECDSA_HYBRIDS_END
-		  }
-		}
 	}
 #ifdef WITH_OPENSSL
 	switch (type) {
@@ -1170,17 +1144,17 @@ do_gen_all_hostkeys(struct passwd *pw)
 		{ "sphincssha2128fsimple", "SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
 		{ "sphincssha2256fsimple", "SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
 #ifdef WITH_OPENSSL
-		// { "rsa3072_falcon512", "RSA3072_FALCON_512", _PATH_HOST_RSA3072_FALCON_512_KEY_FILE },
-		// { "rsa3072_dilithium2", "RSA3072_DILITHIUM_2", _PATH_HOST_RSA3072_DILITHIUM_2_KEY_FILE },
-		// { "rsa3072_sphincssha2128fsimple", "RSA3072_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_RSA3072_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
+		{ "rsa3072_falcon512", "RSA3072_FALCON_512", _PATH_HOST_RSA3072_FALCON_512_KEY_FILE },
+		{ "rsa3072_dilithium2", "RSA3072_DILITHIUM_2", _PATH_HOST_RSA3072_DILITHIUM_2_KEY_FILE },
+		{ "rsa3072_sphincssha2128fsimple", "RSA3072_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_RSA3072_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
 #ifdef OPENSSL_HAS_ECC
-		// { "ecdsa_nistp256_falcon512", "ECDSA_NISTP256_FALCON_512", _PATH_HOST_ECDSA_NISTP256_FALCON_512_KEY_FILE },
-		// { "ecdsa_nistp521_falcon1024", "ECDSA_NISTP521_FALCON_1024", _PATH_HOST_ECDSA_NISTP521_FALCON_1024_KEY_FILE },
-		// { "ecdsa_nistp256_dilithium2", "ECDSA_NISTP256_DILITHIUM_2", _PATH_HOST_ECDSA_NISTP256_DILITHIUM_2_KEY_FILE },
-		// { "ecdsa_nistp384_dilithium3", "ECDSA_NISTP384_DILITHIUM_3", _PATH_HOST_ECDSA_NISTP384_DILITHIUM_3_KEY_FILE },
-		// { "ecdsa_nistp521_dilithium5", "ECDSA_NISTP521_DILITHIUM_5", _PATH_HOST_ECDSA_NISTP521_DILITHIUM_5_KEY_FILE },
-		// { "ecdsa_nistp256_sphincssha2128fsimple", "ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
-		// { "ecdsa_nistp521_sphincssha2256fsimple", "ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
+		{ "ecdsa_nistp256_falcon512", "ECDSA_NISTP256_FALCON_512", _PATH_HOST_ECDSA_NISTP256_FALCON_512_KEY_FILE },
+		{ "ecdsa_nistp521_falcon1024", "ECDSA_NISTP521_FALCON_1024", _PATH_HOST_ECDSA_NISTP521_FALCON_1024_KEY_FILE },
+		{ "ecdsa_nistp256_dilithium2", "ECDSA_NISTP256_DILITHIUM_2", _PATH_HOST_ECDSA_NISTP256_DILITHIUM_2_KEY_FILE },
+		{ "ecdsa_nistp384_dilithium3", "ECDSA_NISTP384_DILITHIUM_3", _PATH_HOST_ECDSA_NISTP384_DILITHIUM_3_KEY_FILE },
+		{ "ecdsa_nistp521_dilithium5", "ECDSA_NISTP521_DILITHIUM_5", _PATH_HOST_ECDSA_NISTP521_DILITHIUM_5_KEY_FILE },
+		{ "ecdsa_nistp256_sphincssha2128fsimple", "ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE", _PATH_HOST_ECDSA_NISTP256_SPHINCS_SHA2_128F_SIMPLE_KEY_FILE },
+		{ "ecdsa_nistp521_sphincssha2256fsimple", "ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE", _PATH_HOST_ECDSA_NISTP521_SPHINCS_SHA2_256F_SIMPLE_KEY_FILE },
 #endif /* OPENSSL_HAS_ECC */
 #endif /* WITH_OPENSSL */
 ///// OQS_TEMPLATE_FRAGMENT_DEFINE_KEY_TYPES_END