remove external encoding lib option
Signed-off-by: Michael Baentsch <[email protected]>
baentsch committed Aug 3, 2024
1 parent 8a2b5bc commit 6032224
Showing 13 changed files with 93 additions and 755 deletions.
100 changes: 0 additions & 100 deletions .circleci/config.yml
@@ -54,32 +54,6 @@ jobs:
command: |
git clone --branch master https://github.com/openssl/openssl.git openssl &&
cd openssl && ./config --prefix=$(echo $(pwd)/../.local) && make -j 18 && make install_sw && cd ..
- run:
name: Build OQS-OpenSSL provider (<< parameters.CMAKE_ARGS >> with QSC encoding support)
command: |
oqsprovider_cmake_args="<< parameters.CMAKE_ARGS >>"
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
oqsprovider_cmake_args="${oqsprovider_cmake_args} -DOQS_PROVIDER_BUILD_STATIC=ON"
fi
mkdir _build && cd _build && cmake -GNinja ${oqsprovider_cmake_args} -DUSE_ENCODING_LIB=ON -DOPENSSL_ROOT_DIR=$(pwd)/../.local -DCMAKE_PREFIX_PATH=$(pwd)/../.local .. && ninja && cd ..
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
file _build/lib/oqsprovider.a
fi
- when:
condition:
equal: [ openssl@3, << parameters.OPENSSL_PREINSTALL >> ]
steps:
- run:
name: Build OQS-OpenSSL provider (<< parameters.CMAKE_ARGS >> with QSC encoding support)
command: |
oqsprovider_cmake_args="<< parameters.CMAKE_ARGS >>"
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
oqsprovider_cmake_args="${oqsprovider_cmake_args} -DOQS_PROVIDER_BUILD_STATIC=ON"
fi
mkdir _build && cd _build && cmake -GNinja ${oqsprovider_cmake_args} -DUSE_ENCODING_LIB=ON -DCMAKE_PREFIX_PATH=$(pwd)/../.local .. && ninja && cd ..
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
file _build/lib/oqsprovider.a
fi
- run:
name: Run tests
command: |
@@ -88,49 +62,6 @@ jobs:
else
./scripts/runtests.sh -V
fi
- run:
name: Run tests (with encodings, positive and negative test)
command: |
if ! << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
./scripts/runtests_encodings.sh -V > log
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
cat log
! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
else
cat log
fi
fi
- run:
name: Build OQS-OpenSSL provider (<< parameters.CMAKE_ARGS >>) with NOPUBKEY_IN_PRIVKEY and QSC encoding support
command: |
oqsprovider_cmake_args="<< parameters.CMAKE_ARGS >>"
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
oqsprovider_cmake_args="${oqsprovider_cmake_args} -DOQS_PROVIDER_BUILD_STATIC=ON"
fi
rm -rf _build && mkdir _build && cd _build && cmake -GNinja ${oqsprovider_cmake_args} -DNOPUBKEY_IN_PRIVKEY=ON -DUSE_ENCODING_LIB=ON -DOPENSSL_ROOT_DIR=$(pwd)/../.local -DCMAKE_PREFIX_PATH=$(pwd)/../.local .. && ninja
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
file _build/lib/oqsprovider.a
fi
- run:
name: Run tests (-DNOPUBKEY_IN_PRIVKEY=ON)
command: |
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
ctest --test-dir _build/
else
./scripts/runtests.sh -V
fi
- run:
name: Run tests (-DNOPUBKEY_IN_PRIVKEY=ON, with encodings, positive and negative test)
command: |
if ! << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
./scripts/runtests_encodings.sh -V
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
cat log
! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
else
cat log
fi
fi
macOS:
description: A template for running tests on macOS
@@ -208,37 +139,6 @@ jobs:
else
./scripts/runtests.sh -V
fi
- run:
name: Build OQS-OpenSSL provider with QSC encoding support
command: |
oqsprovider_cmake_args="<< parameters.CMAKE_ARGS >>"
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
oqsprovider_cmake_args="${oqsprovider_cmake_args} -DOQS_PROVIDER_BUILD_STATIC=ON"
fi
rm -rf _build && mkdir _build && cd _build && cmake -GNinja -DUSE_ENCODING_LIB=ON -DOPENSSL_ROOT_DIR=$OPENSSL_INSTALL -DCMAKE_PREFIX_PATH=$(pwd)/../.local ${oqsprovider_cmake_args} .. && ninja
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
file _build/lib/oqsprovider.a
fi
- run:
name: Run tests
command: |
if << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
ctest --test-dir _build/ --output-on-failure
else
./scripts/runtests.sh -V
fi
- run:
name: Run tests (with encodings)
command: |
if ! << parameters.OQS_PROVIDER_BUILD_STATIC >> ; then
./scripts/runtests_encodings.sh -V > log
if [ grep "Skipping testing of buggy OpenSSL" -eq 1 ]; then
cat log
! OQS_ENCODING_DILITHIUM2=foo OQS_ENCODING_DILITHIUM2_ALGNAME=bar ./scripts/runtests.sh -V
else
cat log
fi
fi
trigger-downstream-ci:
docker:
37 changes: 0 additions & 37 deletions ALGORITHMS.md
@@ -283,40 +283,3 @@ If [OQS_KEM_ENCODERS](CONFIGURE.md#OQS_KEM_ENCODERS) is enabled the following li
| p521_hqc256 | 1.3.9999.99.87 | OQS_OID_P521_HQC256
<!--- OQS_TEMPLATE_FRAGMENT_OIDS_END -->

# Key Encodings

By setting environment variables, oqs-provider can be configured to encode keys (subjectPublicKey and and privateKey ASN.1 structures) according to the following IETF drafts:

- https://datatracker.ietf.org/doc/draft-uni-qsckeys-dilithium/00/
- https://datatracker.ietf.org/doc/draft-uni-qsckeys-falcon/00/
- https://datatracker.ietf.org/doc/draft-uni-qsckeys-sphincsplus/00/

<!--- OQS_TEMPLATE_FRAGMENT_ENCODINGS_START -->
|Environment Variable | Permissible Values |
| --- | --- |
|`OQS_ENCODING_DILITHIUM2`|`draft-uni-qsckeys-dilithium-00/sk-pk`|
|`OQS_ENCODING_DILITHIUM3`|`draft-uni-qsckeys-dilithium-00/sk-pk`|
|`OQS_ENCODING_DILITHIUM5`|`draft-uni-qsckeys-dilithium-00/sk-pk`|
|`OQS_ENCODING_FALCON512`|`draft-uni-qsckeys-falcon-00/sk-pk`|
|`OQS_ENCODING_FALCONPADDED512`|`draft-uni-qsckeys-falcon-00/sk-pk`|
|`OQS_ENCODING_FALCON1024`|`draft-uni-qsckeys-falcon-00/sk-pk`|
|`OQS_ENCODING_FALCONPADDED1024`|`draft-uni-qsckeys-falcon-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHA2128FSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHA2128SSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHA2192FSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHA2192SSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHA2256FSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHA2256SSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHAKE128FSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHAKE128SSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHAKE192FSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHAKE192SSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHAKE256FSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
|`OQS_ENCODING_SPHINCSSHAKE256SSIMPLE`|`draft-uni-qsckeys-sphincsplus-00/sk-pk`|
<!--- OQS_TEMPLATE_FRAGMENT_ENCODINGS_END -->

By setting `OQS_ENCODING_<ALGORITHM>_ALGNAME` environment variables, the corresponding algorithm names are set. The names are documented in the [`qsc_encoding.h`](https://github.com/Quantum-Safe-Collaboration/qsc-key-encoder/blob/main/include/qsc_encoding.h) header file of the encoder library.

If no environment variable is set, or if an unknown value is set, the default is 'no' encoding, meaning that key serialization uses the 'raw' keys of the crypto implementations. If unknown values are set as environment variables, a run-time error will be raised.

The test script `scripts/runtests_encodings.sh` (instead of `scripts/runtests.sh`) can be used for a test run with all supported encodings activated.
7 changes: 0 additions & 7 deletions CMakeLists.txt
@@ -38,13 +38,6 @@ if(${NOPUBKEY_IN_PRIVKEY})
else()
message(STATUS "Build will store public keys in PKCS#8 structures")
endif()
option(USE_ENCODING_LIB "Build with external encoding library for SPKI/PKCS#8 " OFF)
if(${USE_ENCODING_LIB})
message(STATUS "Build will include external encoding library for SPKI/PKCS#8")
add_compile_definitions( USE_ENCODING_LIB )
else()
message(STATUS "Build will not include external encoding library for SPKI/PKCS#8")
endif()

option(OQS_PROVIDER_BUILD_STATIC "Build a static library instead of a shared library" OFF)
if(OQS_PROVIDER_BUILD_STATIC AND BUILD_SHARED_LIBS)
7 changes: 0 additions & 7 deletions CONFIGURE.md
@@ -39,13 +39,6 @@ location for the OS.
This uses the [`find_package`](https://cmake.org/cmake/help/latest/command/find_package.html)
command in `cmake`, which checks for local builds of a package at `<PackageName>_DIR`

### USE_ENCODING_LIB

By setting `-DUSE_ENCODING_LIB=<ON/OFF>` at compile-time, oqs-provider can be
compiled with with an an external encoding library `qsc-key-encoder`.
Configuring the encodings is done via environment as described in [ALGORITHMS.md](ALGORITHMS.md).
The default value is `OFF`.

### NOPUBKEY_IN_PRIVKEY

By setting this to "ON", it can be specified to omit explicitly serializing
13 changes: 0 additions & 13 deletions oqs-template/ALGORITHMS.md/encodings.fragment

This file was deleted.

21 changes: 0 additions & 21 deletions oqs-template/oqsprov/oqsprov.c/encoding_patching.fragment

This file was deleted.

21 changes: 0 additions & 21 deletions oqsprov/CMakeLists.txt
@@ -5,20 +5,6 @@ execute_process(
OUTPUT_VARIABLE GIT_COMMIT_HASH
OUTPUT_STRIP_TRAILING_WHITESPACE
)
if (USE_ENCODING_LIB)
include(ExternalProject)
set(encoder_LIBRARY ${CMAKE_BINARY_DIR}/install/lib/${CMAKE_STATIC_LIBRARY_PREFIX}qsc_key_encoder${CMAKE_STATIC_LIBRARY_SUFFIX})
set(encoder_LIBRARY_INCLUDE ${CMAKE_BINARY_DIR}/install/include)
ExternalProject_Add(encoder
GIT_REPOSITORY https://github.com/Quantum-Safe-Collaboration/qsc-key-encoder.git
GIT_TAG main
CMAKE_ARGS -DCMAKE_INSTALL_PREFIX=${CMAKE_BINARY_DIR}/install -DCMAKE_BUILD_TYPE=Release
UPDATE_DISCONNECTED 1
BUILD_BYPRODUCTS ${encoder_LIBRARY}
)
add_library(qsc_key_encoder STATIC IMPORTED)
set_target_properties(qsc_key_encoder PROPERTIES IMPORTED_LOCATION ${encoder_LIBRARY})
endif()
add_definitions(-DOQSPROVIDER_VERSION_TEXT="${OQSPROVIDER_VERSION_TEXT}")
message(STATUS "Building commit ${GIT_COMMIT_HASH} in ${CMAKE_SOURCE_DIR}")
add_definitions(-DOQS_PROVIDER_COMMIT=" \(${GIT_COMMIT_HASH}\)")
@@ -38,9 +24,6 @@ if(OQS_PROVIDER_BUILD_STATIC)
endif()

add_library(oqsprovider ${OQS_LIBRARY_TYPE} ${PROVIDER_SOURCE_FILES})
if (USE_ENCODING_LIB)
add_dependencies(oqsprovider encoder)
endif()
set_target_properties(oqsprovider
PROPERTIES
PREFIX ""
@@ -87,10 +70,6 @@ else()
endif()

target_link_libraries(oqsprovider PUBLIC OQS::oqs ${OPENSSL_CRYPTO_LIBRARY} ${OQS_ADDL_SOCKET_LIBS})
if (USE_ENCODING_LIB)
target_link_libraries(oqsprovider PUBLIC qsc_key_encoder)
target_include_directories(oqsprovider PRIVATE ${encoder_LIBRARY_INCLUDE})
endif()

install(TARGETS oqsprovider
LIBRARY DESTINATION "${OPENSSL_MODULES_PATH}"
91 changes: 15 additions & 76 deletions oqsprov/oqs_encode_key2any.c
@@ -512,40 +512,13 @@ static int oqsx_spki_pub_to_der(const void *vxkey, unsigned char **pder)
return 0;
}
if (oqsxkey->keytype != KEY_TYPE_CMP_SIG) {
#ifdef USE_ENCODING_LIB
if (oqsxkey->oqsx_encoding_ctx.encoding_ctx != NULL
&& oqsxkey->oqsx_encoding_ctx.encoding_impl != NULL) {
unsigned char *buf;
int buflen;
int ret = 0;
const OQSX_ENCODING_CTX *encoding_ctx = &oqsxkey->oqsx_encoding_ctx;
buflen = encoding_ctx->encoding_impl->crypto_publickeybytes;

buf = OPENSSL_secure_zalloc(buflen);
if (buf == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_MALLOC_FAILURE);
return -1;
}
ret = qsc_encode(encoding_ctx->encoding_ctx,
encoding_ctx->encoding_impl, oqsxkey->pubkey, &buf,
0, 0, 1);
if (ret != QSC_ENC_OK)
return -1;

*pder = buf;
return buflen;
} else {
#endif
keyblob = OPENSSL_memdup(oqsxkey->pubkey, oqsxkey->pubkeylen);
if (keyblob == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_MALLOC_FAILURE);
return 0;
}
*pder = keyblob;
return oqsxkey->pubkeylen;
#ifdef USE_ENCODING_LIB
keyblob = OPENSSL_memdup(oqsxkey->pubkey, oqsxkey->pubkeylen);
if (keyblob == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_MALLOC_FAILURE);
return 0;
}
#endif
*pder = keyblob;
return oqsxkey->pubkeylen;
} else {
if ((sk = sk_ASN1_TYPE_new_null()) == NULL)
return -1;
@@ -657,47 +630,16 @@ static int oqsx_pki_priv_to_der(const void *vxkey, unsigned char **pder)
privkeylen
-= (oqsxkey->evp_info->length_private_key - actualprivkeylen);
}
#ifdef USE_ENCODING_LIB
if (oqsxkey->oqsx_encoding_ctx.encoding_ctx != NULL
&& oqsxkey->oqsx_encoding_ctx.encoding_impl != NULL) {
const OQSX_ENCODING_CTX *encoding_ctx = &oqsxkey->oqsx_encoding_ctx;
int ret = 0;
# ifdef NOPUBKEY_IN_PRIVKEY
int withoptional = (encoding_ctx->encoding_ctx
->raw_private_key_encodes_public_key
? 1
: 0);
# else
int withoptional = 1;
# endif
buflen = (withoptional
? encoding_ctx->encoding_impl->crypto_secretkeybytes
: encoding_ctx->encoding_impl
->crypto_secretkeybytes_nooptional);
buf = OPENSSL_secure_zalloc(buflen);
if (buf == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_MALLOC_FAILURE);
return -1;
}

ret = qsc_encode(encoding_ctx->encoding_ctx,
encoding_ctx->encoding_impl,
oqsxkey->comp_pubkey[oqsxkey->numkeys - 1], 0,
oqsxkey->privkey, &buf, withoptional);
if (ret != QSC_ENC_OK)
return -1;
} else {
#endif
#ifdef NOPUBKEY_IN_PRIVKEY
buflen = privkeylen;
buf = OPENSSL_secure_malloc(buflen);
if (buf == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_MALLOC_FAILURE);
return -1;
}
OQS_ENC_PRINTF2("OQS ENC provider: saving privkey of length %zu\n",
buflen);
memcpy(buf, oqsxkey->privkey, privkeylen);
buflen = privkeylen;
buf = OPENSSL_secure_malloc(buflen);
if (buf == NULL) {
ERR_raise(ERR_LIB_USER, ERR_R_MALLOC_FAILURE);
return -1;
}
OQS_ENC_PRINTF2("OQS ENC provider: saving privkey of length %zu\n",
buflen);
memcpy(buf, oqsxkey->privkey, privkeylen);
#else
buflen = privkeylen + oqsx_key_get_oqs_public_key_len(oqsxkey);
buf = OPENSSL_secure_malloc(buflen);
@@ -711,9 +653,6 @@ static int oqsx_pki_priv_to_der(const void *vxkey, unsigned char **pder)
memcpy(buf + privkeylen, oqsxkey->comp_pubkey[oqsxkey->numkeys - 1],
oqsx_key_get_oqs_public_key_len(oqsxkey));
#endif
#ifdef USE_ENCODING_LIB
}
#endif

oct.data = buf;
oct.length = buflen;
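Review bot: `oqsx_spki_pub_to_der` still signals failure in two different ways after this cleanup: the non-composite branch returns `0` when `OPENSSL_memdup` fails, while the `else` branch directly below returns `-1` when `sk_ASN1_TYPE_new_null()` fails. A caller that tests only `< 0` would treat the failed copy as a zero-length encoding and carry on with `*pder` unset; whether any caller does so is not visible here, since the function starts and ends outside the hunk. I would make the allocation-failure line `return -1;` to match the rest of the function, or state the contract in a comment above it, e.g. `/* any value <= 0 means failure; *pder is left untouched */`. Separately, in the `oqsx_pki_priv_to_der` hunk `buflen` is passed to a `%zu` format and then stored in `oct.length`; its declaration is outside the hunk, so confirm it is a `size_t` or cast it at the print.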