From ef52d97382ec7d0e2b7d078a5567a50ece31ed5d Mon Sep 17 00:00:00 2001 From: Michael Baentsch <57787676+baentsch@users.noreply.github.com> Date: Tue, 3 Oct 2023 06:36:47 +0200 Subject: [PATCH] fix for txt output length of plain PQ key material (#268) * fix for txt output length of plain PQ key material * clarify use of hybrids in txt encoder * add txt/DER/PEM test and make key output dependent on tool availability Signed-off-by: Felipe Ventura --- oqsprov/oqs_encode_key2any.c | 77 +++++++++++++++++++--------------- scripts/oqsprovider-certgen.sh | 10 +++++ 2 files changed, 54 insertions(+), 33 deletions(-) diff --git a/oqsprov/oqs_encode_key2any.c b/oqsprov/oqs_encode_key2any.c index 100c9704..5c136819 100644 --- a/oqsprov/oqs_encode_key2any.c +++ b/oqsprov/oqs_encode_key2any.c @@ -1241,7 +1241,6 @@ static int print_labeled_buf(BIO *out, const char *label, static int oqsx_to_text(BIO *out, const void *key, int selection) { OQSX_KEY *okey = (OQSX_KEY *)key; - int is_hybrid = 0; if (out == NULL || okey == NULL) { ERR_raise(ERR_LIB_USER, ERR_R_PASSED_NULL_PARAMETER); @@ -1263,7 +1262,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) case KEY_TYPE_ECP_HYB_KEM: case KEY_TYPE_ECX_HYB_KEM: case KEY_TYPE_HYB_SIG: - is_hybrid = 1; if (BIO_printf(out, "%s hybrid private key:\n", okey->tls_name) <= 0) return 0; @@ -1287,7 +1285,6 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) case KEY_TYPE_ECP_HYB_KEM: case KEY_TYPE_ECX_HYB_KEM: case KEY_TYPE_HYB_SIG: - is_hybrid = 1; if (BIO_printf(out, "%s hybrid public key:\n", okey->tls_name) <= 0) return 0; break; @@ -1298,40 +1295,54 @@ static int oqsx_to_text(BIO *out, const void *key, int selection) } if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { - int classic_key_len = 0; - - if (okey->numkeys > 1) { - char classic_label[200]; - sprintf(classic_label, - "%s key material:", OBJ_nid2sn(okey->evp_info->nid)); - DECODE_UINT32(classic_key_len, okey->privkey); - if (!print_labeled_buf(out, classic_label, okey->comp_privkey[0], - classic_key_len)) - return 0; + if (okey->privkey) { + if (okey->numkeys > 1) { // hybrid key + char classic_label[200]; + int classic_key_len = 0; + sprintf(classic_label, + "%s key material:", OBJ_nid2sn(okey->evp_info->nid)); + DECODE_UINT32(classic_key_len, okey->privkey); + if (!print_labeled_buf(out, classic_label, + okey->comp_privkey[0], classic_key_len)) + return 0; + /* finally print pure PQ key */ + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_privkey[okey->numkeys - 1], + okey->privkeylen - classic_key_len + - SIZE_OF_UINT32)) + return 0; + } else { // plain PQ key + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_privkey[okey->numkeys - 1], + okey->privkeylen)) + return 0; + } } - /* finally print pure PQ key */ - if (!print_labeled_buf( - out, "PQ key material:", okey->comp_privkey[okey->numkeys - 1], - okey->privkeylen - classic_key_len - SIZE_OF_UINT32)) - return 0; } if ((selection & OSSL_KEYMGMT_SELECT_PUBLIC_KEY) != 0) { - int classic_key_len = 0; - - if (okey->numkeys > 1) { - char classic_label[200]; - DECODE_UINT32(classic_key_len, okey->pubkey); - sprintf(classic_label, - "%s key material:", OBJ_nid2sn(okey->evp_info->nid)); - if (!print_labeled_buf(out, classic_label, okey->comp_pubkey[0], - classic_key_len)) - return 0; + if (okey->pubkey) { + if (okey->numkeys > 1) { // hybrid key + char classic_label[200]; + int classic_key_len = 0; + DECODE_UINT32(classic_key_len, okey->pubkey); + sprintf(classic_label, + "%s key material:", OBJ_nid2sn(okey->evp_info->nid)); + if (!print_labeled_buf(out, classic_label, okey->comp_pubkey[0], + classic_key_len)) + return 0; + /* finally print pure PQ key */ + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_pubkey[okey->numkeys - 1], + okey->pubkeylen - classic_key_len + - SIZE_OF_UINT32)) + return 0; + } else { // PQ key only + if (!print_labeled_buf(out, "PQ key material:", + okey->comp_pubkey[okey->numkeys - 1], + okey->pubkeylen)) + return 0; + } } - /* finally print pure PQ key */ - if (!print_labeled_buf( - out, "PQ key material:", okey->comp_pubkey[okey->numkeys - 1], - okey->pubkeylen - classic_key_len - SIZE_OF_UINT32)) - return 0; } return 1; diff --git a/scripts/oqsprovider-certgen.sh b/scripts/oqsprovider-certgen.sh index e642bedd..6f607bd1 100755 --- a/scripts/oqsprovider-certgen.sh +++ b/scripts/oqsprovider-certgen.sh @@ -1,6 +1,10 @@ #!/bin/bash +set -e +set -x + # Use newly built oqsprovider to generate certs for alg $1 +# Tests use of openssl req genpkey x509 verify pkey commands if [ $# -ne 1 ]; then echo "Usage: $0 . Exiting." @@ -31,6 +35,12 @@ $OPENSSL_APP genpkey -algorithm $1 -out tmp/$1_srv.key && \ $OPENSSL_APP req -new -newkey $1 -keyout tmp/$1_srv.key -out tmp/$1_srv.csr -nodes -subj "/CN=oqstest server" && \ $OPENSSL_APP x509 -req -in tmp/$1_srv.csr -out tmp/$1_srv.crt -CA tmp/$1_CA.crt -CAkey tmp/$1_CA.key -CAcreateserial -days 365 && \ $OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt +# test PEM/DER/TEXT encoder/decoder logic: +$OPENSSL_APP pkey -text -in tmp/$1_CA.key +$OPENSSL_APP pkey -in tmp/$1_CA.key -outform DER -out tmp/$1_CA.der +if command -v xxd &> /dev/null; then +xxd -i tmp/$1_CA.der +fi #fails: #$OPENSSL_APP verify -CAfile tmp/$1_CA.crt tmp/$1_srv.crt -provider oqsprovider -provider default