Skip to content

Commit

Permalink
Add quantum-safe certificate chain support (#242)
Browse files Browse the repository at this point in the history
  • Loading branch information
@pi-314159
pi-314159 authored Oct 27, 2023
1 parent f08c319 commit df3f779
Show file tree
Hide file tree
Showing 2 changed files with 41 additions and 5 deletions.
15 changes: 14 additions & 1 deletion nginx/fulltest-provider/ext-csr.conf
View file
Original file line number Diff line number Diff line change
Expand Up @@ -6,9 +6,22 @@ prompt = no
[req_distinguished_name]
CN = test.openquantumsafe.org

[v3_intermediate_ca]
basicConstraints = critical, CA:true, pathlen:0
keyUsage = critical, digitalSignature, cRLSign, keyCertSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
certificatePolicies = 2.5.29.32.0
extendedKeyUsage = clientAuth, serverAuth

[v3_req]
keyUsage = nonRepudiation, digitalSignature, keyEncipherment
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
subjectAltName = @alt_names
certificatePolicies=2.23.140.1.2.1

[alt_names]
DNS.1 = test.openquantumsafe.org
31 changes: 27 additions & 4 deletions nginx/fulltest-provider/genconfig.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -63,14 +63,32 @@ def gen_cert(_sig_alg):
if not os.path.exists(PKIPATH):
os.mkdir(PKIPATH)

# now generate suitable server keys signed by that root; adapt algorithm names to std ossl
# now generate suitable server keys signed by that root; adapt algorithm names to std ossl
if sig_alg == 'rsa3072':
ossl_sig_alg_arg = 'rsa:3072'
elif sig_alg == 'ecdsap256':
common.run_subprocess([OPENSSL, "ecparam", "-name", "prime256v1", "-out", os.path.join(PKIPATH, "prime256v1.pem")])
ossl_sig_alg_arg = 'ec:{}'.format(os.path.join(PKIPATH, "prime256v1.pem"))
else:
ossl_sig_alg_arg = sig_alg
# generate intermediate CA key and CSR
common.run_subprocess([OPENSSL, 'req', '-new',
'-newkey', ossl_sig_alg_arg,
'-keyout', os.path.join(PKIPATH, '{}_interm.key'.format(sig_alg)),
'-out', os.path.join(PKIPATH, '{}_interm.csr'.format(sig_alg)),
'-nodes',
'-subj', '/CN=oqstest_intermediate_'+sig_alg,
'-config', OPENSSL_CNF])
# sign the intermediate CA using the root
common.run_subprocess([OPENSSL, 'x509', '-req',
'-in', os.path.join(PKIPATH, '{}_interm.csr'.format(sig_alg)),
'-out', os.path.join(PKIPATH, '{}_interm.crt'.format(sig_alg)),
'-CA', os.path.join(CAROOTDIR, 'CA.crt'),
'-CAkey', os.path.join(CAROOTDIR, 'CA.key'),
'-CAcreateserial',
'-extfile', 'ext-csr.conf',
'-extensions', 'v3_intermediate_ca',
'-days', '366'])
# generate server key and CSR
common.run_subprocess([OPENSSL, 'req', '-new',
'-newkey', ossl_sig_alg_arg,
Expand All @@ -83,12 +101,17 @@ def gen_cert(_sig_alg):
common.run_subprocess([OPENSSL, 'x509', '-req',
'-in', os.path.join(PKIPATH, '{}_srv.csr'.format(sig_alg)),
'-out', os.path.join(PKIPATH, '{}_srv.crt'.format(sig_alg)),
'-CA', os.path.join(CAROOTDIR, 'CA.crt'),
'-CAkey', os.path.join(CAROOTDIR, 'CA.key'),
'-CA', os.path.join(PKIPATH, '{}_interm.crt'.format(sig_alg)),
'-CAkey', os.path.join(PKIPATH, '{}_interm.key'.format(sig_alg)),
'-CAcreateserial',
'-extfile', 'ext-csr.conf',
'-extfile', 'ext-csr.conf',
'-extensions', 'v3_req',
'-days', '365'])
# append intermediate cert to server cert
with open(os.path.join(PKIPATH, '{}_srv.crt'.format(sig_alg)), 'a') as srv:
srv.write("\n")
with open(os.path.join(PKIPATH, '{}_interm.crt'.format(sig_alg))) as interm:
srv.write(interm.read())

def write_nginx_config(f, i, cf, port, _sig, k):
sig = _sig[0]
Expand Down

0 comments on commit df3f779

Please sign in to comment.