Verify a certificate signed by a PQC CA key

[Dechen2333]

Hello,

I want to create my own CA and OCSP server to test a program with oqsprovider implementation.
I'm using the docker image provided by this link:
https://github.com/open-quantum-safe/oqs-provider/wiki/Interoperability#ietf-115-hackathon
In the container, I created a falcon1024 key and selfsigned certification for the CA, a dilithium2 key and then sign the dilithium2 key with the falcon CA key. If I verify the dilithium certification using the CAfile, it ends up with an error in asn1 encoding routines. If I use a rsa 2048 key as root CA key instead, everything will be fine.

Step to reproduce:

1. docker run -it openquantumsafe/oqs-ossl3:ietf115
2. mkdir -p demoCA/newcerts
3. touch demoCA/index.txt
4. echo '01' > demoCA/serial
5. openssl req -x509 -new -newkey falcon1024 -keyout falc_rootCA.key -out falc_rootCA.crt -subj "/CN=test CA" -nodes
6. openssl req -new -newkey dilithium2 -keyout dilithium2.key -out dilithium2.csr -nodes -config openssl.cnf -subj "/CN=test Server"
7. openssl ca -batch -startdate 150123080000Z -enddate 250823090000Z -keyfile falc_rootCA.key -cert falc_rootCA.crt -policy policy_anything -config openssl.cnf -notext -out dilithium2.crt -infiles dilithium2.csr
8. openssl verify -CAfile falc_rootCA.crt dilithium2.crt

Then I receive the error codes:
error 7 at 0 depth lookup: certificate signature failure
error dilithium2.crt: verification failed
487BBAB4387F0000:error:4000000E:lib(128):oqs_sig_verify:reason(14):/opt/oqs-provider/oqsprov/oqs_sig.c:405:
487BBAB4387F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:

openssl version:
OpenSSL 3.2.0-dev-pr19312 (Library: OpenSSL 3.2.0-dev-pr19312 )

If I use the certification that signed by a PQC CA key in my program with oqsprovider implementation, the same error appear while the TLS handshake

oqsprovider version:
OQS Provider v.0.5.0-dev-nopub based on liboqs v.0.7.3-dev

openssl.cnf:
https://github.com/Dechen2333/opensslcnf/blob/main/openssl.cnf

[baentsch]

Thanks very much for this thorough bug report. I've got to admit the openssl ca command has not yet been tested with oqsprovider. Let me read up on this, reproduce and debug into the problem. Stay tuned.
If you feel like further checking the reason for the issue, can you correctly parse/verify the intermediate files, most notably "falc_rootCA.crt" and "dilithium2.csr"?

[baentsch]

OK -- that's a clear omission in the provider. See #113 .

[baentsch]

Issue fixed and integrated to docker image. Please retry, @Dechen2333

[Dechen2333]

Yes, the output from 'openssl req -text -in dilithium2.csr' is good. But I still get the same error from 'openssl verify -CAfile falc_rootCA.crt dilithium2.crt'

error 7 at 0 depth lookup: certificate signature failure
error dilithium2.crt: verification failed
40973DE10C7F0000:error:4000000E:lib(128):oqs_sig_verify:reason(14):/opt/oqs-provider/oqsprov/oqs_sig.c:404:
40973DE10C7F0000:error:06880006:asn1 encoding routines:ASN1_item_verify_ctx:EVP lib:crypto/asn1/a_verify.c:215:

[baentsch]

Sorry to have misunderstood you -- I thought the output error was the underlying problem. Will look further then (and change to an issue).

[baentsch]

@Dechen2333 Can you reproduce your problem still in the current "main" branch? If not, are you OK to close/consider answered this discussion then?