qiss

package module

v0.0.0-...-a291819 Latest Latest Go to latest Published: Dec 14, 2021 License: Apache-2.0 Imports: 14 Imported by: 0

Details

Valid go.mod file

The Go module system was introduced in Go 1.11 and is the official dependency management solution for Go.
Redistributable license

Redistributable licenses place minimal restrictions on how software can be used, modified, and redistributed.
Tagged version

Modules with tagged versions give importers more predictable builds.
Stable version

When a project reaches major version v1 it is considered stable.
Learn more about best practices

Repository

github.com/sgtcodfish/qiss

Links

Open Source Insights

README ¶

qiss

qiss is a toy application exploring the integration of post-quantum cryptography into certificate verification during a TLS connection.

It adds a TLS server which embed a post-quantum signature into the cert it generates, and a client which validates the post-quantum signatures in the certs after the regular TLS handshake is complete.

Security

The techniques used here aren't suitable for public use; they're not fully thought through, need to be rearchitected, and could be entirely wrong. The post-quantum signatures used here don't really assert anything useful.

The certificate extensions used for post-quantum crypto are also entirely arbitrary and unstandardized. Nothing else will (or should) understand them. The final design for post-quantum TLS will almost certainly look nothing like this.

qiss doesn't attempt to use a post-quantum KEM and as such the TLS handshake used here isn't post-quantum; only the signatures on the generated server certificate are post-quantum.

Running the Example

Every artifact - including the required C library, liboqs - is placed into bin/. Everything can be build and controlled through the Makefile.

# Run the server (will download and build liboqs first, which will require a C compiler and CMake to be installed)
make runqiss_server

# The server writes bin/ca.crt which has both an ECDSA and post-quantum signature

# Run the client, which loads bin/ca.crt for verification.
make runqiss_client

Documentation ¶

Index ¶

func ServerCertificateValidator(base *tls.Config, verbose bool) *tls.Config
func SignCSR(csr *x509.CertificateRequest, signingBundle *MultiKeyCertBundle) ([]byte, error)
func ValidateMultiKeyCSR(csr *x509.CertificateRequest) (*x509.CertificateRequest, error)
func ValidateMultiKeyDERCSR(derCSR []byte) (*x509.CertificateRequest, error)
type MultiKeyCertBundle
- func GenerateMultiKeyRootCert() (*MultiKeyCertBundle, error)
- func (m *MultiKeyCertBundle) OQSSignature() (*oqs.Signature, error)
type PQKeyBundle
- func GenerateMultiKeyCSR(commonName string, dnsNames []string) ([]byte, PQKeyBundle, error)
- func (p *PQKeyBundle) LegacyKeyPEM() ([]byte, error)

Constants ¶

This section is empty.

Variables ¶

This section is empty.

Functions ¶

func ServerCertificateValidator ¶

func ServerCertificateValidator(base *tls.Config, verbose bool) *tls.Config

ServerCertificateValidator returns a tls.Config which validates post-quantum signatures on all verified chains (i.e., chains which have had their legacy signatures verified), based on the given base config. The returned value is an augmented clone of the base; base is not modified

func SignCSR ¶

func SignCSR(csr *x509.CertificateRequest, signingBundle *MultiKeyCertBundle) ([]byte, error)

SignCSR takes a parsed certificate request, validates it and signs it using both legacy and post-quantum signatures

func ValidateMultiKeyCSR ¶

func ValidateMultiKeyCSR(csr *x509.CertificateRequest) (*x509.CertificateRequest, error)

ValidateMultiKeyCSR validates that the pq key and signature extensions are present and valid in the given CSR. Returns the same CSR on success.

func ValidateMultiKeyDERCSR ¶

func ValidateMultiKeyDERCSR(derCSR []byte) (*x509.CertificateRequest, error)

ValidateMultiKeyCSR parses the given DER encoded CSR, and then validates that the pq key and signature extensions are present and valid. Returns the parsed csr on success.

Types ¶

type MultiKeyCertBundle ¶

type MultiKeyCertBundle struct {
	ParsedCert *x509.Certificate

	CertPEM string
	CertDER []byte

	LegacyPublicKey crypto.PublicKey
	PQPublicKey     []byte

	PQKeyBundle
}

MultiKeyCertBundle wraps a certificate along with its keys, both post-quantum and legacy.

func GenerateMultiKeyRootCert ¶

func GenerateMultiKeyRootCert() (*MultiKeyCertBundle, error)

GenerateMultiKeyRootCert creates a new root certificate with a Ed25519 legacy signature and a falcon-1024 post-quantum signature

func (*MultiKeyCertBundle) OQSSignature ¶

func (m *MultiKeyCertBundle) OQSSignature() (*oqs.Signature, error)

OQSSignature returns a OQS signature object which can be used for signing, based on the key embedded in the bundle.

type PQKeyBundle ¶

type PQKeyBundle struct {
	LegacyPrivateKey *ecdsa.PrivateKey
	PQPrivateKey     []byte
}

PQKeyBundle holds both a legacy and post-quantum key

func GenerateMultiKeyCSR ¶

func GenerateMultiKeyCSR(commonName string, dnsNames []string) ([]byte, PQKeyBundle, error)

GenerateMultiKeyCSR creates an ecdsa/pq multi-key CSR, returning the DER-encoded CSR and the generated keys

func (*PQKeyBundle) LegacyKeyPEM ¶

func (p *PQKeyBundle) LegacyKeyPEM() ([]byte, error)

LegacyKeyPEM returns the legacy key, encoded in PEM format

Source Files ¶

View all Source files

Directories ¶

Path	Synopsis
cmd
qiss-client
qiss-server

?	: This menu
/	: Search site
f or F	: Jump to
y or Y	: Canonical URL