Skip to content

Latest commit

 

History

History
48 lines (41 loc) · 2.78 KB

README.md

File metadata and controls

48 lines (41 loc) · 2.78 KB
Raw
Trust chain overview

Overview

This tools in this repo can be used to:

  1. pqsetup.sh
    Can be used to install LibOQS and the accompanying OpenSSL fork, typically for research & testing with post-quantum cryptographic algorithms.
  2. mkcerts.sh
    Can be used to quickly create CA infrastructure & accompanying certificates:
    • Root CA
    • Intermediate CA
    • OCSP signing
    • TLS Server
    • TLS Client
      For several different algorithms:
    • RSA
    • ECDSA
    • EdDSA
    • Falcon512
    • Falcon1024
    • Dilithium2
    • Dilithium3
    • Dilithium5
    • SPHINCS+-Haraka
    • SPHINCS+-SHA256
    • SPHINCS+-SHAKE256
  3. openssl.cnf
    Is the accompanying config file for proper execution of #2. You can modify as needed if necessary. Key sections are listed below: 
    [RootCA]
    [InterCA]
    [v3_ca]
    [v3_ocsp]
    [v3_server]*
    [v3_client]*
    * - It is particularly important to edit the authorityInfoAccess attribute under these sections, as this defines the OCSP URL for certs signed with these extensions.

Requirements

pqsetup.sh is written only for the Ubuntu operating system, and will likely fail on any other OS. It should be fairly simple to manipulate the script to consider other OSes though, as the restriction is primarily due to the use of the apt package manager for installing packages. There is also a version check at the beginning of the main function that will need to be omitted to facilitate this bypass.

mkcerts.sh should work fine on any Linux OS, provided the variables have been appropriately configured.

Usage

BEFORE running anything, open the script in your editor of choice, look for the below section at the top of the script:

###############################################################################
################################## IMPORTANT ##################################
###############################################################################

This section has parameters that MUST be appropriately set for proper execution. The default values should work fine, but you will likely want to customize certain attributes, such as the certificate subject details, passphrase, etc.

Once you are satisfied with the configuration, simply ./<script name> to run the script

Notes

  • The scripts in this repo may not be executable by default. This is intentional to maybe stop people from just running things without reading first, and is fixable with the standard chmod +x <script name>