IETF-Hackathon · romen · Nov 2, 2024 · Nov 2, 2024 · Nov 2, 2024 · Nov 3, 2024
diff --git a/.github/workflows/artifact_validation.yaml b/.github/workflows/artifact_validation.yaml
@@ -1,6 +1,7 @@
 name: Artifact validation
 
 on:
+  pull_request:
   push:
     branches: [ '*' ]
 

diff --git a/providers/oqs-provider/Makefile b/providers/oqs-provider/Makefile
@@ -11,11 +11,11 @@ PROVIDER_NAME := OQS
 DIRS := oqsprovider
 
 # Script for Generating the artifacts (if any)
-GEN_SCRIPT := ./gen.sh
+GEN_SCRIPT := ./gen_r4.sh
 GEN_LOGFILE := logs/generate_log.txt
 
 # Script for Verifying the artifacts (if any)
-VERIFY_SCRIPT := ./check.sh
+VERIFY_SCRIPT := ./check_r4.sh
 VERIFY_LOGFILE := logs/verify_log.txt
 
 # Time
@@ -98,8 +98,8 @@ verify: requirements/verify
 			echo "[ $(PROVIDER_NAME) ] Product: $$i" ; \
 			echo "PRODUCT : $$i" >> "$(VERIFY_LOGFILE)" ; \
 			echo >> "$(VERIFY_LOGFILE)" ; \
-			result=`$(VERIFY_SCRIPT) "$$i" 2>&1 >> "$(VERIFY_LOGFILE)" `; \
-			echo $$result >> "$(VERIFY_LOGFILE)" ; \
+			result=`$(VERIFY_SCRIPT) "$$i" 2>>"$(VERIFY_LOGFILE)" | tee -a "$(VERIFY_LOGFILE)"`; \
+			echo "$$result" >> "$(VERIFY_LOGFILE)" ; \
 			echo >> "$(VERIFY_LOGFILE)"; \
 		done ; \
 		echo "----- END PROVIDER $(PROVIDER_NAME) -----" >> $(VERIFY_LOGFILE); \

diff --git a/providers/oqs-provider/artifacts_certs_r4.zip b/providers/oqs-provider/artifacts_certs_r4.zip
diff --git a/providers/oqs-provider/ca.cnf b/providers/oqs-provider/ca.cnf
@@ -0,0 +1,82 @@
+#
+# OpenSSL example configuration file.
+# See doc/man5/config.pod for more info.
+#
+# This is mostly being used for generation of certificate requests,
+# but may be used for auto loading of providers
+
+# Note that you can include other files from the main configuration
+# file using the .include directive.
+.include oqsprov.cnf
+
+####################################################################
+[ ca ]                           # The default CA section
+default_ca = CA_default          # The default CA name
+
+[ CA_default ]                                           # Default settings for the intermediate CA
+dir               = /root/oqsCA/intermediateCA            # Intermediate CA directory
+certs             = $dir/certs                           # Certificates directory
+crl_dir           = $dir/crl                             # CRL directory
+new_certs_dir     = $dir/newcerts                        # New certificates directory
+database          = $dir/index.txt                       # Certificate index file
+serial            = $dir/serial                          # Serial number file
+RANDFILE          = $dir/private/.rand                   # Random number file
+private_key       = $dir/private/intermediate.key.pem    # Intermediate CA private key
+certificate       = $dir/certs/intermediate.cert.pem     # Intermediate CA certificate
+crl               = $dir/crl/intermediate.crl.pem        # Intermediate CA CRL
+crlnumber         = $dir/crlnumber                       # Intermediate CA CRL number
+crl_extensions    = crl_ext                              # CRL extensions
+default_crl_days  = 30                                   # Default CRL validity days
+default_md        = sha256                               # Default message digest
+preserve          = no                                   # Preserve existing extensions
+email_in_dn       = no                                   # Exclude email from the DN
+name_opt          = ca_default                           # Formatting options for names
+cert_opt          = ca_default                           # Certificate output options
+policy            = policy_loose                         # Certificate policy
+
+[ policy_loose ]                                         # Policy for less strict validation
+countryName             = optional                       # Country is optional
+stateOrProvinceName     = optional                       # State or province is optional
+localityName            = optional                       # Locality is optional
+organizationName        = optional                       # Organization is optional
+organizationalUnitName  = optional                       # Organizational unit is optional
+commonName              = supplied                       # Must provide a common name
+emailAddress            = optional                       # Email address is optional
+
+[ req ]                                                  # Request settings
+default_bits        = 2048                               # Default key size
+distinguished_name  = req_distinguished_name             # Default DN template
+string_mask         = utf8only                           # UTF-8 encoding
+default_md          = sha256                             # Default message digest
+x509_extensions     = v3_intermediate_ca                 # Extensions for intermediate CA certificate
+
+[ req_distinguished_name ]                               # Template for the DN in the CSR
+countryName                     = CH
+stateOrProvinceName             = State or Province Name
+localityName                    = Locality Name
+0.organizationName              = Organization Name
+organizationalUnitName          = Organizational Unit Name
+commonName                      = Common Name
+emailAddress                    = Email Address
+
+[ v3_intermediate_ca ]                                      # Intermediate CA certificate extensions
+subjectKeyIdentifier = hash                                 # Subject key identifier
+authorityKeyIdentifier = keyid:always,issuer                # Authority key identifier
+basicConstraints = critical, CA:true, pathlen:0             # Basic constraints for a CA
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign # Key usage for a CA
+
+[ crl_ext ]                                                 # CRL extensions
+authorityKeyIdentifier=keyid:always                         # Authority key identifier
+
+[ server_cert ]                                             # Server certificate extensions
+basicConstraints = CA:FALSE                                 # Not a CA certificate
+nsCertType = server                                         # Server certificate type
+keyUsage = critical, digitalSignature, keyEncipherment      # Key usage for a server cert
+extendedKeyUsage = serverAuth                               # Extended key usage for server authentication purposes (e.g., TLS/SSL servers).
+authorityKeyIdentifier = keyid,issuer                       # Authority key identifier linking the certificate to the issuer's public key.
+authorityInfoAccess = OCSP;URI:http://ocsp.openquantumsafe.org
+
+[ ocsp ]
+basicConstraints = CA:FALSE
+keyUsage = nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = OCSPSigning
diff --git a/providers/oqs-provider/check.sh b/providers/oqs-provider/check.sh
@@ -0,0 +1,193 @@
+#!/bin/bash
+
+set -eux
+
+function check_dir() {
+
+	# We want to check that the needed structures
+	# are all in place
+	DIR=$1
+
+	# Checks if we have the PEM version of the RootCA
+	if ! [ -f "$DIR/ta/ta.pem" ]; then
+
+		# Checks for the RootCA in DER format
+		if [ -f "$DIR/ta/ta.der" ] ; then
+
+		    # Providing the PEM version of the RootCA
+		    echo "Converting $DIR/ta/ta.der to $DIR/ta/ta.pem ... "
+		    openssl x509 -inform DER -in "$DIR/ta/ta.der" -out "$DIR/ta/ta.pem"
+		    if [ $? -gt 0 ] ; then
+			    echo
+			    echo "ERROR: Cannot convert $DIR/ta/ta.der into PEM format"
+			    echo
+			    exit 1
+		    fi
+		fi
+	fi
+
+	# Checks if we have the PEM version of the
+	# Intermediate CA
+	if ! [ -f "$DIR/ca/ca.pem" ]; then
+
+		# Checks for the RootCA in DER format
+		if [ -f "$DIR/ca/ca.der" ] ; then
+		    # Converts the DER into PEM
+		    openssl x509 -inform DER -in "$DIR/ca/ca.der" -out "$DIR/ca/ca.pem"
+		    if [ $? -gt 0 ] ; then
+			    echo
+			    echo "ERROR: Cannot convert $DIR/ca/ca.der into PEM format"
+			    echo
+			    exit 1
+		    fi
+		fi
+	fi
+
+	# Checks if we have the PEM version of the
+	# EE cert
+	if ! [ -f "$DIR/ee/cert.pem" ]; then
+		# Checks for the EE cert in DER format
+		if [ -f "$DIR/ee/cert.der" ] ; then
+		   # Converts the DER into PEM
+		   openssl x509 -inform DER -in "$DIR/ee/cert.der" -out "$DIR/ee/cert.pem"
+		   if [ $? -gt 0 ] ; then
+	   		   echo
+			   echo "ERROR: Cannot convert $DIR/ee/cert.der into PEM format"
+			   echo
+			   exit 1
+		   fi
+        fi
+    fi
+
+}
+
+check() {
+
+	# Extracts the argument
+	DIR=$1
+    result=""
+
+	# Change directory
+	if ! [ -d "$DIR" ] ; then
+		#echo "ERROR: missing dir $DIR"
+        echo "N,N,N,N,N,N"
+        return
+	fi
+
+	# Change Directory
+	cd "$DIR"
+
+	# Baseline test whether TA cert is well formed
+	openssl x509 -in ta/ta.pem -text -noout 2>/dev/null > /dev/null
+	if [ $? -ne 0 ]; then
+		#echo "No suitable ta/ta.pem found."
+        echo "N,N,N,N,N,N"
+		return
+	fi
+	# Baseline test whether TA cert is self-signed
+	openssl verify -CAfile ta/ta.pem ta/ta.pem 2>/dev/null >/dev/null
+	if [ $? -ne 0 ]; then
+		#echo "ta/ta.pem not self-signed."
+        echo "N,N,N,N,N,N"
+		return
+	fi
+	# Checking for some parsing errors
+	openssl x509 -in ta/ta.pem -text -noout | grep error 2>/dev/null > /dev/null
+	if [ $? -ne 0 ]; then
+		#echo "No error parsing TA certificate in $1";
+		# Extracting algorithm name
+		openssl x509 -in ta/ta.pem -text -noout | grep "Public Key Algorithm" 2>&1 > /dev/null
+        if [ $? -ne 0 ]; then
+           echo "N,N,N,N,N,N"
+           return
+        fi
+		# Verifying cert chain TA->CA
+		openssl verify -CAfile ta/ta.pem ca/ca.pem 2>/dev/null >/dev/null
+		if [ $? -ne 0 ]; then
+			#echo "Error verifying $1/ca/ca.pem"
+            echo "Y,N,N,N,N,N"
+            return
+		#else
+		#	echo "cert chain TA->CA verified for $1"
+		fi
+	else
+		#echo "Error parsing TA certificate in $1"
+        echo "N,N,N,N,N,N"
+        return
+	fi
+
+    # From this point on we know TA & CA are OK, so we collect specific test results
+    ee_csr="N"
+    ta_crl="N"
+    ca_crl="N"
+
+    # Now check EE
+    # First create cert chain
+    cat ca/ca.pem ta/ta.pem > ca-chain.pem
+    # then verify
+    openssl verify -CAfile ca-chain.pem ee/cert.pem 2>/dev/null > /dev/null
+	if [ $? -ne 0 ]; then
+			#echo "Error verifying $1/ee/cert.pem"
+            ee_crt="N"
+    else
+        ee_crt="Y"
+    fi
+
+    if [ -f ee/cert.csr ]; then
+        # EE CSR check
+        openssl req -verify -in ee/cert.csr 2>/dev/null > /dev/null
+	    if [ $? -eq 0 ]; then
+            ee_csr="Y"
+        fi
+    fi
+
+    if [ -f crl/crl_ta.crl ]; then
+        # TA CRL check
+        openssl crl -verify -in crl/crl_ta.crl -CAfile ta/ta.pem 2>/dev/null >/dev/null
+	    if [ $? -eq 0 ]; then
+            ta_crl="Y"
+        fi
+    fi
+
+    if [ -f crl/crl_ca.crl ]; then
+        # CA CRL check
+        openssl crl -verify -in crl/crl_ca.crl -CAfile ca-chain.pem 2>/dev/null >/dev/null
+	    if [ $? -eq 0 ]; then
+            ca_crl="Y"
+        fi
+    fi
+
+    # TODO: How to check OCSP artifact(s)??
+
+    echo "Y,Y,${ee_crt},${ee_csr},${ta_crl},${ca_crl}"
+	cd ..
+}
+
+    if [ $# -ne 1 ]; then
+       echo "No target directory to check provided. Exiting."
+       exit -1
+    else
+        pushd $1 >/dev/null 2>/dev/null
+    fi
+    #echo "Checking in $(pwd)"
+    if [ ! -d "artifacts" ]; then
+        echo "No artifacts found. Exiting."
+        exit -1
+    fi
+    cd artifacts
+    echo "key_algorithm_oid,ta,ca,ee,csr,crl_ta,crl_ca"
+    for oid_folder in *; do
+
+	   target=${oid_folder}
+
+   	   # Executing the Check Script
+	   check_dir "${target}"
+       if [ $? -ne 0 ]; then
+          echo "${target},N,N,N,N,N,N"
+       else
+       result=$(check "${target}")
+          echo "${target},${result}"
+	   fi
+
+    done
+    popd 2>/dev/null >/dev/null
diff --git a/providers/oqs-provider/check_r3.sh b/providers/oqs-provider/check_r3.sh
@@ -0,0 +1,88 @@
+#!/bin/bash
+
+set -eux
+
+function check_cert() {
+
+	# We want to check that the needed structures
+	# are all in place
+    CERT=$1
+
+	# Checks if we have the PEM version of the RootCA
+	if ! [ -f "$CERT.pem" ]; then
+
+		# Checks for the RootCA in DER format
+		if [ -f "$CERT.der" ] ; then
+
+		    # Providing the PEM version of the RootCA
+		    # echo "Converting $CERT.der to $CERT.pem ... "
+		    openssl x509 -inform DER -in "$CERT.der" -out "$CERT.pem"
+		    if [ $? -gt 0 ] ; then
+			    echo
+			    echo "ERROR: Cannot convert $CERT.der into PEM format"
+			    echo
+			    exit 1
+		    fi
+		fi
+	fi
+}
+
+check() {
+
+	# Extracts the argument
+	PEM=$1
+
+	# Baseline test whether TA cert is well formed
+	openssl x509 -in $PEM -text -noout 2>/dev/null > /dev/null
+	if [ $? -ne 0 ]; then
+		# echo "${PEM} not suitable."
+        echo "N"
+		return
+	fi
+	# Baseline test whether TA cert is self-signed
+	openssl verify -CAfile $PEM $PEM 2>/dev/null >/dev/null
+	if [ $? -ne 0 ]; then
+        echo "N"
+		# echo "${PEM} not self-signed."
+		return
+	fi
+	# Checking for some parsing errors
+	openssl x509 -in $PEM -text -noout | grep error 2>/dev/null > /dev/null
+	if [ $? -ne 0 ]; then
+		#echo "No error parsing TA certificate in $1";
+		# Extracting algorithm name
+		openssl x509 -in $PEM -text -noout | grep "Public Key Algorithm" 2>&1 > /dev/null
+        if [ $? -ne 0 ]; then
+           echo "N"
+           return
+        fi
+	else
+        echo "N"
+		# echo "Error parsing ${PEM}"
+        return
+	fi
+
+    echo "Y"
+	cd ..
+}
+
+    if [ $# -ne 1 ]; then
+       echo "No target directory to check provided. Exiting."
+       exit -1
+    else
+        pushd $1 >/dev/null 2>/dev/null
+    fi
+    #echo "Checking in $(pwd)"
+    if [ ! -d "artifacts" ]; then
+        echo "No artifacts found. Exiting."
+        exit -1
+    fi
+    cd artifacts
+    echo "key_algorithm_oid,test_result"
+    for oid_folder in 1*_ta.*; do
+	   target=$(echo $oid_folder | sed -r "s/(.*)_ta.*/\1/g")
+       check_cert "${target}_ta"
+       result=$(check "${target}_ta.pem")
+	   echo "${target},${result}"
+    done
+    popd 2>/dev/null >/dev/null