Announcing automated PQC certificate testing from the IETF PQC hackathon team

84 views
Skip to first unread message

Mike Ounsworth

unread,
12:03 AM (10 hours ago) 12:03 AM
to LAMPS, p...@ietf.org, pqc-forum, Douglas Stebila, Pravek Sharma, David Hook, Anthony Hu, Felipe Ventura, John Gray

Over the IETF 120 hackathon weekend, as part of the PQC Certificates hackathon team myself and my colleague Felipe Ventura built some github commit-hook automation to automatically test all uploaded certificate zip bundles against the latest OpenSSL/OpenQuantumSafe docker image, and then automatically re-build and publish the hackathon interop results page. We also publish the full log file from the most recent run so people can figure out why their certs fail (ex.: crypto problem, or just that the cert is expired?).

 

Compatibility matrix tables:

https://ietf-hackathon.github.io/pqc-certificates/

 

 

To contribute test artifacts, see the readme here:

https://github.com/IETF-Hackathon/pqc-certificates

 

 

Future work:

  • We hope to see more pull requests to the hackathon repo if people want an easy way to test their certs :)
  • We built it with OpenSSL/OQS for the hackathon, but with the idea that we would to add other open source crypto libraries to the pipeline as verifiers: NIST ACVP, BouncyCastle, and WolfSSL are the obvious ones to start with. One of our new hackathon members offered to do NIST ACVP. For BC / WolfSSL; we just need the owners of those libraries to publish a dockerized version of the binary on docker hub, shoot us some documentation about the command line invocation to verify an X.509 cert, and we can easily add it. Could consider rust crypto, go crypto, python crypto, and others if people want to help us build those out.
  • CMS: We are starting to collect a few PQ CMS artifacts in the hackathon repo. we can trivially extend what we’ve built to also run PQC CMS artifacts through Openssl/OQS, but I don’t think OQS supports KEMRecipientInfo yet, so it wasn’t high on our priority list for this weekend. @David Hook, @Roy this would a great reason to get BC hooked up; I think you’re fully up to date on the CMS drafts.

 

It’s been a very long and successful hackathon weekend. I’m now gonna go get some sleep :P

 

- - -

Mike Ounsworth

Software Security Architect

(pronouns: he/him)

 

 

 

image001.png
image002.png
Reply all
Reply to author
Forward
0 new messages