
Commit 6b24ea8

authored
Merge pull request #326 from anhu/dilm
Add a script for generating dilithium cert chains.
2 parents 5d3b12b + fd7ad77 commit 6b24ea8

1 file changed

Lines changed: 170 additions & 0 deletions


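--- a/pq/generate_dilithium_chains.sh
+++ b/pq/generate_dilithium_chains.sh
@@ -0,0 +1,170 @@
+#!/bin/bash
+
+# Script to generate Dilithium NIST Level 2,3 and 5 certificate chains; both
+# SHAKE and AES variants.
+#
+# Copyright 2022 wolfSSL Inc. All rights reserved.
+# Original Author: Anthony Hu.
+#
+# Execute this script in the openssl directory after building OQS's fork of
+# OpenSSL. Please see the README.md file for more details.
+
+if [ "$OPENSSL" = "" ]; then
+OPENSSL=./apps/openssl
+fi
+
+# Generate conf files.
+printf "\
+[ req ]\n\
+prompt = no\n\
+distinguished_name = req_distinguished_name\n\
+\n\
+[ req_distinguished_name ]\n\
+C = CA\n\
+ST = ON\n\
+L = Waterloo\n\
+O = wolfSSL Inc.\n\
+OU = Engineering\n\
+CN = Root Certificate\n\
+emailAddress = root@wolfssl.com\n\
+\n\
+[ ca_extensions ]\n\
+subjectKeyIdentifier = hash\n\
+authorityKeyIdentifier = keyid:always,issuer:always\n\
+keyUsage = critical, keyCertSign\n\
+basicConstraints = critical, CA:true\n" > root.conf
+
+printf "\
+[ req ]\n\
+prompt = no\n\
+distinguished_name = req_distinguished_name\n\
+\n\
+[ req_distinguished_name ]\n\
+C = CA\n\
+ST = ON\n\
+L = Waterloo\n\
+O = wolfSSL Inc.\n\
+OU = Engineering\n\
+CN = Entity Certificate\n\
+emailAddress = entity@wolfssl.com\n\
+\n\
+[ x509v3_extensions ]\n\
+subjectAltName = IP:127.0.0.1\n\
+subjectKeyIdentifier = hash\n\
+authorityKeyIdentifier = keyid:always,issuer:always\n\
+keyUsage = critical, digitalSignature\n\
+extendedKeyUsage = critical, serverAuth,clientAuth\n\
+basicConstraints = critical, CA:false\n" > entity.conf
+
+###############################################################################
+# Dilithium NIST Level 2; SHAKE Variant
+###############################################################################
+
+# Generate root key and entity private keys.
+${OPENSSL} genpkey -algorithm dilithium2 -outform pem -out dilithium_level2_root_key.pem
+${OPENSSL} genpkey -algorithm dilithium2 -outform pem -out dilithium_level2_entity_key.pem
+
+# Generate the root certificate
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 20 -key dilithium_level2_root_key.pem -out dilithium_level2_root_cert.pem
+
+# Generate the entity CSR.
+${OPENSSL} req -new -config entity.conf -key dilithium_level2_entity_key.pem -out dilithium_level2_entity_req.pem
+
+# Generate the entity X.509 certificate.
+${OPENSSL} x509 -req -in dilithium_level2_entity_req.pem -CA dilithium_level2_root_cert.pem -CAkey dilithium_level2_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 21 -out dilithium_level2_entity_cert.pem
+
+###############################################################################
+# Dilithium NIST Level 3; SHAKE Variant
+###############################################################################
+
+# Generate root key and entity private keys.
+${OPENSSL} genpkey -algorithm dilithium3 -outform pem -out dilithium_level3_root_key.pem
+${OPENSSL} genpkey -algorithm dilithium3 -outform pem -out dilithium_level3_entity_key.pem
+
+# Generate the root certificate
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 30 -key dilithium_level3_root_key.pem -out dilithium_level3_root_cert.pem
+
+# Generate the entity CSR.
+${OPENSSL} req -new -config entity.conf -key dilithium_level3_entity_key.pem -out dilithium_level3_entity_req.pem
+
+# Generate the entity X.509 certificate.
+${OPENSSL} x509 -req -in dilithium_level3_entity_req.pem -CA dilithium_level3_root_cert.pem -CAkey dilithium_level3_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 31 -out dilithium_level3_entity_cert.pem
+
+###############################################################################
+# Dilithium NIST Level 5; SHAKE Variant
+###############################################################################
+
+# Generate root key and entity private keys.
+${OPENSSL} genpkey -algorithm dilithium5 -outform pem -out dilithium_level5_root_key.pem
+${OPENSSL} genpkey -algorithm dilithium5 -outform pem -out dilithium_level5_entity_key.pem
+
+# Generate the root certificate
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 50 -key dilithium_level5_root_key.pem -out dilithium_level5_root_cert.pem
+
+# Generate the entity CSR.
+${OPENSSL} req -new -config entity.conf -key dilithium_level5_entity_key.pem -out dilithium_level5_entity_req.pem
+
+# Generate the entity X.509 certificate.
+${OPENSSL} x509 -req -in dilithium_level5_entity_req.pem -CA dilithium_level5_root_cert.pem -CAkey dilithium_level5_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 51 -out dilithium_level5_entity_cert.pem
+
+###############################################################################
+# Dilithium NIST Level 2; AES Variant
+###############################################################################
+
+# Generate root key and entity private keys.
+${OPENSSL} genpkey -algorithm dilithium2_aes -outform pem -out dilithium_aes_level2_root_key.pem
+${OPENSSL} genpkey -algorithm dilithium2_aes -outform pem -out dilithium_aes_level2_entity_key.pem
+
+# Generate the root certificate
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 20 -key dilithium_aes_level2_root_key.pem -out dilithium_aes_level2_root_cert.pem
+
+# Generate the entity CSR.
+${OPENSSL} req -new -config entity.conf -key dilithium_aes_level2_entity_key.pem -out dilithium_aes_level2_entity_req.pem
+
+# Generate the entity X.509 certificate.
+${OPENSSL} x509 -req -in dilithium_aes_level2_entity_req.pem -CA dilithium_aes_level2_root_cert.pem -CAkey dilithium_aes_level2_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 21 -out dilithium_aes_level2_entity_cert.pem
+
+###############################################################################
+# Dilithium NIST Level 3; AES Variant
+###############################################################################
+
+# Generate root key and entity private keys.
+${OPENSSL} genpkey -algorithm dilithium3_aes -outform pem -out dilithium_aes_level3_root_key.pem
+${OPENSSL} genpkey -algorithm dilithium3_aes -outform pem -out dilithium_aes_level3_entity_key.pem
+
+# Generate the root certificate
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 30 -key dilithium_aes_level3_root_key.pem -out dilithium_aes_level3_root_cert.pem
+
+# Generate the entity CSR.
+${OPENSSL} req -new -config entity.conf -key dilithium_aes_level3_entity_key.pem -out dilithium_aes_level3_entity_req.pem
+
+# Generate the entity X.509 certificate.
+${OPENSSL} x509 -req -in dilithium_aes_level3_entity_req.pem -CA dilithium_aes_level3_root_cert.pem -CAkey dilithium_aes_level3_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 31 -out dilithium_aes_level3_entity_cert.pem
+
+###############################################################################
+# Dilithium NIST Level 5; AES Variant
+###############################################################################
+
+# Generate root key and entity private keys.
+${OPENSSL} genpkey -algorithm dilithium5_aes -outform pem -out dilithium_aes_level5_root_key.pem
+${OPENSSL} genpkey -algorithm dilithium5_aes -outform pem -out dilithium_aes_level5_entity_key.pem
+
+# Generate the root certificate
+${OPENSSL} req -x509 -config root.conf -extensions ca_extensions -days 365 -set_serial 50 -key dilithium_aes_level5_root_key.pem -out dilithium_aes_level5_root_cert.pem
+
+# Generate the entity CSR.
+${OPENSSL} req -new -config entity.conf -key dilithium_aes_level5_entity_key.pem -out dilithium_aes_level5_entity_req.pem
+
+# Generate the entity X.509 certificate.
+${OPENSSL} x509 -req -in dilithium_aes_level5_entity_req.pem -CA dilithium_aes_level5_root_cert.pem -CAkey dilithium_aes_level5_root_key.pem -extfile entity.conf -extensions x509v3_extensions -days 365 -set_serial 51 -out dilithium_aes_level5_entity_cert.pem
+
+###############################################################################
+# Verify all generated certificates.
+###############################################################################
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile dilithium_level2_root_cert.pem dilithium_level2_entity_cert.pem
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile dilithium_level3_root_cert.pem dilithium_level3_entity_cert.pem
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile dilithium_level5_root_cert.pem dilithium_level5_entity_cert.pem
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile dilithium_aes_level2_root_cert.pem dilithium_aes_level2_entity_cert.pem
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile dilithium_aes_level3_root_cert.pem dilithium_aes_level3_entity_cert.pem
+${OPENSSL} verify -no-CApath -check_ss_sig -CAfile dilithium_aes_level5_root_cert.pem dilithium_aes_level5_entity_cert.pem
+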
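Review bot: No openssl invocation in the new file checks its exit status, so a failed `genpkey` or `req` (for instance a build without the dilithium algorithms) lets the script carry on against missing files, and the script's final exit code reflects only the last `verify` on line 169, losing any failure from lines 164–168. Adding `set -euo pipefail` directly after the shebang on line 1 stops at the first failing step and makes the verify results meaningful; quoting `"${OPENSSL}"` at each call site would also survive a path containing spaces. Separately, the SHAKE and AES roots share the same subject (`CN = Root Certificate`, line 28) and the same `-set_serial` values (20/30/50 on lines 68, 85, 102 and again on 119, 136, 153), so two distinct CA certificates carry an identical issuer DN and serial, and the entity certificates' `issuer:always` AKI (line 54) therefore names the same issuer/serial pair for both variants; giving each variant its own serial range (or CN) keeps issuer+serial unique as RFC 5280 expects. Nothing on lines 64–65 or the sibling `genpkey` calls limits the mode of the `*_key.pem` files, so if the generated private keys are meant to be protected, a `umask 077` before key generation is the one-line fix.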
