codespree
commented
3 weeks ago For simplicity, and to avoid combinatorial explosion, should we just stick to the MUSTs for CMS artifacts?
Open codespree opened 3 weeks ago
codespree
commented
3 weeks ago For simplicity, and to avoid combinatorial explosion, should we just stick to the MUSTs for CMS artifacts?
carl-wallace
commented
3 weeks ago Not sure. Having test artifacts beyond the MTIs isn't necessarily a bad thing.
codespree
commented
3 weeks ago @carl-wallace sure. But I think the above description is clearer right?
The file names etc. and the MTI artifacts which MUST be present.
We can also verify anything else submitted as well, no harm.
But the test should fail if an MTI is not present.
carl-wallace
commented
3 weeks ago I don't think anything MUST be present for any provider in this repo. To my eye, the utility of this endeavor is in teasing out spec bugs, making sure there is interoperability where there are common algorithms between implementations, etc.
The above description seems useful to me, but is brainpool actually an MTI for composite KEM?
codespree
commented
3 weeks ago @carl-wallace the musts are from the drafts. For example,
A compliant implementation MUST support the following algorithm
combinations for the KEMRecipientInfo kdf and wrap fields when the
corresponding Composite ML-KEM algorithm is listed in the
KEMRecipientInfo kem field. The KDFs listed below align with the KDF
used internally within the KEM combiner. An implementation MAY also
support other key-derivation functions and other key-encryption
algorithms within CMS KEMRecipientInfo and SHOULD use algorithms of
equivalent strength or greater.https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-kem/
Section 8.1
carl-wallace
commented
3 weeks ago Thanks for the reference (the current data tracker outage impeded my loading the draft). Be that as it may, I don't see "failing a test" because one only submitted a subset of artifacts. But that's just, like, my opinion:-) But, it's also only a draft at present. I wonder if these MTIs will all stick.
codespree
commented
3 weeks ago @carl-wallace
@jethrolow created an automation: https://jethrolow.github.io/pqc-certificates/pqc_hackathon_results_certs_r4_automated_tests.html
I was thinking we could do something similar for CMS artifacts.
So, from that point of view, what would be the rows? Just MTI artifacts?
If not just MTI artifacts, it would be difficult to list all possible combinations as rows right?
codespree
commented
2 weeks ago This is not a comment about the draft. Nor does it express an opinion on what MTI artifacts should be. This is a comment about the language in the README.md file and about its clarity to, at least, developers like me.
And, how we can create an automation to test CMS artifacts.
Perhaps we can test the MTI artifacts as rows in an automation page.
And have one extra row as Others which tests the rest and shows pass/fail in that row.
Perhaps the following can weigh in here: [✅] @carl-wallace [❓] @dghgit [❓] @ounsworth
CMS -- artifacts_cms_v2.zip
This is version 2 of the CMS artifacts format. It may change, if it needs to change.
Within
providers/<provider_name>/[implementation_name/]artifacts_cms_v2/subfolder which will contain the artifactsartifacts_cms_v2/expected_plaintext.txt# The message which was encrypted and can be compared against the decrypted artifacts.artifacts_cms_v2/ukm.txt# The User Keying Material (UKM) included in some of the enveloped messages.artifacts_cms_v2/<ta oid>_<ta friendly name>_ta.der# ML-DSA trust anchor used to sign the KEM end-entity certificates:artifacts_cms_v2/<oid>_<friendly>_ee.der# The KEM certificate that the message is enveloped to.artifacts_cms_v2/<oid>_<friendly>_priv.der# The private key to decrypt the enveloped messages.artifacts_cms_v2/<oid>_<friendly>_kemri_ukm_<kdf>.der# An Enveloped artifact using KEMRI’s UKM field and one of the Mandatory to Implement (MTI) KDFs for the KEM algorithm.artifacts_cms_v2/<oid>_<friendly>_kemri_auth_<kdf>.der# An AuthEnveloped artifact using KEMRI without UKM and one of the MTI KDFs for the KEM algorithm.artifacts_cms_v2/<oid>_<friendly>_kemri_<kdf>.der# Enveloped artifacts using KEMRI without UKM and the specified KDF.Friendly
Per https://github.com/IETF-Hackathon/pqc-certificates/issues/96 we would like a text description of the algorithm in the artifact names to make artifacts directory listings easier to read. Stick something same in there, for example the appropriate name from oid_mapping.md.
Trust Anchor
A trust anchor isn't necessary to verify the KEMRecipientInfo artifacts, but if you provide it, we can test that the EE certificate is signed by the TA. If it is not provided, this test will be skipped.
DER vs PEM
We picked DER encoding so there's not an extra layer to mess up. You probably have a DER<->PEM re-encoding tool.
Encryption Algorithms
Use
id-aes<size>wrapfor KEK algorithm where<size>is appropriate for your<oid>. Each I-D/RFC should specify this.Use
aes-<size>-gcmfor the CEK algorithm in the<oid>_kemri_auth_<kdf>.derartifact. Useaes-<size>-cbcfor all others.MTI KDFs
Each RFC will specify MTI KDFs, and allow for others as well.
You MUST have a
<oid>_<friendly>_kemri_<kdf>,<oid>_<friendly>_kemri_ukm_<kdf>.der, and<oid>_<friendly>_kemri_auth_<kdf>.derartifacts for all MTI KDFs.You MAY provider artifacts for other KDFs with the following caveats:- Pure ML-KEM (
draft-ietf-lamps-cms-kyber-05Section 2.2.2):Composite ML-KEM (
draft-ietf-lamps-pq-composite-kem-05Section 8.1):<kdf> string<kdf> string* Based on draft-ietf-lamps-cms-kyber-05 ** Based on draft-ietf-lamps-pq-composite-kem-05 *** Based on draft draft-ietf-lamps-rfc5990bis-10
The markdown for the above is: