search

open-quantum-safe / liboqs-go

Go bindings for liboqs
https://openquantumsafe.org/
MIT License
71 stars 25 forks source link

How to use x509 Certificate Signer on golang #34

Closed ShubhamTatvamasi closed 8 months ago

ShubhamTatvamasi commented 10 months ago

Hi, is there any way to use my code with custom signer from OQS library?

I am getting the following error:

Error creating certificate: x509: certificate private key does not implement crypto.Signer

Here is my code:

package main

import (
    "crypto/rand"
    "crypto/x509"
    "crypto/x509/pkix"
    "encoding/pem"
    "fmt"
    "math/big"
    "os"
    "time"

    "github.com/open-quantum-safe/liboqs-go/oqs"
)

func generateDilithium2KeyPair() ([]byte, []byte, error) {
    // Initialize liboqs
    quantumKeys := oqs.Signature{}
    defer quantumKeys.Clean()

    // Initialize liboqs-go
    err := quantumKeys.Init("Dilithium2", nil)
    if err != nil {
        return nil, nil, fmt.Errorf("Error initializing liboqs-go: %v", err)
    }

    // Generate key pair
    publicKey, err := quantumKeys.GenerateKeyPair()
    if err != nil {
        return nil, nil, fmt.Errorf("Error generating key pair: %v", err)
    }

    // Export private key
    privateKey := quantumKeys.ExportSecretKey()

    return publicKey, privateKey, nil
}

func generateCertificate(publicKey []byte, privateKey []byte) ([]byte, error) {

    // Create a self-signed certificate
    template := x509.Certificate{
        SerialNumber:          big.NewInt(1),
        Subject:               pkix.Name{CommonName: "Dilithium Cert"},
        NotBefore:             time.Now(),                           // Valid from the start
        NotAfter:              time.Now().Add(365 * 24 * time.Hour), // Valid for 1 year
        KeyUsage:              x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature,
        ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
        BasicConstraintsValid: true,
    }

    fmt.Println("Getting error at this step.")
    certDER, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey, privateKey)
    if err != nil {
        return nil, fmt.Errorf("Error creating certificate: %v", err)
    }

    return certDER, nil
}

func main() {
    // Step 1: Generate Dilithium2 Key Pair
    publicKey, privateKey, err := generateDilithium2KeyPair()
    if err != nil {
        fmt.Println(err)
        return
    }

    // Step 2: Generate X.509 Certificate
    certDER, err := generateCertificate(publicKey, privateKey)
    if err != nil {
        fmt.Println(err)
        return
    }

    // Step 3: Save Certificate to a file
    certFile, err := os.Create("example.crt")
    if err != nil {
        fmt.Println("Error creating certificate file:", err)
        return
    }
    defer certFile.Close()

    pem.Encode(certFile, &pem.Block{Type: "CERTIFICATE", Bytes: certDER})

    fmt.Println("Certificate generated successfully.")
}
ShubhamTatvamasi commented 10 months ago

Hello @dstebila, I'm developing a Kubernetes Operator for OQS, aiming to encompass all the features offered by the OQS library to enhance the security of Kubernetes environments and applications. I would greatly appreciate your guidance in this endeavour. Thank you.

dstebila commented 8 months ago

Sorry for the slow reply here. In case it's still relevant to know, this issue would be out of scope of what liboqs-go achieves. liboqs-go exposes the post-quantum KEM and signature algorithms from liboqs as basic functions in Go, but does not try to add those algorithms to various cryptographic protocols implemented within Go, such as X.509 or TLS. One would have to dive into the Go X.509 code to figure out how to add these extra algorithms, including providing all the relevant X.509 algorithm identifiers, which the barebones liboqs-go wrapper does not do.