open-quantum-safe / oqs-provider

OpenSSL 3 provider containing post-quantum algorithms
https://openquantumsafe.org
MIT License

Interoperability issue. - Unable to load Dilithium2 Public key in OpenSSL with OQSP Provider created by thirdparty CA #446

Closed stauro79 closed 2 months ago

stauro79 commented 3 months ago

Describe the bug
I am unable to use/export Dilithium2 Certificates created by our CA software. When openssl tries to decode the public key, it fails.

C:\Users\v918770\Documents\pqc\openssldebug\openssl\apps>openssl x509 -pubkey -noout -in 1.crt
Error getting public key
802D0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:crypto\x509\x_pubkey.c:464:

When i create a dilithium2 cert with openssl, I am able to load it correctly.

The difference I see is in the public key encoding.

When we ASN.1 encode the public key, the public key parameter is kept as NULL. The public key encoding done in oqs completely omits the parameter.

asn1parse of our cert; the public key has NULL in it.

  147:d=2  hl=4 l=1334 cons: SEQUENCE
  151:d=3  hl=2 l=  15 cons: SEQUENCE
  153:d=4  hl=2 l=  11 prim: OBJECT            :dilithium2
  166:d=4  hl=2 l=   0 prim: NULL
  168:d=3  hl=4 l=1313 prim: BIT STRING

This is the sample certificate that fails to load. -----BEGIN CERTIFICATE----- MIIPwzCCBjWgAwIBAgIUVwKX7F9YprcOaHTKDJdyN/dFxpgwDwYLKwYBBAECggsHBAQFADAVMRMw EQYDVQQDDApvcXN0ZXN0IENBMB4XDTI0MDYyNDEyNTgxNFoXDTI1MDUyMzA2NDA1NFowJjELMAkG A1UEBhMCVVMxFzAVBgNVBAMMDm9xc3Rlc3Qgc2VydmVyMIIFNjAPBgsrBgEEAQKCCwcEBAUAA4IF IQDvunXoP6goC2mP1d5ZQdW3nuVewtlTD/aRD91cIqpzzb1RiIyQz3Axap2x/gpuipEc5JN8fAPf xuEfmv1TdgRxtSqm1MQ6KD6fOMm0eqYYCNKha+WbNTB9euSUwRsKKXjxYOkTxZ8tQWzLh48YWusz /Mrs0p4sIGPeHC8THy4JLnBRj34L4ucWbNcjUHGJPp89LkwA6nLiBZzrWt2f2RuTAhno76HwwyaX HPzmvD0TSr/NXmzuj2OanjkdCz9prUIMV/rzSBacyGtW32ZUjK3SL7OJfPJg90NmjcmatO9iddSo 7Kn/MsXt6Y3riI2XuNurePNW06+1PhJYIWv+0PmHQK4HGUdhhT3bih/VfcZqeFoPZuyQ8+qPrSqS IsDfI6HVM4Ka3QSEHq9+CgLwOtTmrxrNZhBFX7QD1PaT9iq4Q3eh+mhOTVTSooXA5MnkIXEqKbF6 ZGvqZfCAhyLhQOqjBNFqdf3/fthwVB+pDEwlZ2D4K+FBMtSgri8fEbEAkO6IOSvLagog1d0Tbsic NeRT4sepikNH3y3sfqg4LeL5K7xm2PQK1UBK3tFlBwQTS/Rsu01/0olP4f0/dhvw7bdHP7phv6Tn RrWxk4DR37Ytj7FvEd69hEYYALen5Go8taX8zd5hIISqp2ewECJBlhq3K18Qf2AMLwE/1xgkaK0T KqyX+izz4hdV8OEepAnuzBeAOehSX7ObmK9+h+U8YHJta95lsxPM2qm2eOxNzYnhGNMDBm1q7GBs EKVMFEsvjzxgOXAb2gOHeboxHibCvujAF95nybkOwTTLg5GUKXwj40gAaN6BtMDVsEYC7IFkWWUE FhC3MqcMA3Q6GL8IrHfhZ6xqAbzlkW5sLt1HNzeH0KA/l00n7C5gZIza1Ksjh4YYWJALo3Nbiwf4 dDSuI2Ot3WXpxfpWclHzC9MOpe1f3hYqaIYUlc7XAl2vqcKn9+8wTZ4gJdggu1T1KaK/Wwgq4BqA 6jO26WIk0hBOOILaazgiOAAMp2e/k7xSN0pfI45uwBmjhLXKfd0dIkzbJH9lwuZJsbtsIl3PLNdO cqO0ydUY6Q3MxCtT40XeK6DP74txhnydN8kUsK/upU01jlWWIep/SW+kD98viYxpEVqXMpsrE3+6 GJrw3/C8RxaAm7howKYBhIFzPRl6Kg3PMLZzwoypYOSictOkxiJx9DONBttq99UNRSRsIDC40xVA 1MZy1MBsVR2lkvQVv/4e75Gfy2pMHsqSW7LK6eadfSf6fvfDkZHFkbbsCMqPPbb4Nvky+Zy9NuiT d0fEg+wUIfT7jqSNO+/AqRwXnYH0JfbfxB6CdkIbl7bmOZEkdJieQWDgxlAJTC3QWQoau32Vmtiy XMpiNIVG1kWbGcTs6o9k5bHq3PwcK5X+zn6ED6bpYu1mAo/AdGQhpp9ckTqKmktZpllVWMmbDs2n +gLS0NK2SOyUN4ZKmQOaQTArMeqiPrn4gKl06CfHyFg/yuOKaTzcmPWg+buIeKUz+KrQhJMio/HT d2ifvJbHa4zlStCnR/g8ZsXmn8b5FavMfUpS34++GVvxTC1dGEJMdBZyenSpc/6QIspftJMGJkeD 
Di140629/NUYqwBqN7hBFRm7b9i8yLPNJl25JgO/Wglhu1s9gBic1kiMb54K1BvJWGxb7eabGlm1 NoQVwkoxtEjvIg158wd2zxU4ITmuTMER9fjCZqf8J/Au2zfzZ9qTWjEsh2g+Y3shiOYw/XqAw7K/ KR/Vo24wbDAJBgNVHRMEAjAAMA4GA1UdDwEB/wQEAwIHgDATBgNVHSUEDDAKBggrBgEFBQcDAjA6 BgNVHSMEMzAxoRmkFzAVMRMwEQYDVQQDDApvcXN0ZXN0IENBghR50hGXEwdhGyia7/gtjyAcUCww bTAPBgsrBgEEAQKCCwcEBAUAA4IJdQC5L16hFconHxouSTVZuNGJGdyCmecXyhcWRj6en+V4yWMC /cyUPgb7k/r/NXz0D6zukpHJpR36nYIGrhM3B/tX9QY2oiNlroSwma/i6gm7iI+YPmrJMre9/2JI OtkXZ8gb9wHt/svp6OBasPJOXP1svyE7ceplbwFySfaJalPgl+lZgnO9IbN8cIaxnzBnTuh5Hd7L HvD8lDxbElzURuZyhhFekUlI9psaHLuChAuLu5+0Hzns8o97t3bkNfSubIVCQm4z3tajUJSRNpfO h6k5MJQy/ogYhCbGFNJsbepDAb/ohlnA4VzeDx1U/hrKOkF3mNiRqEqzL+EaVtEKWT9My3BKBy1B uPgLQyT9D/M9DfWeqgtKJL0CqEAhyWYcEZLVdNV1i6QPM7goKEHorqZ3tkPY7BIMBSR9rI9/eP+c abGr7w8mHldxuafV2PiZTwOC/q2alzBdM1KnjslFIDuGLZTkSBXH84C8eKgw1DiYf64KtTYSgt5P 64wMySXN9Socdyxaw3u1BayrPUSRaEErSOCwS4J0pTQC3nrXoS5zDOOyLu2TBjjSBMIJ18pKVzR4 1mSiFdsWMGZUvrVfqBOn765buymYCJTRubrNF+ZUnff/laEuam7uNsZ2oUEOaYWvV91tbkfDxK46 JqV0l/EzVM6Hb7Q5Y8l4cPfUnR81jt/D2ZX2BwXnb8w6BAKtu7PMoU49abiUED5Tdpz8K1iWUYUd vGzGGddN5FRCIJX7EDHEG+WNDHlaSpXq+6G40llzbSNEeHEqJwDXf6KQ5l9XfSYX68lc+qFBLnmp LHGDkybm46HeeGXITg1t6yAOll9JSTsByy/nTTQigJtBaT8lwMdWCk3RUutsIf15HX8MLWAtkzzu V4kU8kRhwkYOE6LQzZkHW3IlezPKpUbfil7iIv8ZYVlNf4jL+1hn1sYys2F6pDrv4HxSt6s0A0ZL ME/qcQzSDnGf+r2dHwBh53WGOjFAPFWrnPIjSNF4UR/nU+zO1fmGuD0l7KdaiZCqMZFn8o7lQ/Jg ga1nt12NKnMf3vPaGMAdXWqoCIARsU+yrbqGRLG2qMtkftLYYrDToSmybeSVmqE2vop5ViXGPyXP rJA09mqekfC9kJObH3Qh3lC9Aqj9AQOLXeJrcbjVwbEILLQWXbLwlZwSc15PjPUGs+OUcnp0r4QF R/VC7irE/KcZUnrRvv3PjwqHeg4O15FMlBmNYaMrI6kv32hKeHRweI68ePu2cGofQWUMFAcbfMDU +L9mKwHK3nEJ10wGB0YL+NKWoBZXUKNomVVMbIU5Gf6oXueCIbUa92knCxWC4AmSm0MKw2D1Cw+w ZruUYe1Bp74SJ8CW6Nr2GjFDRM/9pny+buwOjpPGozQx0FhS4xQVluhDnzxnAxsqXzLiBLo3YjrO u9+nmem+VSSJ6oGed61rTAVqnaC1QATlg703GEq7MosCa9a2JnQio2+6RH3C0eEVUVO3EluYioZw 11kTy2EtH6l3RhlTwDMYajjTi7s7uN3mLNRzEifxdPL4aQpv4QL3AaKf+CFmFsxGrNTvXlF2QADi 
2+irkDnquwCTfOhnvoRc3lOOL9caYqFrB/8dCiMP1jU6fTS+JBPBGmgIATeseY/CNLlRxQNakvDP gLiknGVF7a6zOt8Mg6L043k69DHsLC13RZvUPTizf5mGO2JkhOed2upP6Fd2hMpLlna9gQrvMRHB n/5f1Q2eKOzdLEzeOlD5MuIwKx/gniSAV/9cfhe3xPvAMhjN/aXdue+u5Mg//O+UPGIc2kac/LNO +vDkeSaQ85wBC6d3aZstHUiN/7O5ZDrVWxPFR0HmoVfFueAiWttzHWhX0hZitvi10sLe96zFXi0h TuDB6hJg8IVZ41sgFdxFi/YrAsFReK/aPMeIWvqjSumZu7GJ0eAl3nKsiexlNNxr/WEhDk3dRfCf iR2bCNQx6jyE8+w9Ku2/3gD1CQGmCnBLIEqsgDMFpgfVUeAUEmnsP7jA/TojwH/MUeaOvraFB65M 2r1gbqzdD2ZsqnDyDlHgiFBQOR5Bz8PdlycySH4JPQT9c3Frzvb7W1b5P1uAubDN9WvdiFHLbg07 kN1SOKO1qIf7bOeyA+2eFmL0yVayyTi7yiETDC1YXAR399PWFMp3GqoFgUUr04sHhM6AnuwiVF+S qFDgtmMKo3mwFXssPvAxWmIQzbG0ec5imYQDPZ2pnzxFzh7eB+t4rbolWoE+hG/58lAfpGCRVN1f Wtd/8e3LyNDJWNIpMY2knuX7Tqj7oTGYI8v4Ruar1+B/prp6tXas9zsVIZ24h0azRlHjWlAG1fCi CFWOwPGtuVukkUlyfcvbrQbupGDSVI1bL+KPBc2Q/jgo2xweUr/NwaJAyC0akq4RfC/wEHpAIZ16 N+/CNCqq3UpYe7i71DB2zp0AiFyBVj3XAKetUNSpGvI2ogH/nLWUxkm7DnkFvScOa3LRFWpLu0bQ jF2CAFhGOZaREMElo/TtyBaBPoDfpxbr+3OvAdrSv0om09qQj7JJq1iHSTSjD73uR3sp2KuHjmOI 7eX0un/2XkjGGAKl5w9hjupjHxQ91tJcapenheWUw751x4cQEw36jL690AWdMDOK6ZvXCaDEagje X/fxyC/1iG+xG6/41LTtaldeJdUT4UndjeFcIcJJcJ1E9/Yz63AyRE7PnaEa9jnAgm56hA9jMySj S1gI5TlQ8lubt5dFzYEuJvmFbQdlk7THXcoZhG8hlFgnCQ0p9LJGwuUVrIqRbVII0o+QUMugZq5E YjdyeU4JwwEC2q4FLU9WkZPJ03O/K5M8OAGCCpQI4N6Lkheteu+LG7gR+BWQ12hQTI2Pr6anVNML CWZVOL8lowRgGH4OeVt4XUVUTiwMrvOM0K0qsQmm6lqqRELMvsA2wevPDpTTJKPcJFtJ7sCh/B32 RilLVjcwfBTKYGzSsui1Tsed/+MZr9VwyIxsA78lJIca9pcJzbLCWYvWEkqDVZb9su9aWCuDPjud 02Uq7o2GwQDOz9b9ts3zKH0iQA0ZrJJU0lkzY5TdDRqnO2kkbid4OsOAsmDTc6usBvuJz3/KmhPe khaqYwKarBn0QGGmLoUJdf3W2tXk0w8gUlVjdZmfrsfU1djfAAIHDQ8UGCRKT2tsi42So6esscDF 8PP3/QQaSE9UVXyHqqy4vsnjDg8SMENSY2xvc3uLkqGwuMjW3t8AAAAAAAAADic1SQ== -----END CERTIFICATE-----

To Reproduce
Steps to reproduce the behavior:

$ openssl x509 -pubkey -noout -in 1.crt
Error getting public key
802D0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:crypto\x509\x_pubkey.c:464:

Expected behavior
The above command should export the public key to console.

Environment (please complete the following information):

C:\Users\v918770\Documents\pqc\openssldebug\openssl\apps>.\openssl version
OpenSSL 3.4.0-dev (Library: OpenSSL 3.4.0-dev )

C:\Users\v918770\Documents\pqc\openssldebug\openssl\apps>.\openssl list -providers
Providers:
  default
    name: OpenSSL Default Provider
    version: 3.4.0
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.6.1-dev
    status: active

baentsch commented 3 months ago

Thanks for this report. Unfortunately, oqsprovider does not modify any key representation but simply "shuffles around" (the openssl provider APIs) completely opaque binary blobs/what's provided by liboqs (APIs). And that in turn takes its code from the pqcrystals repository. So tagging @bhess as the contact person to that code base for comment as to whether it's permissible to retain an unused parameter as NULL or whether it indeed has to be left away. What might be helpful is a reference to the specifications (pertaining to Dilithium and its key representation format) that you have been using when implementing your CA code, @stauro79 such as to compare the relevant parts.

danvangeest commented 3 months ago

It could be due to this line in oqsprovider which requires the algorithm parameters to be absent:

@stauro79, if you are following draft-ietf-lamps-dilithium-certificates, the parameters are defined as ABSENT.
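The whole thread turns on two bytes: the reporter's CA emits AlgorithmIdentifier.parameters as NULL (05 00), while oqs-provider and draft-ietf-lamps-dilithium-certificates require the field to be absent. The following is an added example (not code from the issue or from oqs-provider) that makes the distinction concrete: a dependency-free DER walker that reports what sits after the OID in a SubjectPublicKeyInfo's AlgorithmIdentifier, and re-encodes the SPKI with a NULL parameters element removed. The OID bytes (1.3.6.1.4.1.2.267.7.4.4, shown as "dilithium2" by asn1parse) and the 1313-byte BIT STRING length are taken from the asn1parse output above; the public-key bytes are constructed filler, not a real Dilithium2 key.

```python
"""Detect and strip a NULL AlgorithmIdentifier.parameters in a DER SubjectPublicKeyInfo.

Added example, not oqs-provider code. Assumes only well-formed DER for:
    SubjectPublicKeyInfo ::= SEQUENCE { algorithm AlgorithmIdentifier, subjectPublicKey BIT STRING }
    AlgorithmIdentifier  ::= SEQUENCE { algorithm OBJECT IDENTIFIER, parameters ANY OPTIONAL }
"""

TAG_SEQUENCE, TAG_OID, TAG_NULL, TAG_BITSTRING = 0x30, 0x06, 0x05, 0x03

# Content octets of the OID seen in the issue's asn1parse output (oqs "dilithium2"):
# 1.3.6.1.4.1.2.267.7.4.4
DILITHIUM2_OID = bytes.fromhex("2b0601040102820b070404")


def _read_tlv(buf: bytes, pos: int):
    """Parse one DER TLV at buf[pos]; return (tag, content, end_position)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def _encode_tlv(tag: int, value: bytes) -> bytes:
    """Encode a TLV with the minimal length form DER requires."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def decode_oid(content: bytes) -> str:
    """Dotted-decimal form of an OBJECT IDENTIFIER's content octets."""
    arcs = [content[0] // 40, content[0] % 40]
    val = 0
    for b in content[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:  # high bit clear ends a base-128 arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def inspect_spki(spki: bytes) -> dict:
    """Return the algorithm OID and whatever follows it inside AlgorithmIdentifier."""
    tag, body, _ = _read_tlv(spki, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SPKI is not a SEQUENCE")
    tag, algid, _ = _read_tlv(body, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    tag, oid, off = _read_tlv(algid, 0)
    if tag != TAG_OID:
        raise ValueError("AlgorithmIdentifier.algorithm is not an OID")
    params = None if off == len(algid) else algid[off:]  # None means ABSENT
    return {"oid": decode_oid(oid), "params": params, "params_is_null": params == b"\x05\x00"}


def strip_null_params(spki: bytes) -> bytes:
    """Re-encode the SPKI with AlgorithmIdentifier.parameters dropped if it is exactly NULL.

    Absent or non-NULL parameters are left alone and the input is returned unchanged.
    """
    _, body, _ = _read_tlv(spki, 0)
    _, algid, key_off = _read_tlv(body, 0)
    _, oid, off = _read_tlv(algid, 0)
    if algid[off:] != b"\x05\x00":
        return spki
    new_algid = _encode_tlv(TAG_SEQUENCE, _encode_tlv(TAG_OID, oid))
    return _encode_tlv(TAG_SEQUENCE, new_algid + body[key_off:])  # BIT STRING copied verbatim


def build_spki(oid: bytes, pubkey: bytes, null_params: bool) -> bytes:
    """Constructed test input: SPKI around `pubkey`, with NULL or absent parameters."""
    algid_body = _encode_tlv(TAG_OID, oid) + (b"\x05\x00" if null_params else b"")
    bitstring = _encode_tlv(TAG_BITSTRING, b"\x00" + pubkey)  # leading 0x00 = no unused bits
    return _encode_tlv(TAG_SEQUENCE, _encode_tlv(TAG_SEQUENCE, algid_body) + bitstring)


if __name__ == "__main__":
    # 1312 filler bytes: the Dilithium2 public-key size, giving the 1313-byte BIT STRING
    # seen in the issue. Constructed data, not a real key.
    fake_key = bytes(range(256)) * 5 + bytes(range(32))
    from_ca = build_spki(DILITHIUM2_OID, fake_key, null_params=True)
    print(inspect_spki(from_ca))
    print(strip_null_params(from_ca) == build_spki(DILITHIUM2_OID, fake_key, null_params=False))
```

With the NULL present the outer SEQUENCE is 1334 bytes and the AlgorithmIdentifier 15 bytes, matching the asn1parse offsets in the report; stripping it shortens both by two. Note the caveat: this yields a public key that an implementation expecting absent parameters will load, but it does not repair the certificate. The certificate signature covers the TBSCertificate, so re-encoding the SPKI inside it invalidates the signature, and the signatureAlgorithm fields carry their own AlgorithmIdentifier. The encoding has to be fixed where the CA produces it.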

baentsch commented 3 months ago

It could be due to this line in oqsprovider which requires the algorithm parameters to be absent:

Thanks very much for the analysis, @danvangeest . This is code "grand-fathered" in to oqs-provider from the old openssl111 6 years ago from here.

@stauro79, if you are following draft-ietf-lamps-dilithium-certificates, the parameters are defined as ABSENT.

The first version of the spec above has been done 4 years after this code, but indeed AFAIK this code and any specs pertaining to it ever were in contradiction.

Hence, I'll close this issue in a few days unless @stauro79 provides another spec pointer documenting a different understanding.

baentsch commented 2 months ago

Closing as per above