On Sun, Dec 29, 2024 at 04:29:32AM +0000, Blumenthal, Uri - 0553 - MITLL wrote:

> $ openssl pkeyutl -encap -pubin -inkey pubkey-kem.pem -secret ss1.dat -out ctext.dat
> $ openssl pkeyutl -decap -inkey prkey-kem.pem -out ss2.dat < ctext.dat

The encap/decap interface isn't quite right. I'm changing it in:

    https://github.com/openssl/openssl/pull/26281

The "-decap" option will also write the shared secret to the file
specified with "-secret", rather than "-out", and the "-secret" file
permissions will be owner-only for both encap and decap. The '-pubin'
option for '-encap' will become implicit.

For backwards compatibility, the "-decap" option will default to using
the "-out" file (which then may not have the right permissions). I am
not inclined to encourage the use of the fallback interface by
documenting its use.

> Question: could you help me, using the two key-pairs above, create
> (a) a self-signed certificate for the ML-DSA-87 pubkey with ML-DSA-87
> as signature algorithm, and SHA384 as hash, and

Presumably, (a) just works in the usual way:

    openssl req -x509 -new \
        -key somekey.pem \
        -out somecert.pem \
        -subj "/CN=somehost" -days 60 \
        -extfile <(printf '...extensions...\n')

> (b) a certificate for the above ML-KEM-1024 public key signed by the
> above ML-DSA-87 key? (Getting CSR and all the arguments seems to be a
> problem for me.)

It isn't possible to create a CSR for ML-KEM, because CSRs need to be
signed by the subject key, but ML-KEM keys can't sign.

While you can create a certificate with an ML-KEM public key in it, you
probably don't want to, since the key can't do any of the things that
one expects a public key in a certificate to do.

    $ openssl x509 -new -key /tmp/ed.pem -force_pubkey /tmp/ml-512-pub.pem \
        -out /tmp/ml-cert.pem -subj / -days 30 -extfile <(
            printf "keyUsage = keyEncipherment\n"
            printf "subjectKeyIdentifier = none\n"
        )
    Warning: Signature key and public key of cert do not match

    $ openssl x509 -in /tmp/ml-cert.pem -noout -text \
        -certopt no_sigdump,no_serial,no_validity,no_issuer,no_subject |
        sed -ne '1,/pub:/p;/extensions/,$p'
    Certificate:
        Data:
            Version: 3 (0x2)
            Signature Algorithm: ED25519
            Subject Public Key Info:
                Public Key Algorithm: ML-KEM-512
                ML-KEM-512 Public-Key:
                pub:
            X509v3 extensions:
                X509v3 Key Usage:
                    Key Encipherment
                X509v3 Authority Key Identifier:
                    F3:96:DE:29:A6:9B:71:A3:5F:B6:84:DF:6B:26:28:B5:FB:57:B2:75

Perhaps you're looking to implement KEMTLS "delegated credentials"? For
these the ML-DSA key signs a TLS "delegated credential" blob, which is
then only useful with KEMTLS, since again, the subject key can't do
signing.

What exactly is your use-case for an ML-KEM SPKI in an X.509
certificate?

-- 
    Viktor.

To view this discussion visit https://groups.google.com/a/openssl.org/d/msgid/openssl-users/Z3F5vYCqqvvcA610%40chardros.imrryr.org.
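An added example (not code from the thread or from the OpenSSL project) that exercises the corrected encap/decap interface described in the reply and adds the checks a user would want afterwards: that both sides derive the same shared secret, that the "-secret" file really is owner-only, and that the ML-KEM private key is refused for signing (which is why no CSR can be made for it). It assumes an openssl binary on PATH with ML-KEM support and the "-secret" on "-decap" behaviour from the PR above (assumption: OpenSSL 3.5 and later ship it); the key file names, temporary directory and function names are mine.

```shell
#!/bin/sh
# Added example, not from the thread: ML-KEM-768 encap/decap round trip with
# the post-PR-26281 pkeyutl interface, plus the checks a user should run.
# Assumes `openssl` on PATH with ML-KEM support (assumed: OpenSSL 3.5+).
# All key material is generated fresh in a scratch directory.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 0 if the installed openssl advertises the ML-KEM-768 KEM, 1 otherwise.
have_mlkem() {
    openssl list -kem-algorithms 2>/dev/null | grep -q 'ML-KEM-768'
}

# Generate an ML-KEM-768 private key and extract its public key.
make_kem_keys() {
    openssl genpkey -algorithm ML-KEM-768 -out "$WORK/kem-priv.pem" 2>/dev/null &&
    openssl pkey -in "$WORK/kem-priv.pem" -pubout -out "$WORK/kem-pub.pem"
}

# Encapsulate against the public key (-pubin is implicit), decapsulate with
# the private key, and return 0 only if both shared secrets are identical.
# Both sides write the secret via -secret; -out on encap is the ciphertext.
kem_roundtrip() {
    openssl pkeyutl -encap -inkey "$WORK/kem-pub.pem" \
        -secret "$WORK/ss1.dat" -out "$WORK/ctext.dat" &&
    openssl pkeyutl -decap -inkey "$WORK/kem-priv.pem" \
        -in "$WORK/ctext.dat" -secret "$WORK/ss2.dat" &&
    cmp -s "$WORK/ss1.dat" "$WORK/ss2.dat"
}

# Size in bytes of a file (ML-KEM shared secrets are 32 bytes).
file_size() {
    wc -c < "$1" | tr -d ' '
}

# Return 0 if the file is readable/writable by its owner only (mode 0600),
# which is what the -secret output should look like.
is_owner_only() {
    [ "$(ls -l "$1" | cut -c1-10)" = "-rw-------" ]
}

# Return 0 if signing with the KEM private key is refused: an ML-KEM key has
# no signature operation, so it cannot self-sign a CSR.
kem_key_cannot_sign() {
    printf 'hello' > "$WORK/msg.dat"
    ! openssl pkeyutl -sign -inkey "$WORK/kem-priv.pem" \
        -in "$WORK/msg.dat" -out "$WORK/sig.dat" 2>/dev/null
}

# Stand-alone usage: run every check and report.
if have_mlkem; then
    make_kem_keys && kem_roundtrip &&
        echo "round trip OK: both sides derived the same $(file_size "$WORK/ss1.dat")-byte secret"
    if is_owner_only "$WORK/ss2.dat"; then
        echo "decap -secret file is owner-only (0600)"
    else
        echo "WARNING: shared-secret file is not mode 0600; check your openssl version"
    fi
    kem_key_cannot_sign && echo "signing with the ML-KEM key is refused, as expected"
else
    echo "this openssl does not list ML-KEM-768; nothing to run"
fi
```

If your build still only accepts the old "-out" form on decap, the round trip fails at the decap step; that is the fallback interface the reply mentions, and the permission check is the reason to move off it.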