-
Notifications
You must be signed in to change notification settings - Fork 32
Add generating Chimera certs #182
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
JacobBarthelmeh
merged 12 commits into
wolfSSL:main
from
Yu-Ma28051503:create-chimera-certs
Sep 2, 2025
Merged
Changes from 9 commits
Commits
Show all changes
12 commits
Select commit
Hold shift + click to select a range
fbd1e82
Add genkey ML-DSA key pair
Yu-Ma28051503 e89e2a4
Add generating ca chimera cert
Yu-Ma28051503 7bb281c
Add generating server chimera cert
Yu-Ma28051503 4952dc4
output Chimera cert PEM form
Yu-Ma28051503 1fedb9c
Add Chimera cert usage to README.md
Yu-Ma28051503 b4e5f0c
fix error and format
Yu-Ma28051503 a932517
fix unused arguments
Yu-Ma28051503 4ae2fd7
fixed value check and comments
Yu-Ma28051503 a0ada78
Merge branch 'main' into create-chimera-certs
Yu-Ma28051503 03afee6
add chimera cert test script
Yu-Ma28051503 43c8370
fix README command and output logs
Yu-Ma28051503 080b37b
fix test error
Yu-Ma28051503 File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -157,6 +157,45 @@ wolfssl verify -CAfile A.cert B.cert | |
| wolfssl verify -CAfile A.cert C.cert | ||
| ``` | ||
|
|
||
| ### Creating Chimera Certificates | ||
|
|
||
| Following is a scenario creating Chimera (dual algorithms) certificates for PQC(Post Quantum Cryptography). | ||
|
|
||
| The following demonstrates how to create a root CA and use it to sign other certificates. This example uses ECC and ML-DSA. In this scenario there are three entities A, B, and C, where A is meant to function as a root CA. | ||
|
|
||
| Before running the commands below, ensure you have the `ml-dsa` option enabled in wolfSSL. This can be done by configuring wolfSSL with `--enable-dilithium`, `--enable-dual-alg-certs` and `--enable-experimental`. | ||
|
|
||
| The following steps demonstrate how to generate keys and certificates for A, B, and C, where A is self-signed and B and C are signed by A | ||
|
|
||
| 1. Create private ECC and ML-DSA keys for A, B, and C | ||
| ``` | ||
| wolfssl genkey -ecc -out ecc-key-A -output priv -outform PEM | ||
Yu-Ma28051503 marked this conversation as resolved.
Outdated
Show resolved
Hide resolved
|
||
| wolfssl genkey -ecc -out ecc-key-B -output priv -outform PEM | ||
| wolfssl genkey -ecc -out ecc-key-C -output priv -outform PEM | ||
| wolfssl genkey -ml-dsa -out ml-dsa-key-A -output keypair -outform PEM | ||
| wolfssl genkey -ml-dsa -out ml-dsa-key-B -output keypair -outform PEM | ||
| wolfssl genkey -ml-dsa -out ml-dsa-key-C -output keypair -outform PEM | ||
| ``` | ||
|
|
||
| 2. Create a self-signed conventional certificate for A, root CA certificate. | ||
| ``` | ||
| wolfssl req -new -key ecc-key-A.priv -subj O=org-A/C=US/ST=WA/L=Seattle/CN=A/OU=org-unit-A -x509 -out A.cert -outform PEM | ||
| wolfssl ca -altextend -in A.cert -keyfile ecc-key-A.priv -altkey ml-dsa-key-A.priv -altpub ml-dsa-key-A.pub -out A-chimera.cert | ||
| ``` | ||
|
|
||
| 3. Create certificates for B and C. | ||
| ``` | ||
| # first create conventional certificate signing request (CSR) for B and C | ||
| wolfssl req -new -key ecc-key-B.priv -subj O=org-B/C=US/ST=WA/L=Seattle/CN=B/OU=org-unit-B -out B.csr -outform PEM | ||
| wolfssl req -new -key ecc-key-C.priv -subj O=org-C/C=US/ST=WA/L=Seattle/CN=C/OU=org-unit-C -out C.csr -outform PEM | ||
|
|
||
| # now have conventional signed certs, then add a pub key and Chimera signs the B and C to generate Chimera certificates | ||
| wolfssl ca -in B.csr -keyfile ecc-key-A.priv -cert A.cert -out B.cert | ||
| wolfssl ca -in C.csr -keyfile ecc-key-B.priv -cert B.cert -out C.cert | ||
| wolfssl ca -altextend -in B.cert -keyfile ecc-key-A.priv -altkey ml-dsa-key-A.priv -altpub ml-dsa-key-B.pub -subjkey ecc-key-B.priv -cert A-chimera.cert -out B-chimera.cert | ||
| wolfssl ca -altextend -in C.cert -keyfile ecc-key-B.priv -altkey ml-dsa-key-B.priv -altpub ml-dsa-key-C.pub -subjkey ecc-key-C.priv -cert B-chimera.cert -out C-chimera.cert | ||
| ``` | ||
|
|
||
| ## Contacts | ||
|
|
||
| Please contact [email protected] with any questions or comments. | ||
|
|
||
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.