Re: BIO_flush Segmentation Fault Issue

2022-10-03 Thread Tomas Mraz
Your analysis is correct. However the library is still correct in regards to refcounting even for an SSL BIO in the chain. The reason is that the decrement of refcount of the BIOs underlying the SSL BIO is handled through the actual freeing of the SSL BIO. If the refcount for the SSL BIO in the cha

Re: Q: creating CSR for encryption-only cert?

2022-10-03 Thread Mark Hack
Yes, I used the PQ openssl based on liboqs. Since you were not specific on what the use case was, and I was not certain why you wanted a Kyber Public/Private key pair when other algorithms are better suited to PQ authentication, I supplied the TLS example. Regards, Mark Hack On Mon, 2022-10-03 at 21:08

Re: Q: creating CSR for encryption-only cert?

2022-10-03 Thread Blumenthal, Uri - 0553 - MITLL
Thank you - and it’s great to see that 100% PQ Key Exchange is working with the existing code (I assume - based on liboqs?). But generating signature is not acceptable in my use case, which is why we settled on a KEMTLS-like approach. Or, conceptually, like MQV/HMQV. Authenticating the peer im

Re: Q: creating CSR for encryption-only cert?

2022-10-03 Thread Mark Hack
In this case you need to look at certificate / signature generation separately from the key exchange. In classical terms, I can have an RSA key with an RSA-SHA256 signature and use DHE elliptic curves to exchange a secret without knowing the elliptic curve public private key pair. For example to use

Re: creating CSR for encryption-only cert?

2022-10-03 Thread David von Oheimb
My pleasure! OpenSSL supports CRMF and CMP since version 3.0. EJBCA has supported these for a long time, and there are also other CAs that support CMP and thus CRMF, such as the Insta CA. Yet the support for encryption-based PoP by now likely is not strong - mostly because so far there was not much intere

Re: creating CSR for encryption-only cert?

2022-10-03 Thread Blumenthal, Uri - 0553 - MITLL
David, Thank you! That’s a great answer. It looks like OpenSSL does support CRMF? Would you or somebody else have an example of how to work with CRMF (to create it, and to process/sign it)? Do you happen to know if CRMF is accepted by the “big players” in the CA field? Thank you agai

Re: Q: creating CSR for encryption-only cert?

2022-10-03 Thread David von Oheimb
Requesting a cert in a CSR for a key pair that cannot be used for signing is indeed impossible in the widely used PKCS#10 format (except if one breaks the PKCS#10 requirement of a self-signature, e.g., by applying a dummy signature). A viable solution is to use a different CSR format, such as CR

Re: BIO_flush Segmentation Fault Issue

2022-10-03 Thread Jay Foster
Your response makes sense. I am a bit puzzled by the BIO reference counting. For example:
BIO_new() (or BIO_new_socket(), which calls BIO_new()) produces a BIO with a reference count of 1.
BIO_free() drops 1 reference and, if the reference count is 0, frees the BIO.
BIO_push() con

Q: creating CSR for encryption-only cert?

2022-10-03 Thread Blumenthal, Uri - 0553 - MITLL
TLDR; Need to create a CSR for a key pair whose algorithm does not allow signing (either because it’s something like Kyber, or because restriction enforced by HSM). How to do it? There are several use cases that require certifying long-term asymmetric keys that are only capable of encrypti

RE: CA/Server configuration

2022-10-03 Thread Michael Wojcik via openssl-users
> From: openssl-users On Behalf Of Dmitrii Odintcov
> Sent: Sunday, 2 October, 2022 21:15
>
> This is where the confusion begins: if ‘bar’, the certificate requestor, itself
> wants to be a CA (basicConstraints = CA:true),

I assume here you mean bar is going to be a subordinate CA for foo,