openquantumsafe/oqs-ossl3

Sponsored OSS

By Open Quantum Safe

Updated 6 days ago

OpenSSL provider adding quantum-safe cryptography to OpenSSL (3).

Categories: Operating Systems, Security. Pulls: 50K+

OpenSSL3 OQS provider

This image provides a ready-to-run build of the current master branch of OpenSSL (3) together with a provider implementing plain and hybrid OQS key exchange mechanisms according to draft-ietf-tls-hybrid-design-00, as well as plain and hybrid OQS signature algorithms for X.509 certificate generation, CMS and DGST operations using the OpenSSL command line tools.

Overview

This docker image contains a version of OpenSSL3 built and extended with a provider enabling quantum-safe crypto (QSC) operations.

To this end, it contains liboqs as well as OpenSSL 3/master and oqs-provider from the OpenQuantumSafe project.

As different images providing the same base functionality may be available, e.g., for debug or performance-optimized operations, the image name oqs-ossl3 is consistently used in the description below. Be sure to adapt it to the image you want to use.

Quick start

  1. Use docker run -it openquantumsafe/oqs-ossl3 to start an OQS-enabled TLS test server.
  2. On the command prompt in the docker container resulting from the first command, one can query that server by issuing the command openssl s_client -connect localhost -groups kyber512.

The latter command returns all TLS information documenting use of OQS-enabled TLS. The parameter to the -groups argument is any key exchange algorithm supported by OQS-OpenSSL.

Retrieving data from other QSC-enabled TLS servers

Beyond interacting with the built-in test server (utilizing openssl s_server), the image can also be used to retrieve data from any OQS-enabled TLS (1.3) server with the command docker run -it oqs-ossl3 openssl s_client -connect <OQS-server address:port> -groups <suitable KEM>.
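The two procedures above (probing the in-image test server, and probing any other OQS-enabled server) as one script. This is an added example, not code shipped with the oqs-ossl3 image or written by the OQS project. It assumes the test server listens on s_server's default port 4433 (which is why the page's -connect localhost needs no port), that the hybrid group name p256_kyber512 follows oqs-provider's <classical>_<pqc> naming, and that s_client reports the chosen group on a "Negotiated TLS1.3 group:" or "Server Temp Key:" line; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example; not part of the oqs-ossl3 image or the OQS project.
# Starts the image's test server, probes it with s_client for a plain and a
# hybrid group, and reports which group each handshake actually negotiated.
IMAGE="${OQS_IMAGE:-openquantumsafe/oqs-ossl3}"   # adapt to the image variant you use
CONTAINER="oqs-test-server"

# Pull the negotiated group out of s_client output read from stdin.
# Assumed OpenSSL 3 line shapes: "Negotiated TLS1.3 group: <name>" on newer
# builds, "Server Temp Key: <name>, N bits" otherwise. Fails if neither appears.
negotiated_group() {
    awk '
        /^Negotiated TLS1\.3 group: / { neg = $4 }
        /^Server Temp Key: /          { tmp = $4; sub(/,$/, "", tmp) }
        END {
            if (neg != "")      print neg
            else if (tmp != "") print tmp
            else                exit 1
        }'
}

# oqs-provider names hybrids <classical>_<pqc>, e.g. p256_kyber512 (assumed
# naming convention); plain OQS groups such as kyber512 have no underscore.
is_hybrid_group() {
    case "$1" in
        *_*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Handshake against the in-image test server (s_server default port 4433).
probe_local() {      # $1 = TLS group
    docker exec "$CONTAINER" sh -c \
        "echo | openssl s_client -connect localhost -groups '$1' 2>/dev/null" \
        | negotiated_group
}

# Same handshake against any other OQS-enabled TLS 1.3 server.
probe_remote() {     # $1 = host:port, $2 = TLS group
    echo | docker run --rm -i "$IMAGE" \
        openssl s_client -connect "$1" -groups "$2" 2>/dev/null \
        | negotiated_group
}

main() {
    docker run -d --rm --name "$CONTAINER" "$IMAGE" >/dev/null
    trap 'docker rm -f "$CONTAINER" >/dev/null 2>&1' EXIT
    sleep 2                                   # let s_server come up
    for g in kyber512 p256_kyber512; do       # plain, then hybrid (assumed names)
        if got="$(probe_local "$g")"; then
            if is_hybrid_group "$got"; then kind=hybrid; else kind=plain; fi
            echo "$g: negotiated $got ($kind)"
        else
            echo "$g: handshake failed or group not reported"
        fi
    done
}

# Only touch docker when explicitly asked, so the helpers can be sourced alone.
if [ "${RUN_OQS_DEMO:-0}" = "1" ]; then main "$@"; fi
```

Run it with RUN_OQS_DEMO=1 sh probe.sh; for an external server call probe_remote host:port kyber512 instead of main. Checking the reported group rather than just the handshake result matters because a server that does not support the requested KEM may still complete the handshake with a classical group it does support.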

Querying algorithms

The usual OpenSSL commands can be used to query for algorithms supported, e.g., openssl list -signature-algorithms.

Generating certificates

The usual OpenSSL commands can be used to generate certificates, e.g., openssl req -x509 -new -newkey dilithium2 -keyout CA.key -out CA.crt -nodes -subj "/CN=test CA"

Interacting with certificates, CMS, dgst

The usual OpenSSL commands (x509, cms, dgst) can be used to inspect certificates and to generate and verify CMS and dgst signatures. See the current oqsprovider documentation for more worked examples.
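The querying, certificate, CMS and dgst sections above run end to end as one script. This is an added example, not code from the oqs-ossl3 image or the OQS project. It assumes the image accepts an openssl command override with a bind-mounted working directory, that oqsprovider is loaded by the image's default configuration (so openssl list shows its algorithms), and that openssl list -signature-algorithms prints entries as "{ oid, name } @ provider"; the sample list output is constructed with a dummy OID.

```shell
#!/bin/sh
# Added example; not part of the oqs-ossl3 image or the OQS project.
# Lists the signature algorithms oqsprovider offers, then runs the page's
# certificate, CMS and dgst operations end to end inside the container.
IMAGE="${OQS_IMAGE:-openquantumsafe/oqs-ossl3}"   # adapt to the image variant you use
SIG_ALG="${OQS_SIG_ALG:-dilithium2}"               # signature algorithm used on this page

# Filter `openssl list -signature-algorithms` output (stdin) down to the names
# provided by oqsprovider. Assumed OpenSSL 3 line shapes:
#   "  { oid, name, alias } @ provider"   or   "  name @ provider"
# The last comma-separated entry is taken as the usable algorithm name.
oqs_signature_algs() {
    awk -F' @ ' '$2 == "oqsprovider" {
        n = $1
        gsub(/[{} \t]/, "", n)      # drop braces and whitespace
        k = split(n, parts, ",")    # "oid,name1,name2" -> parts[k] = last alias
        print parts[k]
    }'
}

# One openssl invocation in a throwaway container; the host working directory
# is mounted at /work so keys, certs and signatures persist between calls.
oqs_openssl() {
    docker run --rm -i -v "$PWD:/work" -w /work "$IMAGE" openssl "$@"
}

# Subshell body: the cd and generated files stay local to the function.
pqc_sign_demo() (
    cd "$(mktemp -d)"
    printf 'constructed payload for signing\n' > payload.txt

    echo "oqsprovider signature algorithms:"
    oqs_openssl list -signature-algorithms | oqs_signature_algs

    # CA (the page's command) and a leaf certificate issued by it
    oqs_openssl req -x509 -new -newkey "$SIG_ALG" -keyout CA.key -out CA.crt -nodes -subj "/CN=test CA"
    oqs_openssl req -new -newkey "$SIG_ALG" -keyout srv.key -out srv.csr -nodes -subj "/CN=test server"
    oqs_openssl x509 -req -in srv.csr -CA CA.crt -CAkey CA.key -CAcreateserial -out srv.crt
    oqs_openssl x509 -in srv.crt -noout -text | grep 'Signature Algorithm' | head -1
    oqs_openssl verify -CAfile CA.crt srv.crt

    # CMS: sign with the leaf key, verify the signature against the CA
    oqs_openssl cms -sign -in payload.txt -signer srv.crt -inkey srv.key -out payload.cms
    oqs_openssl cms -verify -in payload.cms -CAfile CA.crt -out /dev/null

    # dgst: detached signature with the leaf key, verified with its public key
    oqs_openssl pkey -in srv.key -pubout -out srv.pub
    oqs_openssl dgst -sign srv.key -out payload.sig payload.txt
    oqs_openssl dgst -verify srv.pub -signature payload.sig payload.txt
)

# Only touch docker when explicitly asked, so the helpers can be sourced alone.
if [ "${RUN_OQS_DEMO:-0}" = "1" ]; then pqc_sign_demo; fi
```

Run it with RUN_OQS_DEMO=1 sh sign.sh. The verify steps are the point of the script: a chain, CMS blob or detached signature that verifies against the CA with SIG_ALG set to a quantum-safe algorithm is the evidence that the provider, not the default RSA/EC code, did the signing, and the Signature Algorithm line printed from the leaf certificate confirms the same thing.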

Limitations

This image is limited in functionality as per the open issues documented for oqs-provider. It is also not fit for production use.

Docker Pull Command

docker pull openquantumsafe/oqs-ossl3