-
Notifications
You must be signed in to change notification settings - Fork 72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
get encoder library from smaller repo, avoid silently failing if enco… #131
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the fixes. But I fail to see a behavioural change in the code, so am I assuming right that it will fail in the same way if the OIDs between qsc-encoding lib and oqs-provider go out of sync again? Also, wouldn't it be more professional to have tests for this (both good and negative expected behaviour)? Finally, is such duplication of OIDs between oqs-provider and qsc-encoder really necessary (or at the very least cannot be overruled at the API level)? It creates an undue dependency that we've just fallen into -- and can fall into again if I read Quantum-Safe-Collaboration/qsc-key-encoder@d7970ea correctly.
It is understood this is a quick fix to help Goutam this weekend, but I'd like to bring this PR to a proper completion.
@xvzcf: Please take this branch as a hotfix if you can still need it in tomorrows testing session. I also published a docker image at openquantumsafe/oqs-ossl3:ietf116-hotfix[-dev] to make your life easier.
It will not silently fail anymore. Good point with the test, I can add a negative test (show that the tests fail if a unknown encoding is set via env var).
I'm not sure what's the best solution. How would you overrule at API level? Thanks for preparing the docker hotfix! |
Client (
Only when there are different encodings for the same algorithm name, right? Are there already different encoding for the same algorithm (name)? If it were coming to that, what about a SHA(256) over an (agreed upon) KAT to identify algs with the same name (but different versions/KATs)?
"There's no problem in computer science that cannot be solved by ... a lookup table" (or so :) You could leave that to the client -- just document the naming approach (and stick to it) in the encoder. |
Hm ok, just using names might indeed be the better option given how OIDs are in flux (and configurable via env vars). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for explanations and update. I presume testing (good/bad cases) and documentation for these changes (env vars) will be added in further commits to this PR (?)
Added a commit with both. |
Thanks. Then what am I doing wrong here (after the tests ran, using the resultant .crt files): As expected:
Not quite expected:
Trying with
yields the same result. What did I do? Changed the Falcon512 OID. --> Is there still some dependency on it? |
I could reproduce the error, however, I get an error even without changing the OID (Falcon1024 looks fine, Falcon512 shows the error). I will need to investigate why. There shouldn't be any OID dependency. (another issue described earlier here wasn't one) |
I didn't set all env variables correctly when testing this. Trying again, it seems to all work ok, including changing the OID. Testing Falcon with changed OIDs:
After
@baentsch looking at your test command a |
Nope. I changed |
Fixed a bug in 1089c76 that checked a wrong index, with the effect that the encoding was not always applied (if env vars for other/unrelated algorithms were not set).
Checked this case as well, seems to work now with the fix above. |
Thanks for these fixes. I hope you can forgive me now being a "bit nervous" about the robustness of all this -- my question thus: Does IETF-Hackathon/pqc-certificates#43 contain proper (proper in the sense of "in line with your RFC") certificates? Or should this data set be re-done after landing this PR to permit others to test "the right stuff"? Last question: Are you going to rebase the PR to remove the conflict? |
The certs produced with the "hotfix" docker image are equivalent with the ones now in this PR. Thanks for being extra cautious!
Done. |
Thanks for checking (and re-basing). |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for the various fixes, @bhess: All works as desired. And in one instance better than I thought possible: After changing an OID via env var during cert gen, it is even possible to read certs generated that way without explicitly setting the changed OID as env var also to the openssl x509 -text
command. Hmm. Would you know why this works? Some redundancy in the SPKI info?
open-quantum-safe#131) * get encoder library from smaller repo, avoid silently failing if encoder/algorithm not found * Call encoder algorithms by name, configurable via env vars. * add negative tests, add docs * UPDATE_DISCONNECTED * fix encoding lookup Signed-off-by: Felipe Ventura <felipe.ventura@entrust.com>
UPDATE_DISCONNECTED 1
to allow offline build (Re-enable offline build #139)Fixes #129
Fixes #130