DigiCert 的後量子加密 (PQC) 工具組含有建立混合式 TLS 憑證所需的一切。此混合式憑證使用與傳統加密演算法結合的後量子加密演算法。可讓您在測試部署後量子混合式 TLS 的可行性時,同時保有向後相容性。
關於此第一個反覆項目,後量子加密演算法與橢圓曲線加密演算法配對。
此設定指南讓您完全瞭解使用 DigiCert PQC 工具組可以:
s_server 和 s_client 公用桯式測試憑證。DigiCert PQC 工具組可下載用於所有的 Secure Site Pro 客戶。進一步瞭解使用每種 Secure Site Pro 憑證加入的內容。
DigiCert PQC 工具組包含這些檔案:
使用此指南前,確定符合這些先決條件:
下載修補檔案前,請準備您的環境。
首先,請安裝必需的依存性和工具。
sudo apt-get -y update
sudo apt-get -y upgrade
sudo apt-get -y install libssl-dev
sudo apt-get -y install curl unzip make cmake gcc wget zlib1g-dev libjansson-dev接著,建立您將下載和編輯資源檔案與工具組資源所在的目錄結構。
mkdir -p /app/digicert-pqc/connector
mkdir -p /app/digicert-pqc/certs/configs
mkdir /app/resources現在,下載 the DigiCert PQC 工具組和擷取其內容。
登入您的 CertCentral 帳戶。
在資訊看板功能表中,按一下憑證 > 訂單。
在「訂單」頁面上,尋找您的 Sucure Site Pro 憑證訂單,然後按其訂單編號。
在憑證的訂單詳細資料頁面上,按一下 PQC 工具組。
在「後量子加密 (PQC)」頁面上,按一下下載 ISARA PQC 工具組,然後將工具組儲存到 /app/resources 目錄中。
接著,從工具組中擷取內容。
cd /app/resources
unzip ./digicert-pqc-toolkit_2019-07-26.zipPQC 工具組包含 ISARA OpenSSL Connector 封存。將此擷取到 /app/digicert-pqc/connector。
cd /app/digicert-pqc/connector
tar xzvf /app/resources/digicert-pqc-toolkit_2019-07-26/openssl_connector-Linux-2019-05-27.tgz在您設定環境和擷取所有檔案後,修補和編譯 OpenSSL。
若要開始,請下載 1.0.2r 版 OpenSSL 到 /app/resources 目錄。
cd /app/resources
wget https://www.openssl.org/source/old/1.0.2/openssl-1.0.2r.tar.gz接著,請將來源檔案擷取到 /app/digicert-pqc 目錄。
cd /app/digicert-pqc
tar xzvf /app/resources/openssl-1.0.2r.tar.gz現在,套用 ISARA OpenSSL 補丁到擷取的來源檔案中。這會對 OpenSSL 做所有必需的修改,以產生和解譯對量子安全的加密演算法。
cd openssl-1.0.2r/
patch -p2 < ../connector/OpenSSL_1_0_2r_ISARA.patch在修補完成後,用工具組的經過改的版本取代現有的 openssl.cfg 檔案。經過修改的組態檔案包含一個動態引擎項目,指向 ISARA OpenSSL IQREngine (/app/digicert-pqc/connector/lib)。
cp /app/resources/digicert-pqc-toolkit_2019-07-26/openssl.cnf ./apps由於您正在建立共用的 OpenSSL 程式庫,您將需要在編譯來源檔案前設定非標準的路徑。
./config --prefix=/app/digicert-pqc/pqpki-openssl-1.0.2r --openssldir=/app/digicert-pqc/pqpki-openssl-1.0.2r shared接著,執行以下的每個命令,一次一個,以編譯經過修改的來源檔案。
make depend
make all
make test
sudo make install成功編譯經過修改的 OpenSSL 來源後,使用 LD_LIBRARY_PATH 變數指定兩個動態程式庫位置。這告訴您尋找您的經過修改的 OpenSSL 共用桯式庫,以及用於處理對量子安全的加密演算法的 ISARA PQC 引擎所在。
export LD_LIBRARY_PATH=/app/digicert-pqc/pqpki-openssl-1.0.2r:/app/digicert-pqc/connector/lib如果您的系統已經使用 LD_LIBRARY_PATH 變數,您可以附加 :$LD_LIBRARY_PATH 到上述命令中,非破壞性的新增新路徑。
現在,您擁有可以產生和解碼對量子安全的加密演算法的 OpenSSL 程式。您已準備好建立完整的混合式憑證鏈 (根、中繼和伺服器憑證),因此您可以測試其功能。
首先,複製納入到 PQC 工具組中的憑證組態檔案到 /app/digicert-pqc/certs 目錄中。這些組態檔案包含產生每個憑證要求和憑證所需的所有資料。
cd /app/digicert-pqc/certs
cp /app/resources/certificates/root_req.cfg ./configs
cp /app/resources/certificates/intermediate_req.cfg ./configs
cp /app/resources/certificates/server_req.cfg ./configs接著,為為憑證鏈中的每份憑證產生對量子安全的私密金鑰,確定使用經過修改的 OpenSSL 程式和 IQREngine。
Root (根) 憑證:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm xmss -pkeyopt tree_height:10 -pkeyopt strategy:cpu_constrained -pkeyopt state_filename:xmss_catalyst_mixed_chain_root_private_key_state.bin -out xmss_catalyst_mixed_chain_root_private_key.pemIntermediate (中繼) 憑證:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm dilithium -pkeyopt parameter_set:A -out dilithium_catalyst_mixed_chain_intermediate_private_key.pemServer (伺服器) 憑證:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl genpkey -engine IQREngine -algorithm rainbow -pkeyopt parameter_set:A -out rainbow_catalyst_mixed_chain_private_key.pem您一產生每份憑證的私密金鑰後,立刻擷取他們的公用金鑰。
Root (根) 憑證:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in xmss_catalyst_mixed_chain_root_private_key.pem -pubout -out xmss_catalyst_mixed_chain_root_public_key.pemIntermediate (中繼) 憑證:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in dilithium_catalyst_mixed_chain_intermediate_private_key.pem -pubout -out dilithium_catalyst_mixed_chain_intermediate_public_key.pemServer (伺服器) 憑證:
/app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl pkey -engine IQREngine -in rainbow_catalyst_mixed_chain_private_key.pem -pubout -out rainbow_catalyst_mixed_chain_public_key.pem若要確認一切是否正確建立,請執行 ls 命令。如果成功,應該看到像這樣的輸出:
configs
dilithium_catalyst_mixed_chain_intermediate_private_key.pem
dilithium_catalyst_mixed_chain_intermediate_public_key.pem
dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem
dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_req.pem
ecdsa_catalyst_mixed_chain_parameters.pem
ecdsa_without_dilithium_catalyst_mixed_chain_intermediate_private_key.pem
ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_certificate.pem
ecdsa_without_dilithium_x509_catalyst_mixed_chain_intermediate_req.pem
ecdsa_without_rainbow_catalyst_mixed_chain_private_key.pem
ecdsa_without_rainbow_x509_catalyst_mixed_chain_certificate.pem
ecdsa_without_rainbow_x509_catalyst_mixed_chain_req.pem
ecdsa_without_xmss_catalyst_mixed_chain_root_private_key.pem
ecdsa_without_xmss_x509_catalyst_mixed_chain_root_certificate.pem
ecdsa_without_xmss_x509_catalyst_mixed_chain_root_req.pem
rainbow_catalyst_mixed_chain_private_key.pem
rainbow_catalyst_mixed_chain_public_key.pem
rainbow_ecdsa_x509_catalyst_mixed_chain_server_certificate.pem
rainbow_ecdsa_x509_catalyst_mixed_chain_server_req.pem
xmss_catalyst_mixed_chain_root_private_key.pem
xmss_catalyst_mixed_chain_root_private_key_state.bin
xmss_catalyst_mixed_chain_root_public_key.pem
xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem若要測試您的對量子安全的混合式憑證鏈,請使用 OpenSSL 的 s_server 和 s_client 公用程式。若要同時使用這兩種公用程式,請開啟兩個終端工作階段,一個用於伺服器,一個用於用戶端。
首先,加入伺服器憑證的 CN 值到您的主機檔案中。
echo "$(hostname -I) digicert.pqc" | sudo tee -a /etc/hosts接著,確定您在 /app/digicert-pqc/certs 目錄中。
cd /app/digicert-pqc/certs然後,在您開啟的其中一個終端中,啟動伺服器。
env LD_LIBRARY_PATH=/app/digicert-pqc/pqpki-openssl-1.0.2r:/app/digicert-pqc/connector/lib /app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_server -engine IQREngine -cert dilithium_ecdsa_x509_catalyst_mixed_chain_intermediate_certificate.pem -certform PEM -key dilithium_catalyst_mixed_chain_intermediate_private_key.pem -keyform PEM -debug -tls1_2執行上述的命令後,您應該會看到此輸出:
engine "IQREngine" set.
Using default temp DH parameters
ACCEPT接著,切換到第二個終端視窗,確定您在 /app/digicert-pqc/certs 目錄中。
cd /app/digicert-pqc/certs然後使用 s_client 公用程式連線到執行中的伺服器。
env LD_LIBRARY_PATH=/app/digicert-pqc/pqpki-openssl-1.0.2r:/app/digicert-pqc/connector/lib /app/digicert-pqc/pqpki-openssl-1.0.2r/bin/openssl s_client -engine IQREngine -CAfile xmss_ecdsa_x509_catalyst_mixed_chain_root_certificate.pem -showcerts -tls1_2 -cipher 'ECDHE-NHDH-DILM-AES256-GCM-SHA384'如果一切設定正確,在執行 s_client 公用程式的終端視窗中,您應該會看到此輸出:
engine "IQREngine" set.
CONNECTED(00000003)
depth=1 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Root
verify return:1
depth=0 C = US, ST = Utah, L = Lehi, O = "DigiCert, Inc.", OU = DigiCert PQC, CN = DigiCert PQC Test Intermediate CA
verify return:1
---
Certificate chain
0 s:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
i:/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
-----BEGIN CERTIFICATE-----
[...]
-----END CERTIFICATE-----
---
Server certificate
subject=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Test Intermediate CA
issuer=/C=US/ST=Utah/L=Lehi/O=DigiCert, Inc./OU=DigiCert PQC/CN=DigiCert PQC Root
---
No client certificate CA names sent
Peer signing digest: SHA512
Server Temp Key: ECDH, P-256, 256 bits
---
SSL handshake has read 9868 bytes and written 2331 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-NHDH-DILM-AES256-GCM-SHA384
Server public key is 521 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
No ALPN negotiated
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-NHDH-DILM-AES256-GCM-SHA384
Session-ID: {{Session-ID}}
Session-ID-ctx:
Master-Key: {{Master-Key}}
Key-Arg : None
PSK identity: None
PSK identity hint: None
SRP username: None
TLS session ticket lifetime hint: 7200 (seconds)
TLS session ticket:
[...]
Start Time: 1563994600
Timeout : 7200 (sec)
Verify return code: 0 (ok)
---在執行 s_server 公用程式的終端視窗中,您應該會看到此輸出:
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 01 00 96 .....
read from 0x5581e0750b80 [0x5581e07656f8] (150 bytes => 150 (0x96))
0000 - 01 00 00 92 03 03 d9 c0-5a 73 35 d0 4e f2 31 f6 ........Zs5.N.1.
[...]
write to 0x5581e0750b80 [0x5581e076e100] (71 bytes => 71 (0x47))
0000 - 16 03 03 00 42 02 00 00-3e 03 03 c2 3b df 2f 01 ....B...>...;./.
[...]
write to 0x5581e0750b80 [0x5581e0769c43] (4953 bytes => 4953 (0x1359))
0000 - 16 03 03 13 54 0b 00 13-50 00 13 4d 00 13 4a 30 ....T...P..M..J0
[...]
write to 0x5581e0750b80 [0x5581e0769c43] (4609 bytes => 4609 (0x1201))
0000 - 16 03 03 11 fc 0c 00 11-f8 03 00 17 41 04 0d 97 ............A...
[...]
write to 0x5581e0750b80 [0x5581e076e100] (9 bytes => 9 (0x9))
0000 - 16 03 03 00 04 0e 00 00-00 .........
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 03 08 48 ....H
read from 0x5581e0750b80 [0x5581e07656f8] (2120 bytes => 2120 (0x848))
0000 - 10 00 08 44 41 04 29 0a-07 84 0c f3 a4 e4 3e d1 ...DA.).......>.
[...]
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 14 03 03 00 01 .....
read from 0x5581e0750b80 [0x5581e07656f8] (1 bytes => 1 (0x1))
0000 - 01 .
read from 0x5581e0750b80 [0x5581e07656f3] (5 bytes => 5 (0x5))
0000 - 16 03 03 00 28 ....(
read from 0x5581e0750b80 [0x5581e07656f8] (40 bytes => 40 (0x28))
0000 - e1 d7 30 8b 12 ef d1 dc-31 90 97 d0 0e 54 9c aa ..0.....1....T..
[...]
write to 0x5581e0750b80 [0x5581e076e100] (175 bytes => 175 (0xAF))
0000 - 16 03 03 00 aa 04 00 00-a6 00 00 1c 20 00 a0 02 ............ ...
[...]
write to 0x5581e0750b80 [0x5581e076e100] (6 bytes => 6 (0x6))
0000 - 14 03 03 00 01 01 ......
write to 0x5581e0750b80 [0x5581e076e100] (45 bytes => 45 (0x2D))
0000 - 16 03 03 00 28 d0 99 97-94 6d a1 5c f8 b0 c0 65 ....(....m.\...e
[...]
-----BEGIN SSL SESSION PARAMETERS-----
[...]
-----END SSL SESSION PARAMETERS-----
Shared ciphers:ECDHE-NHDH-DILM-AES256-GCM-SHA384:ECDHE-NHDH-SIDH-DILM-AES256-GCM-SHA384
Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:XMSS+SHA512:XMSSmt+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512:0xE0+SHA512
Shared Signature Algorithms: RSA+SHA512:DSA+SHA512:ECDSA+SHA512:RSA+SHA384:DSA+SHA384:ECDSA+SHA384:RSA+SHA256:DSA+SHA256:ECDSA+SHA256:RSA+SHA224:DSA+SHA224:ECDSA+SHA224:RSA+SHA1:DSA+SHA1:ECDSA+SHA1:HSS+SHA512:DILITHIUM+SHA512:DILITHIUM+SHA512
Supported Elliptic Curve Point Formats: uncompressed:ansiX962_compressed_prime:ansiX962_compressed_char2
Supported Elliptic Curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:0xFE01
Shared Elliptic curves: P-256:P-521:brainpoolP512r1:brainpoolP384r1:P-384:brainpoolP256r1:secp256k1:B-571:K-571:K-409:B-409:K-283:B-283:UNDEF
CIPHER is ECDHE-NHDH-DILM-AES256-GCM-SHA384
Secure Renegotiation IS supported恭喜!您已使用 DigiCert 的 PQC 工具組和 ISARA Catalyst OpenSSL Connector 引擎成功建立對量子安全的混合式憑證鏈。