ISARA Catalyst™ Connector 2.1 for OpenSSL Alt Catalyst Certificate Tutorial

The ISARA Catalyst™ Connector for OpenSSL lets you use the authentication algorithms provided in the ISARA Radiate™ Security Solution Suite to create:

For more information about ISARA quantum-safe solutions, visit https://www.isara.com.

This tutorial assumes that you are already familiar with X.509 certificates, certificate signing requests, and OpenSSL, and have extensive experience with them.

One of the design goals of the ISARA Catalyst certificate scheme is to make sure that integration into pre-existing systems is simple. This can be seen in the newly added utilities and APIs.

ISARA created minimalist utilities that transform already existing certificate signing requests, X.509 certificates, certificate revocation lists and PKCS12 files into their Catalyst variants. This means that if you already have scripts and infrastructure in place, you should not need to change any of your pre-existing commands, only add new ones. This also means that if you have created applications or libraries that use OpenSSL, you can begin integration by only inserting code and not changing your pre-existing code. This is potentially inefficient, but eases your prototyping. As efficiency becomes a priority, you can begin removing redundancies.

The architecture for ISARA Catalyst cryptographic artifacts is limited to creating and inserting attributes and extensions into the cryptographic artifacts mentioned above. Since OpenSSL already provides APIs for doing these operations to attributes and extensions, the only new additions to the OpenSSL API that are related to Catalyst certificates are for ASN.1 encoding and decoding of these new attributes and extensions. Details of how to use these new additions can be found in the Programmer’s Guide To Catalyst Certificates section below.

An important feature of Catalyst cryptographic artifacts is that they are backwards compatible with systems that are not aware of the Catalyst extensions. In situations where the system does not understand Catalyst extensions, those extensions will be ignored and the artifacts will be processed in the usual manor.

This Catalyst Certificate Tutorial covers the following topics:

The ISARA Catalyst Connector adds the following quantum-safe authentication schemes to OpenSSL:

Many of the algorithms' details are abstracted via the EVP PKEY API. For more information, see ISARA Catalyst Connector 2.1 for OpenSSL Developer’s Guide.

This document has several diagrams. The following is a legend of the various artifacts in the diagrams.

A detailed discussion of X.509 certificates and PKCS10 certificate signing requests is outside the scope of this document. More details about X.509 certifcates can be found in RFC-5280. More details about PKCS10 certificate signing requests can be found in RFC-2986.

Generally speaking, each X.509 certificate must contain a subject identifier, a public key, a signature algorithm identifier, and a signature. The main purpose of the certificate is to bind the subject that is identified by the subject identifier to the public key that is in the certificate. This binding is certified by having a "trusted" third party sign the certificate with their private key and add that signature into the certificate. The third party then publishes their public key to let anyone verify the signature in the certificate. How does the third party gain their status as "trusted"? The simplest way is to publish their public key in a certificate that was signed by another "actually trusted" third party. How a third party gains the status of "actually trusted" is beyond the scope of this document.

The "actually trusted" third parties distribute their certificates as self-signed certificates. That is, the private key that signs the certificate is the one that corresponds to the public key in the certificate. These are known as root certificates.

Thus you could have a chain of certificates where each certificate is signed by another subject, called the issuer, and verifiable by the public key in the issuer’s certificate. If the top of this chain is a root certificate whose subject is "actually trusted" then you would say that all certificates in that chain are trusted subject to other conditions of validity.

An issuer must bind the subject identified by the subject identifier to the public key. This is done by having the subject create a certificate signing request. Generally speaking, to prove possession of the private key, each certificate signing request must contain a subject identifier, a public key, a signature algorithm identifier and signature where the signature was created by the public key’s corresponding private key. The subject sends the issuer the certificate signing request and the issuer verifies the signature. The issuer can then create a certificate containing the subject identifier and public key from the certificate signing request and sign that certificate with their private key and attach that signature to the newly created certificate.

As the name suggests, a certificate revocation list is a list of revoked certificates. This list is signed by the issuer of the revoked certificates.

Each X.509 certificate contains a public key, a signature algorithm identifier, and a signature. As specified in RFC-5280, X.509 certificates may contain extensions. Catalyst certificates are simply X.509 certificates that contain newly defined extensions with a subject alternative public key, an alternative signature algorithm identifier, and an alternative signature. These all mirror the original formats and purposes from normal X.509 certificates.

Each certificate signing request contains a public key, a signature algorithm identifier, and a signature. As specified in RFC-2986, certificate signing requests may contain attributes. Catalyst certificate signing requests are simply certificate signing requests with newly defined attributes that contain a subject alternative public key, an alternative signature algorithm identifier, and an alternative signature. These all mirror the original formats and purposes from normal certificate signing requests.

Each certificate revocation list contains a signature algorithm identifier and a signature. As specified in RFC-5280, certificate revocation lists may contain extensions. Catalyst certificate revocation lists are simply certificate revocation lists that contain an alternative signature algorithm identifier and an alternative signature. These all mirror the original formats and purposes from normal certificate revocation lists.

Each signed Cryptographical Messaging Syntax (CMS) message contains at least one X.509 certificate and at least one SignerInfo structure as specified in RFC-5280. SignerInfo structures may contain unsigned attributes. Catalyst CMS messages are simply messages with a Catalyst certificate and a SignerInfo structure that contains an attribute that contains an alternative signature algorithm identifier and an attribute that contains an alternative signature. The signature resulted from signing the CMS message.

A PKCS8 private key file contains the ASN.1 encoding of a private key as specified in RFC-5208. When PEM encoded, the beginning of the private key is marked with one of the following markers:

The end of the private key is marked with one of the following markers:

A dual private key file has an alternative PKCS8 private key directly after the end marker above. The beginning of the alternative private key is marked with one of the following markers:

The end of the alternative private key is marked with one of the following markers:

The first private key is associated with the subject public key. The alternative private key is associated with the subject alternative public key.

Some of the new AltExtend applications also automatically merge the conventional and alternative private key files for your convenience. ISARA Catalyst Connector 2.1 also provides two new utilities:

A PKCS12 file contains various cryptographic artifacts. The original pkcs12 application that comes with OpenSSL only supports creating such files with a single X.509 certificate and private key. Dual private key PKCS12 files include the alternative private key as well.

ISARA Catalyst Connector 2.1 provides a utility called reqAltExtend that transforms a certificate signing request into its Catalyst variant and produces a dual private key file.

ISARA Catalyst Connector 2.1 provides two different utilities to transform an X.509 certificate into a Catalyst certificate. The first utility is called x509AltDirectExtend. This utility is meant for transforming self-signed root certificates or quickly transforming experimental certificates directly into its Catalyst variant; no certificate signing request is required. The second utility is called x509AltExtend and uses a Catalyst certificate signing request to transform an X.509 certificate into its Catalyst variant.

ISARA Catalyst Connector 2.1 provides a utility called x509AltVerify that performs verification of the alternative signatures in the certificates given a Catalyst certificate chain.

ISARA Catalyst Connector 2.1 provides a utility called crlAltExtend that transforms a CRL into its Catalyst variant. It does this by creating alternative signature algorithm and alternative signature value extensions and inserting them into the CRL.

ISARA Catalyst Connector 2.1 provides a utility called crlAltVerify that performs verification of the alternative signature in a CRL’s extensions.

ISARA Catalyst Connector 2.1 provides a utility called cmsAltExtend that transforms a CMS message into its Catalyst variant. It does this by creating alternative signature algorithm and alternative signature value attributes and inserting them into the SignerInfo’s unsigned attributes.

ISARA Catalyst Connector 2.1 provides a utility called cmsAltVerify that performs verification of the alternative signature in a CMS message’s SignerInfo’s unsigned attributes.

ISARA Catalyst Connector 2.1 provides a utility called pkcs12AltExtend that adds a new alternative private key into a pre-existing PKCS12 file that already contains a Catalyst certificate and conventional private key.

For the utilities that accept quantum-safe private keys as input to create alternative signatures, ISARA Catalyst Connector 2.1 always accepts the optional -privalt_engine parameter. This specifies that the private key should be loaded by the engine and is only appropriate for stateful hash based signature schemes. This is required to let you append the state file name to the private key flle name. If the private key is not for a stateful hash-based signature scheme, (i.e., Dilithium) the utility will return an error.

For the utilities that accept private keys as input to create signatures, use the optional -passin arg and -passinalt arg parameters. These specify the key password source. For more information about the format of arg, see the PASS PHRASE ARGUMENTS section at openssl.

This utility transforms a previously generated certificate signing request into a Catalyst certificate signing request by:

The first two attributes are inserted into the certificate signing request. The alternative signature attribute is then generated by signing the certificate signing request and adding it in. The certificate signing request is then re-signed with the conventional private key. Finally, the alternative private key file is replaced with the dual private key.

This utility transforms a previously generated X.509 certificate into a Catalyst certificate by:

The first two extensions are inserted into the certificate. Then the alternative signature is generated and transformed into an alternative signature extension and added to the certificate. The X.509 certificate is signed with the conventional private key. Finally, the alternative private key file is replaced with the dual private key.

If you are using this utility because you want to transform a self-signed root certificate, you may not want to bother producing a separate public key file. In that case, you can use the -self_sign flag to specify that the public key should be found in the file specified by -privalt. If you use the -self_sign flag you must not use the -pubalt flag; doing so will generate an error.

If you are using this utility because you want to quickly create an experimental X.509 certificate skipping the step of creating a certificate signing request, then you must use the -pubalt flag and not use the -self_sign flag; doing so will generate an error.

This utility combines a previously generated X.509 certificate and Catalyst certificate signing request into a Catalyst certificate by:

The first two extensions are inserted into the certificate. Then the alternative signature is generated with the alternative private key, transformed into an alternative signature extension and added to the certificate. The certificate is then re-signed with the conventional private key.

This utility primarily shows how to perform alternative signature verification of Catalyst certificate chains. It is important to note that this utility does not do verification of the conventional signatures in the Catalyst certificates in the chain and only checks the validity of the alternative signatures in the chain. However, the vanilla openssl verify utility can still function correctly with Catalyst certificates as the new extensions are optional and will be ignored by openssl verify. In short, this utility was meant to complement openssl verify, not replace it.

This utility transforms a previously generated certificate revocation list into a Catalyst certificate revocation list by:

This utility primarily shows how to perform alternative signature verification of a Catalyst certificate revocation list. It is important to note that this utility does not do verification of the conventional signature and only checks the validity of the signature in the alternative signature value extension. However, the vanilla openssl crl utility can still verify correctly as the new attributes will be ignored by openssl crl. In short, this utility was meant to complement the openssl crl utility’s verification functionality, not replace it.

This utility transforms a previously signed CMS Message into a Catalyst CMS message by:

Note that this requires that the certificate that was already embedded in the CMS message be a Catalyst certificate and the alternative public key be the one that corresponds to the alternative private key. Nothing in the API requires that encrypted private keys in the dual private key file share the same password. However, this utility expects that the conventional and alternative private keys in the dual private key file were encrypted under the same password.

This utility primarily shows how to perform alternative signature verification of a CMS message. It is important to note that this utility does not do verification of the conventional signature in the CMS message’s SignerInfo and only checks the validity of the signature in the alternative signature attribute in the SignerInfo’s unsigned attributes. However, the vanilla openssl cms utility can still verify correctly as the new attributes will be ignored by openssl cms. In short, this utility was meant to complement the openssl cms utility’s verification functionality, not replace it.

This utility takes a PKCS12 file that contains a Catalyst Certificate and a conventional private key and then adds an alternative private key that corresponds to the Alternative Public Key in the certificate.

Note that this requires that the certificate and conventional private key are already embedded in the PKCS12 file and the alternative public key be the one that corresponds to the alternative private key.

The following is a list of operations you might want to do in your applications related to transforming cryptographic artifacts into their Catalyst variants.

Each section begins with a description of what can be accomplished and where you can find the full source code to get more details.

The ISARA Catalyst Connector Binaries are licensed for use:

Copyright © 2017-2021, ISARA Corporation, All Rights Reserved.

The code and other content set out herein is not in the public domain, is considered a trade secret and is confidential to ISARA Corporation. Use, reproduction or distribution, in whole or in part, of such code or other content is strictly prohibited except by express written permission of ISARA Corporation. Please contact ISARA Corporation at info@isara.com for more information.