This repository contains notes on multiple ways of how to install post-quantum version of OpenSSL.
My main goal was to use openssl_XXX
functions in the PHP, but as it turns out DSA, DH, RSA, and EC algorithms are hardcoded in the OpenSSL PHP extension. Therefore, only few functions are usable (those, that do not require algorithm identifier, like openssl_verify
and openssl_sign
, but not openssl_pkey_new
).
- follow instructions at open-quantum-safe/openssl
- Step 2:
./Configure no-shared linux-aarch64 --lm
for Apple Silicon - Step X:
make install
in the end
- Step 2:
- then we can build PHP again with modified openssl
- Before PHP configure:
apt install apache2-dev libxml2-dev sqlite3 libsqlite3-dev zlib1g-dev libcurl4-openssl-dev libonig-dev libreadline-dev libsodium-dev libargon2-dev
- remove keccak mentions from PHP configure file (it creates duplicate errors during the build, it is already defined in OpenSSL fork)
- remove sha3 mentions from ext/hash/hash.c:
- PHP configure (basically same arguments you would get by running
php-config --configure-options
, except change thewith-openssl
:./configure --build=aarch64-linux-gnu --with-config-file-path=/usr/local/etc/php --with-config-file-scan-dir=/usr/local/etc/php/conf.d --enable-option-checking=fatal --with-mhash --with-pic --enable-ftp --enable-mbstring --enable-mysqlnd --with-password-argon2 --with-sodium=shared --with-pdo-sqlite=/usr --with-sqlite3=/usr --with-curl --with-iconv --with-openssl=/usr/local/ssl --with-readline --with-zlib --disable-phpdbg --with-pear --with-libdir=lib/aarch64-linux-gnu --disable-cgi --with-apxs2 build_alias=aarch64-linux-gnu
- add
-lpthread
to make file here: make
the PHPmake install
the PHP
- Before PHP configure:
- this works:
shell_exec("/usr/local/bin/openssl dgst -sha256 -verify /tmp/dil5_CA_public.pem -signature /tmp/dilhash.sig /tmp/example.txt");
- most probably would work with OpenSSL3 as well
$result = exec(
"/usr/local/bin/openssl dgst -sha256 -verify /tmp/dil5_CA_public.pem -signature /tmp/dilhash.sig /tmp/example.txt",
$output,
$return
);
git clone https://github.com/open-quantum-safe/oqs-provider.git
./scripts/fullbuild.sh
to obtain_build/lib/oqsprovider.so
- fullbuild.sh is probably best way (without openssl installation if you already have one)
- place
oqsprovider.so
intoOPENSSL_DIR/ossl_modules
- insert this snippet into used
openssl.cnf
:
[openssl_init]
providers = provider_sect
# List of providers to load
[provider_sect]
default = default_sect
oqsprovider = oqsprovider_sect
[default_sect]
activate = 1
[oqsprovider_sect]
activate = 1
- build PHP:
./configure --build=aarch64-linux-gnu --with-config-file-path=/usr/local/etc/php --with-config-file-scan-dir=/usr/local/etc/php/conf.d --enable-option-checking=fatal --with-mhash --with-pic --enable-ftp --enable-mbstring --enable-mysqlnd --with-password-argon2 --with-sodium=shared --with-pdo-sqlite=/usr --with-sqlite3=/usr --with-curl --with-iconv --with-openssl=/usr/local/ssl --with-readline --with-zlib --disable-phpdbg --with-pear --with-libdir=lib/aarch64-linux-gnu --disable-cgi --with-apxs2 build_alias=aarch64-linux-gnu
make
make install
echo "test data" > /tmp/example.txt
openssl genpkey -algorithm dilithium5 -out /tmp/dil5.key
openssl genrsa -out rsa.key 2048
openssl pkey -pubout -in /tmp/dil5.key -out /tmp/dil5.pem
openssl rsa -pubout -in /tmp/rsa.key -out /tmp/rsa.pem
openssl dgst -sign /tmp/rsa.key -out /tmp/rsa.sig -sha256 /tmp/example.txt
openssl dgst -sign /tmp/dil5.key -out /tmp/dil5.sig -sha256 /tmp/example.txt
openssl dgst -sha256 -verify /tmp/rsa.pem -signature /tmp/rsa.sig /tmp/example.txt
openssl dgst -sha256 -verify /tmp/dil5.pem -signature /tmp/dil5.sig /tmp/example.txt
<?php
$data = file_get_contents('/tmp/example.txt');
// RSA
$rsa_verification_public_key = file_get_contents('/tmp/rsa.pem');
$rsa_verification_signature = file_get_contents('/tmp/rsa.sig');
$rsa_verification_results = openssl_verify($data, $rsa_verification_signature, $rsa_verification_public_key, OPENSSL_ALGO_SHA256);
// DIL5
$dil5_verification_public_key = file_get_contents('/tmp/dil5.pem');
$dil5_verification_signature = file_get_contents('/tmp/dil5.sig');
$dil5_verification_results = openssl_verify($data, $dil5_verification_signature, $dil5_verification_public_key, OPENSSL_ALGO_SHA256);
// RSA create signature
$rsa_signing_private_key = file_get_contents('/tmp/rsa.key');
$rsa_signing_signature = null;
$rsa_signing_result = openssl_sign($data, $rsa_signing_signature, $rsa_signing_private_key, OPENSSL_ALGO_SHA256);
$rsa_signing_verify_result = openssl_verify($data, $rsa_signing_signature, $rsa_verification_public_key, OPENSSL_ALGO_SHA256);
// DIL5 create signature
$dil5_signing_private_key = file_get_contents('/tmp/dil5.key');
$dil5_signing_signature = null;
$dil5_signing_result = openssl_sign($data, $dil5_signing_signature, $dil5_signing_private_key, OPENSSL_ALGO_SHA256);
$dil5_signing_verify_result = openssl_verify($data, $dil5_signing_signature, $dil5_verification_public_key, OPENSSL_ALGO_SHA256);
echo "Done";