From c25807b71f6199137efb7acb9e0fa62351f98277 Mon Sep 17 00:00:00 2001 From: Kris Kwiatkowski Date: Tue, 5 Nov 2024 12:15:23 +0000 Subject: [PATCH] [kris] Computes compatMatrix for R4 (#167) * [kris] Small fix * [kris] compatMatrix for R4 --- providers/kris/artifacts_certs_r4.zip | Bin 23055 -> 46444 bytes .../artifacts_certs_r4/bc_kris.csv | 6 + .../artifacts_certs_r4/cht_kris.csv | 4 + .../cryptonext-cnsprovider_kris.csv | 6 + .../artifacts_certs_r4/cryptonext_kris.csv | 6 + .../artifacts_certs_r4/entrust_kris.csv | 3 + .../artifacts_certs_r4/kris_kris.csv | 6 + providers/kris/scripts/check_r4.sh | 105 ++++++++++++++++++ 8 files changed, 136 insertions(+) create mode 100644 providers/kris/compatMatrices/artifacts_certs_r4/bc_kris.csv create mode 100644 providers/kris/compatMatrices/artifacts_certs_r4/cht_kris.csv create mode 100644 providers/kris/compatMatrices/artifacts_certs_r4/cryptonext-cnsprovider_kris.csv create mode 100644 providers/kris/compatMatrices/artifacts_certs_r4/cryptonext_kris.csv create mode 100644 providers/kris/compatMatrices/artifacts_certs_r4/entrust_kris.csv create mode 100644 providers/kris/compatMatrices/artifacts_certs_r4/kris_kris.csv create mode 100755 providers/kris/scripts/check_r4.sh diff --git a/providers/kris/artifacts_certs_r4.zip b/providers/kris/artifacts_certs_r4.zip index 9c718d8f196929fad75bf6d1dc5728958b5480a5..872a42eca8e57332f87fb0a529125ae5ae8b97d1 100644 GIT binary patch delta 564 zcmeC*!uaMD(}q{!-pnjq3?RUfmmCRZKnY<68HU87lFYQk?g+%C72FJrEMFNJ7+6Gr+9pVe8(`P9Q7)5R+#0*w=5F>gqT+@)B%@`0cya1n zt@VH(r)0lXj=UQqlN>WH|4Bf7D!}m8@kKZTcHgpsd^?#ZQgQN+a2{0y2AC!Wh9!-r z5m+@%l#`##9;r6Dnw>}08b!m_c&r*Gce87Ob$HA2s2ZZ^m{E#dN3^U0P=^tk`M;a6 ktM-nJK~wo@5_XmSRv?#1h_JGO0*4z2Z?P~i)NBCp0FnHc9smFU delta 35 lcmaF!im87Kwm diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/bc_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/bc_kris.csv new file mode 100644 index 00000000..a92f8dc9 --- /dev/null 
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/bc_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/cht_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/cht_kris.csv
new file mode 100644
index 00000000..0214457c
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/cht_kris.csv
@@ -0,0 +1,4 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext-cnsprovider_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext-cnsprovider_kris.csv
new file mode 100644
index 00000000..a92f8dc9
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext-cnsprovider_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext_kris.csv
new file mode 100644
index 00000000..a92f8dc9
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/cryptonext_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/entrust_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/entrust_kris.csv
new file mode 100644
index 00000000..229eff35
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/entrust_kris.csv
@@ -0,0 +1,3 @@
+key_algorithm_oid,test_result
+1.3.9999.3.6,N
+1.3.9999.3.9,N
diff --git a/providers/kris/compatMatrices/artifacts_certs_r4/kris_kris.csv b/providers/kris/compatMatrices/artifacts_certs_r4/kris_kris.csv
new file mode 100644
index 00000000..1b1ab5b6
--- /dev/null
+++ b/providers/kris/compatMatrices/artifacts_certs_r4/kris_kris.csv
@@ -0,0 +1,6 @@
+key_algorithm_oid,test_result
+2.16.840.1.101.3.4.3.17,Y
+2.16.840.1.101.3.4.3.18,Y
+2.16.840.1.101.3.4.3.19,Y
+1.3.9999.3.6,Y
+1.3.9999.3.9,Y
diff --git a/providers/kris/scripts/check_r4.sh b/providers/kris/scripts/check_r4.sh
new file mode 100755
index 00000000..850c28a8
--- /dev/null
+++ b/providers/kris/scripts/check_r4.sh
@@ -0,0 +1,105 @@
+#!/bin/bash
+# This script must be run from the root directory of pqc-certificates
+# Stolen from seventhsense.ai and retrofitted to work with OpenSSL and
+# anti-atlas.
+
+certszipr4="artifacts_certs_r4.zip"
+inputdir="./providers"
+outputdir="./output/certs"
+logfile=$outputdir/kris.log
+
+# Start the results CSV file
+mkdir -p $outputdir
+printf "Build time: %s\n\n" "$(date)" > $logfile
+
+source providers/kris/scripts/oids.sh
+
+supported_ta_oids=("${PQSP_OID_MLDSA44}" "${PQSP_OID_MLDSA65}" "${PQSP_OID_MLDSA87}" "${FALCON_512}" "${FALCON_1024}")
+
+
+function convert_to_pem {
+ # We want to check that the needed structures
+ # are all in place
+ certfile=$1
+ pemfile=$2
+
+ echo $certfile
+ # Checks if we have the PEM version of the RootCA
+ if [ -f "$certfile" ]; then
+ openssl x509 -inform DER -in "$certfile" -out "$pemfile"
+ if [ $? -gt 0 ] ; then
+ echo
+ echo "ERROR: Cannot convert $certfile into PEM format"
+ echo
+ exit 1
+ fi
+ fi
+}
+
+check() {
+ # Extracts the argument
+ pemfile=$1
+
+ # Baseline test whether TA cert is well formed
+ openssl x509 -in $pemfile -text -noout 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "${pemfile} not suitable."
+ return 0
+ fi
+
+ # Baseline test whether TA cert is self-signed
+ openssl verify -CAfile $pemfile $pemfile 2>/dev/null >/dev/null
+ if [ $? -ne 0 ]; then
+ echo "${pemfile} not self-signed."
+ return 0
+ fi
+
+ # Checking for some parsing errors
+ openssl x509 -in $pemfile -text -noout | grep error 2>/dev/null > /dev/null
+ if [ $? -ne 0 ]; then
+ #echo "No error parsing TA certificate in $1";
+ # Extracting algorithm name
+ openssl x509 -in $pemfile -text -noout | grep "Public Key Algorithm" 2>&1 > /dev/null
+ if [ $? -ne 0 ]; then
+ echo "Can't extract the algorithm name"
+ echo "N"
+ return
+ fi
+ else
+ echo "Error parsing ${PEM}"
+ return 0
+ fi
+ return 1
+}
+
+# First, recurse into any provider dir
+for providerdir in $(ls -d $inputdir/*/); do
+ provider=$(basename $providerdir)
+
+ # process certs
+ zip=${providerdir}$certszipr4
+ unzipdir=${providerdir}"artifacts_certs_r4"
+ unzip -o $zip -d $unzipdir 2> /dev/null
+ if [ $? -ne 0 ]; then
+ echo "$provider: artifacts not found"
+ continue
+ else
+ echo "Processing $provider"
+ fi
+
+ resultsfile=${outputdir}/${provider}_kris.csv
+ echo "key_algorithm_oid,test_result" > $resultsfile # CSV header row
+
+ for oid in ${supported_ta_oids[@]}; do
+ for certfile in `ls ${unzipdir}/artifacts_certs_r4/*-${oid}_ta.der`; do
+ pemfile=`dirname $certfile`/`basename $certfile .der`.pem
+ convert_to_pem $certfile $pemfile
+ check $pemfile
+ if [ $? -eq 1 ]; then
+ echo "${oid},Y" >> $resultsfile
+ else
+ echo "${oid},N" >> $resultsfile
+ fi
+ done
+ done
+done
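Review bot: `echo "Error parsing ${PEM}"` in check() references `PEM`, which is never assigned anywhere in the script, so the diagnostic for a certificate that fails to parse prints no file name; it should read `echo "Error parsing ${pemfile}"`. A related inconsistency is that convert_to_pem calls `exit 1` when one DER file fails to convert, which aborts the whole matrix run for every remaining provider and OID, while every other per-certificate failure in check() is recorded as an `N` row in the CSV — returning non-zero from convert_to_pem and letting the loop write `N` would keep the results file complete. The `for providerdir in $(ls -d $inputdir/*/)` and backtick `ls` loops word-split on paths and silently iterate over the literal pattern when nothing matches; `for providerdir in "$inputdir"/*/` and `for certfile in "${unzipdir}"/artifacts_certs_r4/*-"${oid}"_ta.der` with `shopt -s nullglob` do the same job without parsing ls. Finally, check() uses return 1 to mean "supported" and 0 for every rejection, the reverse of the usual shell convention, so a one-line comment above `check() {` stating that `1` maps to `Y` and `0` to `N` in the results loop would spare the next reader a surprise.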