Cannot read FALCON-1024 certificates using openssl-liboqs #837

sandevins · 2025-03-25T08:01:12Z

sandevins
Mar 25, 2025

``When I generate a certificate using EJBCA and the FALCON signing algorithm (both 512 and 1024) this certificate and key cannot be used by any service that use liboqs (like Mosquitto with liboqs). At first I thought it was because of how the mosquitto was using the libraries, but then I tried reading the certificate with the openquantumsafe/openssl3 docker image and the public keys cannot be decoded.

The result from the terminal is the following.

/tmp # openssl x509 -in PQC\ Server\ High.pem -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            57:d1:cc:c8:80:11:ea:7a:0b:87:de:39:a8:20:5c:ca:a8:ce:59:00
        Signature Algorithm: 1.3.9999.3.9
        Issuer: O=MyORG, CN=PQCSubCA
        Validity
            Not Before: Mar 24 15:13:04 2025 GMT
            Not After : Mar 24 15:13:03 2027 GMT
        Subject: CN=10.5.4.70
        Subject Public Key Info:
            Public Key Algorithm: 1.3.9999.3.9
            Unable to load Public Key
285B1132A37F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:crypto/x509/x_pubkey.c:464:
285B1132A37F0000:error:03000072:digital envelope routines:X509_PUBKEY_get0:decode error:crypto/x509/x_pubkey.c:464:
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Authority Key Identifier: 
                92:29:A7:25:25:07:CE:74:5F:82:B5:98:3A:90:E4:E3:4A:F8:72:52
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication
            X509v3 Subject Key Identifier: 
                8C:61:C3:66:21:38:C1:07:FA:F7:46:C9:3F:64:FE:D9:0D:BE:41:32
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
    Signature Algorithm: 1.3.9999.3.9
    Signature Value:
        3a:d4:bb:21:4b:f6:66:fc:24:0f:5b:38:b4:ce:d5:73:a6:25:
        72:62:b3:8f:b3:ee:8a:2c:42:0b:2b:4c:07:39:4a:95:38:1e:
        ca:2e:e3:45:da:0f:23:1b:13:91:e1:a1:2d:f4:e7:25:63:d7:
        45:b0:0e:2a:d1:32:6a:73:18:46:07:d0:9d:09:65:87:33:a7:
        e5:4e:90:37:75:ac:4d:39:f2:73:e6:cd:0d:93:1b:d5:a3:64:
        16:e5:b2:17:8e:70:18:99:c8:8f:f4:2b:13:fe:52:9c:f9:4e:
        fa:fd:2d:b2:7d:28:2d:bf:4c:12:17:1d:9b:2b:c0:b2:96:3b:
        07:db:ca:9a:b2:e3:f7:9f:69:31:39:64:d8:fe:c5:0b:d6:e2:
        f7:bd:d3:71:b0:f9:95:4a:97:f7:28:cc:aa:f8:51:c9:ec:0b:
        41:9a:ab:79:ec:f2:66:71:18:7a:a2:c9:aa:47:6a:89:a5:8d:
        95:73:7b:7e:43:e1:24:bf:34:ce:68:b6:1f:2c:fa:00:68:27:
        92:63:7f:be:32:49:c7:d5:a0:89:fe:d4:63:98:44:18:cb:d9:
        a6:b5:b2:86:5a:e7:03:85:11:94:d7:7e:d5:a2:3d:3a:2d:0d:
        bd:bf:64:d1:25:aa:5e:d9:ed:c9:37:83:27:7b:9a:67:18:d9:
        bc:72:85:20:9b:d6:be:59:b3:19:49:44:d3:5b:7c:d2:57:ac:
        3f:1f:c7:9b:85:19:74:64:f5:45:2c:97:c6:b3:99:94:eb:fb:
        50:4f:1a:b1:87:a9:a4:50:06:f6:d3:94:82:cf:16:2c:ae:72:
        8c:ff:45:b7:f0:f3:6e:dc:b4:7a:fd:2d:b2:aa:c7:a5:6c:62:
        51:5a:85:6f:0f:7e:af:0e:de:38:fe:f9:b3:ba:8e:6f:17:8f:
        91:47:dd:35:38:13:e8:9a:b1:29:0b:43:9a:a7:32:1f:57:67:
        af:9c:a0:dc:3a:d5:5b:be:53:70:32:3d:36:4c:9b:6b:19:2c:
        3c:1e:ff:a3:7f:29:54:da:33:13:33:9a:e5:e6:0d:cb:20:8e:
        5a:4a:b0:98:cf:77:12:8a:7c:ee:0d:0c:52:62:83:cd:d8:b1:
        ab:5c:08:c9:9c:9f:8f:d7:3b:c3:fc:a9:46:6a:b2:07:8d:2d:
        65:ce:bf:a7:07:b5:46:ac:30:3a:3d:2a:f3:36:d4:40:5a:69:
        78:97:51:37:4e:05:16:9c:ed:af:3a:a4:a1:00:c8:54:51:8a:
        45:b3:94:37:68:fd:4d:0f:95:b5:e4:f9:32:ca:4d:2c:29:8c:
        1d:1a:b8:94:0c:1a:c2:e8:d6:24:66:83:67:5e:6b:34:a3:d1:
        75:b6:68:d8:66:35:e4:10:94:ad:3f:9e:56:f6:8e:95:16:17:
        66:b5:de:e2:6e:15:ca:7e:48:9a:86:19:ed:ef:d5:76:cb:63:
        23:97:70:31:9b:4e:16:3d:6b:46:09:8f:c7:cc:7b:2d:fc:18:
        e4:ed:fb:a3:19:9b:f3:3b:cd:4c:0b:aa:85:0b:ac:ee:1b:42:
        06:74:ed:d1:62:7d:20:35:a6:82:68:d8:db:f0:e2:00:d6:39:
        35:ea:26:88:c5:d9:e7:92:9f:64:4f:33:1f:35:61:2c:d9:ca:
        98:04:1e:24:bd:6b:a2:96:f1:82:9c:5f:fa:ed:b6:8d:ca:ed:
        ef:c7:a1:a9:d6:ad:24:71:e1:a1:30:e7:8b:cf:dd:61:30:5e:
        84:b6:a4:6d:21:18:98:e3:30:83:2b:f7:b6:e7:6b:b4:35:3b:
        51:17:c6:58:21:ec:e9:47:af:c1:2a:36:66:18:6f:9a:a5:f2:
        3d:45:ff:6f:ee:17:2a:04:9d:49:b8:14:5b:45:c0:9d:66:0c:
        db:7e:79:0c:d3:05:fa:44:65:56:29:32:87:ad:d9:a9:ac:91:
        ae:36:c6:9d:10:65:2a:da:5f:45:ca:f1:f5:a1:fb:e5:c9:7d:
        df:28:26:78:37:56:9b:6d:89:28:e9:1d:a6:bf:d9:76:1b:3f:
        44:62:e8:85:53:97:79:51:0c:75:1d:5a:1a:cc:a9:5f:33:5b:
        23:eb:bb:f2:11:de:9d:49:7f:c9:54:27:64:8d:1a:cd:ba:5a:
        d2:7d:15:6b:f7:92:47:99:36:12:39:fa:12:e1:4c:22:7d:2a:
        69:08:5a:e0:96:df:3b:1f:af:8f:65:70:2f:26:2d:93:a6:66:
        37:72:c8:0e:b2:16:6c:36:2d:96:ff:37:c7:d8:19:e8:1c:c9:
        a4:cb:5a:33:e7:03:80:e6:cb:33:33:0e:8a:1b:6e:ac:23:94:
        cc:6f:13:7e:ac:7a:e4:b0:26:71:63:6c:31:46:79:c1:91:60:
        fa:6a:61:06:54:b6:b8:83:9f:5c:4b:66:a6:1d:e9:9a:57:ea:
        8a:56:fa:ad:ed:38:26:de:d0:c4:af:f9:8e:96:10:9e:37:e7:
        6d:a2:ee:ec:16:4c:97:69:fc:50:88:e4:c7:19:51:8b:9f:24:
        4e:27:93:69:50:c4:66:b7:ee:ee:c0:86:65:5f:e6:a1:6e:f6:
        7c:d4:38:df:1f:96:45:2f:bc:69:74:07:86:9f:3d:cc:36:77:
        3c:ad:3e:79:1d:46:79:9a:77:5b:30:e6:75:1b:7e:3e:f0:a3:
        33:5e:a2:bc:f8:10:0d:df:2e:05:a4:6a:24:13:d3:24:51:0c:
        ad:75:2f:33:63:13:ae:8e:cb:d8:7d:9a:e2:d0:73:df:6c:0a:
        99:a2:79:84:e1:5f:e2:c5:66:70:6f:cf:8a:47:40:94:37:ec:
        e3:73:a6:78:da:66:e8:b1:25:f2:7d:8e:d2:05:34:79:7c:78:
        a5:19:7e:9a:4f:66:fb:c5:cd:5f:f8:fa:24:13:83:bf:a1:ce:
        1a:fa:54:5a:a9:08:ca:25:52:79:52:17:1b:7e:34:6c:b3:33:
        ad:c6:da:59:1b:75:f5:97:9f:2a:7b:cf:65:60:f0:cf:e5:2d:
        eb:20:b1:cf:d8:db:f7:27:0f:40:64:da:66:cb:0e:9f:f3:ec:
        58:03:0c:8b:ad:cc:5d:e0:b2:1e:01:26:c4:92:9d:93:6c:48:
        6f:da:03:02:cf:66:0f:3a:df:63:f5:20:a7:a6:66:f3:de:96:
        17:79:c0:45:94:b2:74:68:71:5b:78:59:99:9b:b3:58:18:ae:
        43:f9:06:93:3f:7a:f9:d1:47:c1:b5:5b:5c:d2:1e:80:43:b3:
        5b:e2:45:a4:49:c8:66:43:3e:93:77:89:ed:06:78:9f:45:e4:
        28:02:7a:6e:bd:5d:02:4b:20:46:c9:b3:7f:39:40:32:23:79:
        23:6e:71:fb:a4:c4:64:73:2c:e4:41:a9:78:36:ac:65:98:fe:
        5d:77:18:4a:83:27:b8:e1:a0
/tmp # openssl version
OpenSSL 3.4.0 22 Oct 2024 (Library: OpenSSL 3.4.0 22 Oct 2024)

Answered by primetomas

Mar 25, 2025

This is probably a question you should ask to the OQS project. If they are interoperable with Bouncy Castle for certificates.

On another note it may be hard to get attention for Falcon now, with it being standardized as FN-DSA later this year I don't think many people will want to spend time on the old draft version of the algorithm.

View full answer

primetomas · 2025-03-25T11:01:09Z

primetomas
Mar 25, 2025
Maintainer

This is probably a question you should ask to the OQS project. If they are interoperable with Bouncy Castle for certificates.

On another note it may be hard to get attention for Falcon now, with it being standardized as FN-DSA later this year I don't think many people will want to spend time on the old draft version of the algorithm.

1 reply

sandevins Mar 25, 2025
Author

Understood, thank you very much for your help!

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Cannot read FALCON-1024 certificates using openssl-liboqs #837

Uh oh!

{{title}}

Uh oh!

Replies: 1 comment 1 reply

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

Cannot read FALCON-1024 certificates using openssl-liboqs #837

Uh oh!

sandevins Mar 25, 2025

Replies: 1 comment · 1 reply

Uh oh!

primetomas Mar 25, 2025 Maintainer

Uh oh!

sandevins Mar 25, 2025 Author

sandevins
Mar 25, 2025

Replies: 1 comment 1 reply

primetomas
Mar 25, 2025
Maintainer

sandevins Mar 25, 2025
Author