Merge pull request #7 from disentangle-network/feature/pq-handshake

Merge PQ handshake, CLI, and e2e test to master

Author: disentangle-network

cert/cert.go

@@ -158,6 +158,20 @@ func Recombine(v Version, rawCertBytes, publicKey []byte, curve Curve) (Certific
 	return c, nil
 }
 
+// UnmarshalCertificateFromBytes unmarshals a certificate from raw bytes when the full certificate
+// (including public key) is already present. This is used for PQ certificates where the public key
+// is not stripped during handshake marshaling.
+func UnmarshalCertificateFromBytes(b []byte, v Version, curve Curve) (Certificate, error) {
+	switch v {
+	case VersionPre1, Version1:
+		return unmarshalCertificateV1(b, nil)
+	case Version2:
+		return unmarshalCertificateV2(b, nil, curve)
+	default:
+		return nil, ErrUnknownVersion
+	}
+}
+
 // CalculateAlternateFingerprint calculates a 2nd fingerprint representation for P256 certificates
 // CAPool blocklist testing through `VerifyCertificate` and `VerifyCachedCertificate` automatically performs this step.
 func CalculateAlternateFingerprint(c Certificate) (string, error) {

cert/cert_v2.go

@@ -239,13 +239,14 @@ func (c *certificateV2) VerifyPrivateKey(curve Curve, key []byte) error {
 		pub = privkey.PublicKey().Bytes()
 	case Curve_PQ:
 		// Host certs use ML-KEM-1024 key agreement keys
-		if len(key) != mlkem1024.PrivateKeySize {
+		var sk mlkem1024.PrivateKey
+		if err := sk.Unpack(key); err != nil {
+			return ErrInvalidPrivateKey
+		}
+		derivedPub, err := sk.Public().(*mlkem1024.PublicKey).MarshalBinary()
+		if err != nil {
 			return ErrInvalidPrivateKey
 		}
-		_, sk := mlkem1024.NewKeyFromSeed(key[:mlkem1024.KeySeedSize])
-		pub, _ = sk.MarshalBinary()
-		// Compare only the public key portion
-		derivedPub := pub[:mlkem1024.PublicKeySize]
 		if !bytes.Equal(derivedPub, c.publicKey) {
 			return ErrPublicPrivateKeyMismatch
 		}

cert/pem.go

@@ -15,25 +15,25 @@ const ( //cert banners
 )
 
 const ( //key-agreement-key banners
-	X25519PrivateKeyBanner  = "NEBULA X25519 PRIVATE KEY"
-	X25519PublicKeyBanner   = "NEBULA X25519 PUBLIC KEY"
-	P256PrivateKeyBanner    = "NEBULA P256 PRIVATE KEY"
-	P256PublicKeyBanner     = "NEBULA P256 PUBLIC KEY"
+	X25519PrivateKeyBanner    = "NEBULA X25519 PRIVATE KEY"
+	X25519PublicKeyBanner     = "NEBULA X25519 PUBLIC KEY"
+	P256PrivateKeyBanner      = "NEBULA P256 PRIVATE KEY"
+	P256PublicKeyBanner       = "NEBULA P256 PUBLIC KEY"
 	MLKEM1024PrivateKeyBanner = "NEBULA MLKEM1024 PRIVATE KEY"
 	MLKEM1024PublicKeyBanner  = "NEBULA MLKEM1024 PUBLIC KEY"
 )
 
 /* including "ECDSA" in the P256 banners is a clue that these keys should be used only for signing */
 const ( //signing key banners
-	EncryptedECDSAP256PrivateKeyBanner   = "NEBULA ECDSA P256 ENCRYPTED PRIVATE KEY"
-	ECDSAP256PrivateKeyBanner            = "NEBULA ECDSA P256 PRIVATE KEY"
-	ECDSAP256PublicKeyBanner             = "NEBULA ECDSA P256 PUBLIC KEY"
-	EncryptedEd25519PrivateKeyBanner     = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
-	Ed25519PrivateKeyBanner              = "NEBULA ED25519 PRIVATE KEY"
-	Ed25519PublicKeyBanner               = "NEBULA ED25519 PUBLIC KEY"
-	EncryptedMLDSA87PrivateKeyBanner     = "NEBULA MLDSA87 ENCRYPTED PRIVATE KEY"
-	MLDSA87PrivateKeyBanner              = "NEBULA MLDSA87 PRIVATE KEY"
-	MLDSA87PublicKeyBanner               = "NEBULA MLDSA87 PUBLIC KEY"
+	EncryptedECDSAP256PrivateKeyBanner = "NEBULA ECDSA P256 ENCRYPTED PRIVATE KEY"
+	ECDSAP256PrivateKeyBanner          = "NEBULA ECDSA P256 PRIVATE KEY"
+	ECDSAP256PublicKeyBanner           = "NEBULA ECDSA P256 PUBLIC KEY"
+	EncryptedEd25519PrivateKeyBanner   = "NEBULA ED25519 ENCRYPTED PRIVATE KEY"
+	Ed25519PrivateKeyBanner            = "NEBULA ED25519 PRIVATE KEY"
+	Ed25519PublicKeyBanner             = "NEBULA ED25519 PUBLIC KEY"
+	EncryptedMLDSA87PrivateKeyBanner   = "NEBULA MLDSA87 ENCRYPTED PRIVATE KEY"
+	MLDSA87PrivateKeyBanner            = "NEBULA MLDSA87 PRIVATE KEY"
+	MLDSA87PublicKeyBanner             = "NEBULA MLDSA87 PUBLIC KEY"
 )
 
 // UnmarshalCertificateFromPEM will try to unmarshal the first pem block in a byte array, returning any non consumed

cert/sign_test.go

@@ -173,7 +173,7 @@ func TestCertificateV2_SignPQ(t *testing.T) {
 	assert.Equal(t, pubBytes, c.PublicKey())
 
 	// Verify signature length matches ML-DSA-87
-	assert.Equal(t, mldsa87.SignatureSize, len(c.Signature()))
+	assert.Len(t, c.Signature(), mldsa87.SignatureSize)
 
 	// Marshal and unmarshal roundtrip
 	b, err := c.Marshal()

cert_test/cert.go

@@ -9,6 +9,8 @@ import (
 	"net/netip"
 	"time"
 
+	"github.com/cloudflare/circl/kem/mlkem/mlkem1024"
+	"github.com/cloudflare/circl/sign/mldsa/mldsa87"
 	"github.com/slackhq/nebula/cert"
 	"golang.org/x/crypto/curve25519"
 	"golang.org/x/crypto/ed25519"
@@ -30,6 +32,13 @@ func NewTestCaCert(version cert.Version, curve cert.Curve, before, after time.Ti
 
 		pub = elliptic.Marshal(elliptic.P256(), privk.PublicKey.X, privk.PublicKey.Y)
 		priv = privk.D.FillBytes(make([]byte, 32))
+	case cert.Curve_PQ:
+		pk, sk, err := mldsa87.GenerateKey(rand.Reader)
+		if err != nil {
+			panic(err)
+		}
+		pub = pk.Bytes()
+		priv = sk.Bytes()
 	default:
 		// There is no default to allow the underlying lib to respond with an error
 	}
@@ -84,6 +93,8 @@ func NewTestCert(v cert.Version, curve cert.Curve, ca cert.Certificate, key []by
 		pub, priv = X25519Keypair()
 	case cert.Curve_P256:
 		pub, priv = P256Keypair()
+	case cert.Curve_PQ:
+		pub, priv = PQKeypair()
 	default:
 		panic("unknown curve")
 	}
@@ -163,3 +174,13 @@ func P256Keypair() ([]byte, []byte) {
 	pubkey := privkey.PublicKey()
 	return pubkey.Bytes(), privkey.Bytes()
 }
+
+func PQKeypair() ([]byte, []byte) {
+	pk, sk, err := mlkem1024.GenerateKeyPair(rand.Reader)
+	if err != nil {
+		panic(err)
+	}
+	pubBytes, _ := pk.MarshalBinary()
+	privBytes, _ := sk.MarshalBinary()
+	return pubBytes, privBytes
+}

cmd/nebula-cert/ca.go

@@ -13,6 +13,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/cloudflare/circl/sign/mldsa/mldsa87"
 	"github.com/skip2/go-qrcode"
 	"github.com/slackhq/nebula/cert"
 	"github.com/slackhq/nebula/pkclient"
@@ -59,7 +60,7 @@ func newCaFlags() *caFlags {
 	cf.argonParallelism = cf.set.Uint("argon-parallelism", 4, "Optional: Argon2 parallelism parameter used for encrypted private key passphrase")
 	cf.argonIterations = cf.set.Uint("argon-iterations", 1, "Optional: Argon2 iterations parameter used for encrypted private key passphrase")
 	cf.encryption = cf.set.Bool("encrypt", false, "Optional: prompt for passphrase and write out-key in an encrypted format")
-	cf.curve = cf.set.String("curve", "25519", "EdDSA/ECDSA Curve (25519, P256)")
+	cf.curve = cf.set.String("curve", "25519", "EdDSA/ECDSA/PQ Curve (25519, P256, PQ)")
 	cf.p11url = p11Flag(cf.set)
 
 	cf.ips = cf.set.String("ips", "", "Deprecated, see -networks")
@@ -243,11 +244,23 @@ func ca(args []string, out io.Writer, errOut io.Writer, pr PasswordReader) error
 			}
 			rawPriv = eKey.Bytes()
 			pub = eKey.PublicKey().Bytes()
+		case "PQ":
+			curve = cert.Curve_PQ
+			pk, sk, err := mldsa87.GenerateKey(rand.Reader)
+			if err != nil {
+				return fmt.Errorf("error while generating ML-DSA-87 keys: %s", err)
+			}
+			pub = pk.Bytes()
+			rawPriv = sk.Bytes()
 		default:
 			return fmt.Errorf("invalid curve: %s", *cf.curve)
 		}
 	}
 
+	if curve == cert.Curve_PQ && version != cert.Version2 {
+		return fmt.Errorf("PQ curve requires certificate version 2")
+	}
+
 	t := &cert.TBSCertificate{
 		Version:        version,
 		Name:           *cf.name,

cmd/nebula-cert/ca_test.go

@@ -34,7 +34,7 @@ func Test_caHelp(t *testing.T) {
 			"  -argon-parallelism uint\n"+
 			"    \tOptional: Argon2 parallelism parameter used for encrypted private key passphrase (default 4)\n"+
 			"  -curve string\n"+
-			"    \tEdDSA/ECDSA Curve (25519, P256) (default \"25519\")\n"+
+			"    \tEdDSA/ECDSA/PQ Curve (25519, P256, PQ) (default \"25519\")\n"+
 			"  -duration duration\n"+
 			"    \tOptional: amount of time the certificate should be valid for. Valid time units are seconds: \"s\", minutes: \"m\", hours: \"h\" (default 8760h0m0s)\n"+
 			"  -encrypt\n"+

cmd/nebula-cert/keygen.go

@@ -24,7 +24,7 @@ func newKeygenFlags() *keygenFlags {
 	cf.set.Usage = func() {}
 	cf.outPubPath = cf.set.String("out-pub", "", "Required: path to write the public key to")
 	cf.outKeyPath = cf.set.String("out-key", "", "Required: path to write the private key to")
-	cf.curve = cf.set.String("curve", "25519", "ECDH Curve (25519, P256)")
+	cf.curve = cf.set.String("curve", "25519", "ECDH/KEM Curve (25519, P256, PQ)")
 	cf.p11url = p11Flag(cf.set)
 	return &cf
 }
@@ -64,6 +64,9 @@ func keygen(args []string, out io.Writer, errOut io.Writer) error {
 		case "P256":
 			pub, rawPriv = p256Keypair()
 			curve = cert.Curve_P256
+		case "PQ":
+			pub, rawPriv = pqKeypair()
+			curve = cert.Curve_PQ
 		default:
 			return fmt.Errorf("invalid curve: %s", *cf.curve)
 		}

cmd/nebula-cert/keygen_test.go

@@ -21,7 +21,7 @@ func Test_keygenHelp(t *testing.T) {
 		t,
 		"Usage of "+os.Args[0]+" keygen <flags>: create a public/private key pair. the public key can be passed to `nebula-cert sign`\n"+
 			"  -curve string\n"+
-			"    \tECDH Curve (25519, P256) (default \"25519\")\n"+
+			"    \tECDH/KEM Curve (25519, P256, PQ) (default \"25519\")\n"+
 			"  -out-key string\n"+
 			"    \tRequired: path to write the private key to\n"+
 			"  -out-pub string\n"+

cmd/nebula-cert/sign.go

@@ -14,6 +14,7 @@ import (
 
 	"github.com/skip2/go-qrcode"
 	"github.com/slackhq/nebula/cert"
+	"github.com/slackhq/nebula/noiseutil"
 	"github.com/slackhq/nebula/pkclient"
 	"golang.org/x/crypto/curve25519"
 )
@@ -405,6 +406,8 @@ func newKeypair(curve cert.Curve) ([]byte, []byte) {
 		return x25519Keypair()
 	case cert.Curve_P256:
 		return p256Keypair()
+	case cert.Curve_PQ:
+		return pqKeypair()
 	default:
 		return nil, nil
 	}
@@ -433,6 +436,14 @@ func p256Keypair() ([]byte, []byte) {
 	return pubkey.Bytes(), privkey.Bytes()
 }
 
+func pqKeypair() ([]byte, []byte) {
+	pub, priv, err := noiseutil.PQKEMKeypair()
+	if err != nil {
+		panic(err)
+	}
+	return pub, priv
+}
+
 func signSummary() string {
 	return "sign <flags>: create and sign a certificate"
 }