|
| 1 | +## X9.146 Overview |
| 2 | + |
| 3 | +The X9.146 specification defines a certificate format supporting dual signatures and public keys. This implementation introduces an optional TLS 1.3 extension called Certificate Key Selection (CKS), which indicates which signatures are included in the CertificateVerify message. |
| 4 | + |
| 5 | +### Certificate Key Selection (CKS) Options: |
| 6 | +- `NATIVE (0x01)`: Classical signature only |
| 7 | +- `ALTERNATIVE (0x02)`: Post-quantum signature only |
| 8 | +- `BOTH (0x03)`: Hybrid signature (classical + post-quantum) |
| 9 | + |
| 10 | +During the handshake: |
| 11 | +1. The client includes the CKS extension in its ClientHello message |
| 12 | +2. The server evaluates the extension and, if supported, selects a CKS value to include in its ServerHello response |
| 13 | + |
| 14 | +## Demos and Configuration |
| 15 | + |
| 16 | +Four hybrid algorithm combinations are available for demonstration: |
| 17 | + |
| 18 | +1. P-256 + MLDSA44 |
| 19 | +2. P-384 + MLDSA65 |
| 20 | +3. P-521 + MLDSA87 |
| 21 | +4. RSA-3072 + MLDSA44 |
| 22 | + |
| 23 | +### Configuration Options: |
| 24 | +- Set CKS mode using `CKS_TYPE` |
| 25 | +- Configure handshake algorithms using [list of supported algorithms](#) (link to documentation) |
| 26 | +- [Additional configuration details...] |
| 27 | + |
| 28 | +## Interoperability Testing |
| 29 | + |
| 30 | +Test file: [TlsX9146InteroptTest.java](tls%2Fsrc%2Ftest%2Fjava%2Forg%2Fbouncycastle%2Ftls%2Ftest%2FTlsX9146InteroptTest.java) |
| 31 | + |
| 32 | +Comprehensive testing was performed across all combinations of: |
| 33 | +- BouncyCastle (BC) TLS server/client |
| 34 | +- wolfSSL TLS server/client |
| 35 | + |
| 36 | +### Test Setup |
| 37 | + |
| 38 | +#### Prerequisites: |
| 39 | +- Generated conventional/post-quantum keys (converted to PEM using OpenSSL) |
| 40 | +- Certificate chains created using wolfSSL utilities |
| 41 | +- [PEM files location](#) (link to files) |
| 42 | + |
| 43 | +#### Setup Instructions: |
| 44 | + |
| 45 | +1. **wolfSSL Setup** |
| 46 | + - Clone the wolfSSL repository (outside BC directory) |
| 47 | + - Configure wolfSSL with appropriate settings |
| 48 | + |
| 49 | +2. **Certificate Generation** |
| 50 | + - Clone wolfssl-example repository |
| 51 | + - Run `make scripts` |
| 52 | + - For desired demo: generate certificate chain → perform DER conversion |
| 53 | + - Move PEM files to BC directory |
| 54 | + |
| 55 | +3. **Test Configuration** |
| 56 | + - Set BC parameters in test file: |
| 57 | + - set `wolfSSLWorkingDirectory` to where wolfssl was installed |
| 58 | + - set `DEMO` to wanted test demo |
| 59 | + - set `CKS_TYPE` to wanted Certificate Key Selection Type |
| 60 | + - (Optional) Handshake algorithm |
| 61 | + |
| 62 | +4. **Running Tests** |
| 63 | + - Expected outcome: Successful handshake with no errors |
| 64 | + - **BC Client ↔ wolfSSL Server** |
| 65 | + 1. run testOneShotBCClientWithWolfServer() |
| 66 | + |
| 67 | + *OR* |
| 68 | + 1. Start wolfSSL server (with correct PEM file paths) |
| 69 | + 2. Execute `testWithWolfSSLServer()` |
| 70 | + - **wolfSSL Client ↔ BC Server** |
| 71 | + 1. run testOneShotWolfClientWithBCServer() |
| 72 | + |
| 73 | + *OR* |
| 74 | + 1. Execute `testRunBCServer()` |
| 75 | + 2. Start wolfSSL client (with correct PEM file paths) |
| 76 | + |
| 77 | +## Performance Metrics |
| 78 | + |
| 79 | +### Test Environment: |
| 80 | +- **Processor:** Intel Core i7-9750H (6 cores @ 2.60GHz) |
| 81 | +- **OS:** Pop!_OS 22.04 LTS |
| 82 | +- **Kernel:** Linux 6.9.3 |
| 83 | +- **Architecture:** x86_64 |
| 84 | +- **Memory:** 32GB |
| 85 | + |
| 86 | +### Performance Analysis: |
| 87 | +- **Summary:** TODO |
| 88 | + |
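Review bot: The handshake description (added lines 10-12) only covers the case where the server supports the CKS extension and does not say what happens when it does not, or how the server picks the value it returns. Since `NATIVE (0x01)` is classical-only, please document whether an endpoint configured for `ALTERNATIVE` or `BOTH` aborts the handshake or falls back to a classical signature when the peer omits or ignores the extension, so readers can judge the downgrade behaviour. Separately, the file still carries unfinished placeholders: `[list of supported algorithms](#) (link to documentation)` and `[Additional configuration details...]` under Configuration Options, the `(#)` link for the PEM files location, and `**Summary:** TODO` under Performance Analysis. Fill these in or drop the sections before merge. The setup steps are also not reproducible as written: step 1 says to configure wolfSSL "with appropriate settings" without naming them, and the sub-items under "Set BC parameters in test file:" (lines 57-60) are at the same indent as their parent, so they will render as a flat list. Finally, wrap `testOneShotBCClientWithWolfServer()` and `testOneShotWolfClientWithBCServer()` in backticks to match the other test method names in step 4.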