<feed xmlns='http://www.w3.org/2005/Atom'>
<title>ouroboros/include/test/certs, branch be</title>
<subtitle>Ouroboros main repository</subtitle>
<id>https://ouroboros.rocks/cgit/ouroboros/atom?h=be</id>
<link rel='self' href='https://ouroboros.rocks/cgit/ouroboros/atom?h=be'/>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/'/>
<updated>2026-06-29T06:32:58+00:00</updated>
<entry>
<title>irmd: Reject OAP peer crt with unusable CN</title>
<updated>2026-06-29T06:32:58+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-12T18:26:27+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=dce27129b74f906e0d1c086858f360228d5cbc83'/>
<id>urn:sha1:dce27129b74f906e0d1c086858f360228d5cbc83</id>
<content type='text'>
Added checks for CN &gt; NAME_SIZE.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>irmd: Add issuer and digest pinning to OAP</title>
<updated>2026-06-29T06:32:58+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-06-12T17:34:27+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=977bcac2d56a8793ed93b4aac7016ef36b51a07f'/>
<id>urn:sha1:977bcac2d56a8793ed93b4aac7016ef36b51a07f</id>
<content type='text'>
A peer certificate that verifies against the CA store could have
been issued by any trusted CA, and a peer could pick any supported
digest for its signature. Tighten the authentication contract with
two local policies.

cacert= pins the issuing CA: a peer certificate, if presented, must
chain through the pinned CA. Whether a certificate is mandatory at
all remains controlled by auth= alone.

digest= now also pins the signature digest: a classical peer must sign
with the locally configured digest, and may not omit the digest NID to
fall back to the key's default digest. PQC signatures (ML-DSA,
SLH-DSA) have an intrinsic digest and may be NID_undef.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
<entry>
<title>lib: Add SLH-DSA tests and per-algorithm PQC gating</title>
<updated>2026-02-18T06:53:35+00:00</updated>
<author>
<name>Dimitri Staessens</name>
<email>dimitri@ouroboros.rocks</email>
</author>
<published>2026-02-17T21:37:39+00:00</published>
<link rel='alternate' type='text/html' href='https://ouroboros.rocks/cgit/ouroboros/commit/?id=040bdfb18684d809cb5edacf9867d3378b7e093b'/>
<id>urn:sha1:040bdfb18684d809cb5edacf9867d3378b7e093b</id>
<content type='text'>
This replaces the single HAVE_OPENSSL_PQC/DISABLE_PQC with
per-algorithm CMake variables (ML-KEM, ML-DSA, SLH-DSA), gated by the
OpenSSL versions: ML-KEM and ML-DSA require &gt;= 3.4, SLH-DSA &gt;= 3.5.

SLH-DSA was already working, but now added explicit authentication
tests for it with a full certificate chain (root CA, intermediate CA,
server) to show full support.

Rename PQC test files and cert headers to use algorithm-specific names
(ml_kem, ml_dsa, slh_dsa) and move cert headers to
include/test/certs/.

Signed-off-by: Dimitri Staessens &lt;dimitri@ouroboros.rocks&gt;
Signed-off-by: Sander Vrijders &lt;sander@ouroboros.rocks&gt;
</content>
</entry>
</feed>
