This container image provides a reference environment based on Fedora rawhide with the correct configuration changes to enable post-quantum cryptography.
Pre-built versions of this container image are available from
quay.io. To use
these, you will need a container runtime, e.g., podman on Linux or Podman
Desktop.
To download the pre-built container image using podman, use

```shell
podman pull quay.io/qubip/pq-container
```

To run the container, use
```shell
podman run \
  --rm \
  -it \
  quay.io/qubip/pq-container
```

The following is a list of items to test inside the container to show that it has been configured for post-quantum cryptography.

```shell
openssl list -providers
```

will list the OpenSSL OQS Provider (look for an `oqsprovider` entry whose status is reported as `active`), which uses liboqs to offer post-quantum cryptography for OpenSSL.
Fedora provides a global configuration mechanism for all its cryptographic
libraries called crypto-policies. The crypto-policies package in Fedora has
a policy module that enables post-quantum cryptography called TEST-PQ.
It is already enabled in the container. You can verify this by running
```shell
update-crypto-policies --show
```

which will return DEFAULT:TEST-PQ. If the TEST-PQ policy module is not
enabled, it can be enabled by running

```shell
update-crypto-policies --set DEFAULT:TEST-PQ
```

To connect to openquantumsafe.org's test server using post-quantum cryptography
for the key exchange, use the s_client OpenSSL command:

```shell
openssl s_client \
  -connect test.openquantumsafe.org:6041 \
  -trace
```

The container also includes an instance of the nginx web server configured for post-quantum key exchange; it listens on port 443.
First, you need to start it by running

```shell
/usr/sbin/nginx
```

Next, you can use OpenSSL's s_client to connect to it:

```shell
openssl s_client \
  -CAfile root.crt \
  -tls1_3 \
  -trace \
  -connect localhost:443
```

To test OpenSSL with curl, use the following command:

```shell
curl \
  --cacert root.crt \
  https://localhost/
```

To build the container on your local system, you can use podman build. Make
sure that your current working directory contains the Containerfile when
running this.
```shell
podman build -t pq-container .
```

Podman prefixes the names of all locally built images with localhost/, so
to run this container after building it, use

```shell
podman run \
  --rm \
  -it \
  localhost/pq-container
```

The setup inside the container can also be replicated manually on any Fedora rawhide installation by following the steps below:
- Install the required packages:
  ```shell
  sudo dnf install openssl curl oqsprovider crypto-policies-scripts sed
  ```
- Switch the system-wide cryptographic policy to include the
  TEST-PQ policy module, which enables post-quantum algorithms:
  ```shell
  sudo update-crypto-policies --set DEFAULT:TEST-PQ
  ```
- Enable the OpenSSL OQS Provider:
  ```shell
  sudo sed -i '/^default = default_sect/a oqsprovider = oqs_sect' /etc/pki/tls/openssl.cnf
  sudo sed -i '/^activate = 1/a [oqs_sect]\nactivate = 1' /etc/pki/tls/openssl.cnf
  ```
  The first command registers the provider in the provider section, right after the default provider; the second appends an [oqs_sect] section that activates it, after the line that activates the default provider. Both patterns are anchored to the start of the line so that commented-out copies of these lines are left alone. The second command appends the section after every line that reads exactly activate = 1, so run the commands once and check the result with openssl list -providers.

This enables key exchange with post-quantum cryptography in TLS in both clients and servers that use OpenSSL, provided that the peer offers a matching post-quantum group. Otherwise TLS 1.3 negotiates a classical group and the handshake still succeeds, so check the negotiated group rather than relying on a successful connection.
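To make these checks repeatable, and to catch the case where the handshake succeeds but the key exchange quietly fell back to a classical group, here is a small verification script. It is an example added to this page, not code from the pq-container project. Its parsing helpers take command output as an argument, so they can be exercised offline on the constructed sample outputs embedded in the script; the live mode runs the three commands from the list above. The exact wording of the openssl output lines it parses ("Negotiated TLS1.3 group:", "Server Temp Key:", and the "status: active" lines of `openssl list -providers`), the `pq-check.sh` name and the family-name patterns it uses to recognise post-quantum groups are assumptions, marked as such in the comments.

```shell
#!/bin/sh
# pq-check.sh: verification script added to this page as an example; it is
# not part of the pq-container project. It checks that the crypto-policy,
# the OQS provider and a live TLS 1.3 handshake are really post-quantum,
# instead of trusting a handshake that may have fallen back to classical
# ECDHE.
#
# Assumptions (not taken from the page):
#  - `openssl list -providers` lists the provider as "oqsprovider" followed
#    by a "status: active" line;
#  - `openssl s_client` prints "Negotiated TLS1.3 group: <name>" (OpenSSL
#    3.x) and/or "Server Temp Key: <name>, ..." for the key exchange;
#  - oqsprovider's PQ and hybrid group names contain one of the liboqs KEM
#    family names matched in group_is_pq below.

# --- parsing helpers: take text as $1 so they can be exercised offline -----

# $1 is a policy string such as DEFAULT:TEST-PQ or FUTURE:TEST-PQ:OTHER;
# true when one of the colon-separated components is exactly TEST-PQ.
policy_is_pq() {
    printf '%s\n' "$1" | tr ':' '\n' | grep -qx 'TEST-PQ'
}

# $1 is the output of `openssl list -providers`; true when an oqsprovider
# entry is present and its status line says active.
providers_have_oqs() {
    printf '%s\n' "$1" | awk '
        NF == 1 && $1 !~ /:/ { current = $1 }    # a provider name line
        current == "oqsprovider" && /status: *active/ { found = 1 }
        END { exit found ? 0 : 1 }'
}

# $1 is s_client output; prints the negotiated key-exchange group, or an
# empty line when neither of the assumed report lines is present.
negotiated_group() {
    g=$(printf '%s\n' "$1" | sed -n 's/^Negotiated TLS1\.3 group: *//p' | head -n 1)
    if [ -z "$g" ]; then
        g=$(printf '%s\n' "$1" | sed -n 's/^Server Temp Key: *\([^,]*\),.*/\1/p' | head -n 1)
    fi
    printf '%s\n' "$g"
}

# $1 is a group name; true for PQ or hybrid KEM groups (assumed naming),
# false for classical names such as X25519 or secp256r1.
group_is_pq() {
    case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
        *kyber*|*mlkem*|*frodo*|*bike*|*hqc*) return 0 ;;
        *) return 1 ;;
    esac
}

# --- live checks ------------------------------------------------------------

# Runs all three checks against host:port ($1, default: the container's
# nginx) using CA file $2 (default: root.crt); returns 1 if any check fails.
run_checks() {
    target="${1:-localhost:443}"
    cafile="${2:-root.crt}"
    rc=0

    policy=$(update-crypto-policies --show 2>/dev/null)
    if policy_is_pq "$policy"; then
        echo "ok    crypto-policy is $policy"
    else
        echo "FAIL  crypto-policy is '${policy:-unknown}', expected a TEST-PQ module"
        rc=1
    fi

    providers=$(openssl list -providers 2>/dev/null)
    if providers_have_oqs "$providers"; then
        echo "ok    oqsprovider is loaded and active"
    else
        echo "FAIL  oqsprovider is not active in the OpenSSL configuration"
        rc=1
    fi

    handshake=$(openssl s_client -tls1_3 -CAfile "$cafile" -connect "$target" </dev/null 2>/dev/null)
    group=$(negotiated_group "$handshake")
    if [ -n "$group" ] && group_is_pq "$group"; then
        echo "ok    key exchange with $target used PQ group $group"
    else
        echo "FAIL  key exchange with $target used '${group:-no group reported}'"
        rc=1
    fi
    return "$rc"
}

# --- constructed sample outputs for exercising the parsers offline ---------
# (made up for this example, not captured from a real system)
SAMPLE_PROVIDERS='Providers:
  default
    name: OpenSSL Default Provider
    version: 3.2.1
    status: active
  oqsprovider
    name: OpenSSL OQS Provider
    version: 0.6.0
    status: active'

SAMPLE_HANDSHAKE_PQ='Peer signature type: RSA-PSS
Negotiated TLS1.3 group: x25519_kyber768
Server Temp Key: x25519_kyber768, 0 bits'

SAMPLE_HANDSHAKE_CLASSICAL='Peer signature type: RSA-PSS
Negotiated TLS1.3 group: X25519
Server Temp Key: X25519, 253 bits'

# Usage inside the container:  sh pq-check.sh --live localhost:443 root.crt
if [ "${1:-}" = "--live" ]; then
    shift
    run_checks "$@"
fi
```

Inside the container, start nginx and run `sh pq-check.sh --live localhost:443 root.crt`; to probe the OQS test server instead, pass `test.openquantumsafe.org:6041` and a CA file for it. A non-zero exit means at least one check failed; the last check in particular fails when the handshake completed but the reported group is classical, which is exactly the silent-fallback case a successful `s_client` or `curl` run does not reveal.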