8347938: Add Support for the Latest ML-KEM and ML-DSA Private Key Encodings #446
rm-gh-8 wants to merge 1 commit into openjdk:master from
👋 Welcome back rmesde! A progress list of the required criteria for merging this PR into
❗ This change is not yet ready to be integrated.
This backport pull request has now been updated with issue from the original commit.
phohensee left a comment
Looks ok. Might be worth backporting JDK-8349732, even though it has a CSR, which looks like a pure addition.
@phohensee I'll ask for maintainer approval and will act based on their feedback.
/approval request for backport of JDK-8347938: Add Support for the Latest ML-KEM and ML-DSA Private Key Encodings. For parity with Oracle JDK. Medium risk — this changes the default private key encoding from expanded to seed format. Existing serialized keys in expanded format will still be readable (all three CHOICE formats are supported on input), but newly generated keys will encode differently by default. In addition, the NamedKeyFactory becoming abstract is a source-breaking change for any external subclasses.
Backporting JDK-8347938: Add Support for the Latest ML-KEM and ML-DSA Private Key Encodings.
This PR updates ML-KEM and ML-DSA private key encodings to comply with draft-ietf-lamps-kyber-certificates-11 and RFC 9881, which define private keys as a DER-encoded ASN.1 CHOICE of three formats (seed, expandedKey, or both), replacing the JDK 24 implementation that only supported the FIPS 203/204 expanded format.
This PR is not clean because it skips JDK-8349732, which introduces behavioral changes which will require a new CSR. A new file ("test/lib/jdk/test/lib/security/RepositoryFileReader.java") was added in this PR from the skipped commit, and conflicts were resolved on "test/jdk/sun/security/provider/acvp/Launcher.java".
For parity with Oracle JDK.
Ran related tests on macos-aarch64 (with kyber certificates repo):
~/github/jtreg/build/images/jtreg/bin/jtreg -jdk build/macosx-aarch64-server-release/images/jdk -Djdk.tests.repos.pattern="file:///Users/$USER/repos/lamps-wg/%n/%e" test/jdk/sun/security/provider
Results:
test result: Passed. Execution successful
PrivateKeyEncodings.jtr.txt
summary.txt (all tests)
Ran related tests on linux-x64, linux-aarch64, macos-aarch64 and windows-x64 (no kyber certificates repo):
make test TEST=test/jdk/sun/security/provider
make test TEST=test/jdk/javax/crypto/KEM
Results attached:
windows-x64-specific-test.log
windows-x64-specific-2-test.log
macos-aarch64-specific-test.log
macos-aarch64-specific-2-test.log
linux-x64-specific-test.log
linux-x64-specific-2-test.log
linux-aarch64-specific-test.log
linux-aarch64-specific-2-test.log
Reviewing
Using git
Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk25u-dev.git pull/446/head:pull/446
$ git checkout pull/446
Update a local copy of the PR:
$ git checkout pull/446
$ git pull https://git.openjdk.org/jdk25u-dev.git pull/446/head
Using Skara CLI tools
Checkout this PR locally:
$ git pr checkout 446
View PR using the GUI difftool:
$ git pr show -t 446
Using diff file
Download this PR as a diff file:
https://git.openjdk.org/jdk25u-dev/pull/446.diff
Using Webrev
Link to Webrev Comment
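Added example, not code from this PR or the JDK: a classifier that tells which of the three private-key CHOICE alternatives named in the description (seed, expandedKey, both) an encoded key uses, useful when auditing stored keys across the default-encoding change. The class and method names are hypothetical; the DER tags (0x80, 0x04, 0x30) follow the RFC 9881 ASN.1 and are not stated on this page; the input is assumed to be the contents of the PKCS#8 privateKey OCTET STRING, and the sample keys are zero-filled placeholders with ML-KEM-768 sizes.

```java
import java.io.ByteArrayOutputStream;
// Added example (hypothetical names): classify the private-key CHOICE by its DER tag.
public class PrivateKeyChoice {
    enum Format { SEED, EXPANDED_KEY, BOTH }
    // Reads a DER definite length at der[pos[0]] and advances pos[0] past it.
    static int readLength(byte[] der, int[] pos) {
        int first = der[pos[0]++] & 0xff;
        if (first < 0x80) return first;                 // short form
        int n = first & 0x7f;                           // long form: n length octets follow
        if (n == 0 || n > 3 || pos[0] + n > der.length) throw new IllegalArgumentException("bad length");
        int len = 0;
        for (int i = 0; i < n; i++) len = (len << 8) | (der[pos[0]++] & 0xff);
        return len;
    }

    // Assumption: choice holds the contents of the PKCS#8 privateKey OCTET STRING.
    static Format classify(byte[] choice) {
        if (choice.length < 2) throw new IllegalArgumentException("truncated input");
        int[] pos = {1};
        int len = readLength(choice, pos);
        if (pos[0] + len != choice.length) throw new IllegalArgumentException("length mismatch");
        switch (choice[0] & 0xff) {
            case 0x80: return Format.SEED;          // seed [0] OCTET STRING (implicit tag)
            case 0x04: return Format.EXPANDED_KEY;  // expandedKey OCTET STRING
            case 0x30: return Format.BOTH;          // both SEQUENCE { seed, expandedKey }
            default: throw new IllegalArgumentException("unknown CHOICE tag");
        }
    }

    // Builds tag + DER length + content for the constructed samples in main().
    static byte[] tlv(int tag, byte[] content) {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        out.write(tag);
        if (content.length >= 0x100) { out.write(0x82); out.write(content.length >> 8); }
        else if (content.length >= 0x80) out.write(0x81);
        out.write(content.length & 0xff);           // samples stay below 65536 bytes
        out.writeBytes(content);
        return out.toByteArray();
    }

    public static void main(String[] args) {
        // Constructed, zero-filled placeholders with ML-KEM-768 sizes; not real keys.
        byte[] seed = new byte[64], expanded = new byte[2400];
        ByteArrayOutputStream both = new ByteArrayOutputStream();
        both.writeBytes(tlv(0x04, seed));
        both.writeBytes(tlv(0x04, expanded));
        System.out.println(classify(tlv(0x80, seed)) + " " + classify(tlv(0x04, expanded))
                + " " + classify(tlv(0x30, both.toByteArray())));
    }
}
```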