BCJSSE: Don't enable ML-DSA signature schemes by default

peterdettman · peterdettman · commit 11d7ddd81ee8 · 2025-11-25T22:20:21.000+07:00
diff --git a/tls/src/main/java/org/bouncycastle/jsse/provider/SignatureSchemeInfo.java b/tls/src/main/java/org/bouncycastle/jsse/provider/SignatureSchemeInfo.java
@@ -596,11 +596,12 @@ private static int[] createCandidatesDefault()
         {
             int signatureScheme = values[i].signatureScheme;
 
-            /*
-             * SLH-DSA signing is quite slow; users will most likely be interested in it for the certificate
-             * chain, so we'll leave it to them to configure signature_algorithms_cert.
-             */
-            if (!SignatureScheme.isSLHDSA(signatureScheme))
+            if (SignatureScheme.isMLDSA(signatureScheme) ||
+                SignatureScheme.isSLHDSA(signatureScheme))
+            {
+                // For the time being, do not enable stand-alone PQ schemes by default
+            }
+            else
             {
                 result[pos++] = signatureScheme;
             }
diff --git a/tls/src/test/java/org/bouncycastle/jsse/provider/test/MLDSACredentialsTest.java b/tls/src/test/java/org/bouncycastle/jsse/provider/test/MLDSACredentialsTest.java
@@ -22,9 +22,23 @@
 public class MLDSACredentialsTest
     extends TestCase
 {
+    private static final String PROPERTY_CLIENT_SIGNATURE_SCHEMES = "jdk.tls.client.SignatureSchemes";
+    private static final String PROPERTY_SERVER_SIGNATURE_SCHEMES = "jdk.tls.server.SignatureSchemes";
+
     protected void setUp()
     {
         ProviderUtils.setupLowPriority(false);
+
+        String signatureSchemes = "mldsa44, mldsa65, mldsa87";
+
+        System.setProperty(PROPERTY_CLIENT_SIGNATURE_SCHEMES, signatureSchemes);
+        System.setProperty(PROPERTY_SERVER_SIGNATURE_SCHEMES, signatureSchemes);
+    }
+
+    protected void tearDown()
+    {
+        System.clearProperty(PROPERTY_CLIENT_SIGNATURE_SCHEMES);
+        System.clearProperty(PROPERTY_SERVER_SIGNATURE_SCHEMES);
     }
 
     private static final String HOST = "localhost";

Original file line number	Diff line number	Diff line change
`@@ -596,11 +596,12 @@ private static int[] createCandidatesDefault()`
`596`	`596`	`{`
`597`	`597`	`int signatureScheme = values[i].signatureScheme;`
`598`	`598`
`599`		`- /*`
`600`		`- * SLH-DSA signing is quite slow; users will most likely be interested in it for the certificate`
`601`		`- * chain, so we'll leave it to them to configure signature_algorithms_cert.`
`602`		`- */`
`603`		`- if (!SignatureScheme.isSLHDSA(signatureScheme))`
	`599`	`+ if (SignatureScheme.isMLDSA(signatureScheme) \|\|`
	`600`	`+ SignatureScheme.isSLHDSA(signatureScheme))`
	`601`	`+ {`
	`602`	`+ // For the time being, do not enable stand-alone PQ schemes by default`
	`603`	`+ }`
	`604`	`+ else`
`604`	`605`	`{`
`605`	`606`	`result[pos++] = signatureScheme;`
`606`	`607`	`}`