Skip to content

Add Composite ML-DSA support for HTTPS #63280

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 15, 2025
Merged

Add Composite ML-DSA support for HTTPS #63280

merged 2 commits into from
Aug 15, 2025

Conversation

@MackinnonBuck
Copy link
Member

@MackinnonBuck MackinnonBuck commented Aug 15, 2025

Follow-up to #62866 with support for Composite ML-DSA.

Tests are included, but disabled because certificate generation for composite ML-DSA is not currently implemented.

Fixes #62030

Copilot AI review requested due to automatic review settings August 15, 2025 18:41
@github-actions github-actions bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Aug 15, 2025
Copilot AI reviewed Aug 15, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for Composite ML-DSA (Machine Learning Digital Signature Algorithm) to HTTPS in Kestrel. This follows up on previous work to enable post-quantum cryptographic support in the ASP.NET Core web server.

  • Adds support for all 18 Composite ML-DSA algorithm variants for certificate loading and test generation
  • Refactors existing test infrastructure to use shared dictionaries for algorithm definitions
  • Includes comprehensive tests (disabled due to certificate generation limitations)

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
KestrelConfigurationLoaderTests.cs Refactors algorithm handling and adds Composite ML-DSA test support with shared dictionaries
CertificateConfigLoader.cs Adds OID constants and certificate loading logic for all 18 Composite ML-DSA variants

MackinnonBuck
MackinnonBuck commented Aug 15, 2025
View reviewed changes
src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs
Comment on lines +687 to +691
private static readonly Dictionary<string, MLDsaAlgorithm> _mlDsaAlgorithms = ((IEnumerable<MLDsaAlgorithm>)[
MLDsaAlgorithm.MLDsa44,
MLDsaAlgorithm.MLDsa65,
MLDsaAlgorithm.MLDsa87,
]).ToDictionary(a => a.Name);
Copy link
Member Author

@MackinnonBuck MackinnonBuck Aug 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This refactor allows us to add more algorithms to test without having to repeat the algorithm name in 3 different places.

BrennanConroy
BrennanConroy reviewed Aug 15, 2025
View reviewed changes
src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs Outdated
const string SlhDsaShake_256sOid = "2.16.840.1.101.3.4.3.30";
const string SlhDsaShake_256fOid = "2.16.840.1.101.3.4.3.31";

const string MLDsa44WithRSA2048PssPreHashSha256Oid = "2.16.840.1.114027.80.9.0";
Copy link
Member

@BrennanConroy BrennanConroy Aug 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These seem wrong? Ref https://datatracker.ietf.org/doc/draft-ietf-lamps-pq-composite-sigs/

<CompSig> is equal to 2.16.840.1.114027.80.9.1
id-MLDSA44-RSA2048-PSS-SHA256|<CompSig>.0

That would equal 2.16.840.1.114027.80.9.1.0

Copy link
Member Author

@MackinnonBuck MackinnonBuck Aug 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Wow, good catch. We should probably fix https://github.com/dotnet/runtime/blob/f514fa50f3385d28fad10d3e1ef5b75a8dfa84f5/src/libraries/Common/src/System/Security/Cryptography/Oids.cs#L138-L155 then (that's where I copied these from).

cc @bartonjs, @PranavSenthilnathan

Copy link
Member Author

@MackinnonBuck MackinnonBuck Aug 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

dotnet/runtime#118795

@MackinnonBuck MackinnonBuck mentioned this pull request Aug 15, 2025
Merged
@MackinnonBuck MackinnonBuck enabled auto-merge (squash) August 15, 2025 20:23
halter73
halter73 approved these changes Aug 15, 2025
View reviewed changes
Copy link
Member

@halter73 halter73 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good catch @BrennanConroy!

@MackinnonBuck MackinnonBuck merged commit 52453ff into main Aug 15, 2025
29 checks passed
@MackinnonBuck MackinnonBuck deleted the mbuck/composite-mldsa branch August 15, 2025 20:49
@dotnet-policy-service dotnet-policy-service bot added this to the 10.0-rc1 milestone Aug 15, 2025
@build-analysis build-analysis bot mentioned this pull request Aug 15, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@halter73 halter73 halter73 approved these changes

@BrennanConroy BrennanConroy BrennanConroy approved these changes

@JamesNK JamesNK Awaiting requested review from JamesNK JamesNK is a code owner

Assignees

No one assigned

Labels

area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions

Projects

None yet

Milestone

10.0-rc1

Development

Successfully merging this pull request may close these issues.

Support PQC certificates for HTTPS

4 participants

@MackinnonBuck @halter73 @BrennanConroy