RFR: 8349759: Fix CertificateBuilder and SimpleOCSPServer test utilities to support PQC algorithms
Jamil Nimeh
jnimeh at openjdk.org
Tue Feb 11 23:55:11 UTC 2025
On Tue, 11 Feb 2025 17:50:45 GMT, Jamil Nimeh <jnimeh at openjdk.org> wrote:
> This fix makes some minor changes to the internals of the `CertificateBuilder` and `SimpleOCSPServer` test classes. They would break when ML-DSA was selected as key and signing algorithms. Also RSASSA-PSS works better now with these changes. I've also taken this opportunity to do some cleanup on CertificateBuilder and added a method which uses a default signing algorithm based on the key, so the `build()` method no longer needs to provide that algorithm (though one can if they wish for things like RSA signatures if they want a different message digest in the signature).
I see no reason why an ECDSA end-entity key wouldn't work when signed from an ML-DSA root. To be clear, this just fixes these test classes I wrote a long time ago where the creation of signatures on certs and OCSP responses just wasn't done in a manner as algorithm-neutral as I intended it to be. As far as I've seen since the inclusion of ML-DSA, CertPathValidator operations seem to work just fine. I haven't gone looking to see who in the 3rd party world is doing ML-DSA certs...the goal of this PR was to make sure that we could simply build those cert chains for use with our tests, especially where we needed an OCSP server.
-------------
PR Comment: https://git.openjdk.org/jdk/pull/23566#issuecomment-2652318099
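An added illustration of the idea in the quoted description, choosing a default signing algorithm from the key and then signing algorithm-neutrally. It is not the PR's code or the `CertificateBuilder` API: `defaultSigAlg`, `signAndVerify`, the digest-by-curve-size policy and the PSS parameters are assumptions made for this sketch, which uses only standard JCA calls.

```java
import java.security.*;
import java.security.interfaces.ECKey;
import java.security.spec.*;

public class DefaultSigAlgDemo {
    // Assumed PSS parameters for this demo: SHA-256, MGF1-SHA-256, 32-byte salt.
    static final PSSParameterSpec PSS =
            new PSSParameterSpec("SHA-256", "MGF1", MGF1ParameterSpec.SHA256, 32, 1);
    // Hypothetical helper: derive a signature algorithm name from the signing key.
    static String defaultSigAlg(PrivateKey key) {
        String alg = key.getAlgorithm();
        switch (alg) {
            case "RSA":
                return "SHA256withRSA";
            case "EC":
                // Assumed policy: match the digest to the size of the curve order.
                int bits = ((ECKey) key).getParams().getOrder().bitLength();
                return bits > 384 ? "SHA512withECDSA"
                     : bits > 256 ? "SHA384withECDSA" : "SHA256withECDSA";
            default:
                // RSASSA-PSS, EdDSA and ML-DSA: the signature name equals the key name.
                return alg;
        }
    }
    static boolean signAndVerify(KeyPair kp, byte[] data) throws GeneralSecurityException {
        String sigAlg = defaultSigAlg(kp.getPrivate());
        Signature signer = Signature.getInstance(sigAlg);
        signer.initSign(kp.getPrivate());
        if (sigAlg.equals("RSASSA-PSS")) signer.setParameter(PSS); // PSS needs explicit params
        signer.update(data);
        byte[] sig = signer.sign();
        Signature verifier = Signature.getInstance(sigAlg);
        verifier.initVerify(kp.getPublic());
        if (sigAlg.equals("RSASSA-PSS")) verifier.setParameter(PSS);
        verifier.update(data);
        return verifier.verify(sig);
    }
    public static void main(String[] args) throws Exception {
        byte[] tbs = "constructed to-be-signed bytes".getBytes("UTF-8");
        for (String keyAlg : new String[] {"RSA", "RSASSA-PSS", "EC", "Ed25519", "ML-DSA"}) {
            try {
                KeyPair kp = KeyPairGenerator.getInstance(keyAlg).generateKeyPair();
                String sigAlg = defaultSigAlg(kp.getPrivate());
                System.out.println(keyAlg + " -> " + sigAlg + " verified=" + signAndVerify(kp, tbs));
            } catch (NoSuchAlgorithmException e) {
                System.out.println(keyAlg + " not available on this JDK"); // ML-DSA needs JDK 24+
            }
        }
    }
}
```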