RFR: 8349732: Add support for JARs signed with ML-DSA [v12]

Sean Mullan mullan at openjdk.org
Thu Nov 6 19:34:08 UTC 2025 

On Wed, 5 Nov 2025 14:32:51 GMT, Weijun Wang <weijun at openjdk.org> wrote:

>> Add support for ML-DSA signing of JAR files.
>> 
>> ~Note: https://datatracker.ietf.org/doc/draft-ietf-lamps-cms-ml-dsa/ is not finalized.~
>> 
>> Update: it is published as https://datatracker.ietf.org/doc/rfc9882/.
>
> Weijun Wang has updated the pull request incrementally with two additional commits since the last revision:
> 
>  - rename DataFecther to RepositoryFileReader
>  - more comments for DataFetcher

test/jdk/sun/security/pkcs/pkcs7/DigestConformance.java line 47:

> 45: import java.util.Map;
> 46: 
> 47: public class DigestConformance {

Maybe call this `MLDSADigestConformance` or are you thinking you will enhance it to support EdDSA, etc?

test/jdk/sun/security/provider/pqc/ML_DSA_CMS.java line 50:

> 48:         // See https://datatracker.ietf.org/doc/html/rfc9882#name-examples
> 49:         try (var cmsReader = RepositoryFileReader.of(CMS_ML_DSA.class,
> 50:                     "cms-ml-dsa-draft-ietf-lamps-cms-ml-dsa-07/");

Can we call this "RFC9882" instead?

test/jdk/sun/security/provider/pqc/ML_DSA_CMS.java line 52:

> 50:                     "cms-ml-dsa-draft-ietf-lamps-cms-ml-dsa-07/");
> 51:             var dsaReader = RepositoryFileReader.of(DILITHIUM_CERTIFICATES.class,
> 52:                     "dilithium-certificates-draft-ietf-lamps-dilithium-certificates-13/")) {

Similarly, can we call this "RFC9881"?

test/jdk/sun/security/tools/jarsigner/ML_DSA.java line 81:

> 79:                 jf.getInputStream(je).readAllBytes();
> 80:                 Asserts.assertEquals(1, je.getCertificates().length);
> 81:                 checkDigestAlgorithm(jf, signer, KnownOIDs.SHA_512);

So there is currently no way to specify a different digest algorithm?

-------------

PR Review Comment: https://git.openjdk.org/jdk/pull/26563#discussion_r2500494559
PR Review Comment: https://git.openjdk.org/jdk/pull/26563#discussion_r2500459775
PR Review Comment: https://git.openjdk.org/jdk/pull/26563#discussion_r2500464197
PR Review Comment: https://git.openjdk.org/jdk/pull/26563#discussion_r2500534760

More information about the security-dev mailing list