Enable revocation list tests for ML-DSA and SLH-DSA #115254

Open. Wants to merge 2 commits into base: main.

Conversation

PranavSenthilnathan (Member)

Add ML-DSA and SLH-DSA to the list of tested algorithms for revocation.

@Copilot Copilot AI (Contributor) left a comment

Pull Request Overview

This PR extends the supported revocation list tests to include the ML-DSA and SLH-DSA algorithms by updating key factory definitions and certificate-related functions.

  • Introduces a new key factory for SLH-DSA.
  • Updates the build variant factories to include both ML-DSA and SLH-DSA.
  • Enhances certificate creation and signature generation to support the new SLH-DSA algorithm.

Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs (Member) commented May 6, 2025

Looks like this is introducing some test failures (a few SslStream tests seem to be waking up to ML-DSA and SLH-DSA? Though that seems surprising...):

    System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.FetchOcspResponse_NoExpiration_Success [FAIL]
      System.NotSupportedException : The server mode SSL must use a certificate with the associated private key.
      Stack Trace:
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs(84,0): at System.Net.Security.SslStreamCertificateContext..ctor(X509Certificate2 target, ReadOnlyCollection`1 intermediates, SslCertificateTrust trust)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(150,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust, Boolean noOcspFetch)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(32,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust)
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(248,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.<>c__DisplayClass9_1.<SimpleTest>b__0(Boolean offline)
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(41,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.<>c.<<FetchOcspResponse_NoExpiration_Success>b__1_0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(254,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.SimpleTest(PkiOptions pkiOptions, RunSimpleTest callback, String callerName, Boolean pkiOptionsInTestName)
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(37,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.FetchOcspResponse_NoExpiration_Success()
        --- End of stack trace from previous location ---

If it's that PQC certs are making it into the tests, we can either make those tests pick RSA (sad) or insert the ML-DSA/SLH-DSA calls into

@vcsjones (Member) commented May 7, 2025

Though that seems surprising...

Especially because as far as I know, nothing in CI has OpenSSL 3.5 yet (does it?) so it feels like an IsSupported check is missing or not doing the right thing.

3 participants