Add PQC support for SslStreamCertificateContext and fix test #115254


Merged: 4 commits, May 7, 2025

Conversation

PranavSenthilnathan (Member) commented May 2, 2025

Add ML-DSA and SLH-DSA to the list of tested algorithms for revocation.

Tests now exercise SslStreamCertificateContext with PQC certs so this PR also updates it to know about them.

Copilot AI (Contributor) left a comment


Pull Request Overview

This PR extends the supported revocation list tests to include the ML-DSA and SLH-DSA algorithms by updating key factory definitions and certificate-related functions.

  • Introduces a new key factory for SLH-DSA.
  • Updates the build variant factories to include both ML-DSA and SLH-DSA.
  • Enhances certificate creation and signature generation to support the new SLH-DSA algorithm.

Contributor commented:

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

bartonjs (Member) commented May 6, 2025

Looks like this is introducing some test failures (a few SslStream tests seem to be waking up to ML-DSA and SLH-DSA? Though that seems surprising...):

    System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.FetchOcspResponse_NoExpiration_Success [FAIL]
      System.NotSupportedException : The server mode SSL must use a certificate with the associated private key.
      Stack Trace:
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.Linux.cs(84,0): at System.Net.Security.SslStreamCertificateContext..ctor(X509Certificate2 target, ReadOnlyCollection`1 intermediates, SslCertificateTrust trust)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(150,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust, Boolean noOcspFetch)
        /_/src/libraries/System.Net.Security/src/System/Net/Security/SslStreamCertificateContext.cs(32,0): at System.Net.Security.SslStreamCertificateContext.Create(X509Certificate2 target, X509Certificate2Collection additionalCertificates, Boolean offline, SslCertificateTrust trust)
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(248,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.<>c__DisplayClass9_1.<SimpleTest>b__0(Boolean offline)
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(41,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.<>c.<<FetchOcspResponse_NoExpiration_Success>b__1_0>d.MoveNext()
        --- End of stack trace from previous location ---
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(254,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.SimpleTest(PkiOptions pkiOptions, RunSimpleTest callback, String callerName, Boolean pkiOptionsInTestName)
        /_/src/libraries/System.Net.Security/tests/UnitTests/SslStreamCertificateContextOcspLinuxTests.cs(37,0): at System.Net.Security.Tests.SslStreamCertificateContextOcspLinuxTests.FetchOcspResponse_NoExpiration_Success()
        --- End of stack trace from previous location ---

If it's that PQC certs are making it into the tests, we can either make those tests pick RSA (sad) or insert the ML-DSA/SLH-DSA calls into

vcsjones (Member) commented May 7, 2025

Though that seems surprising...

Especially because, as far as I know, nothing in CI has OpenSSL 3.5 yet (does it?), so it feels like an IsSupported check is missing or not doing the right thing.
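As an added illustration (not code from this PR or from dotnet/runtime), the two prerequisites the thread above turns on, sketched in C#: gating PQC algorithms on platform support so a CI image without OpenSSL 3.5 skips them instead of failing, and checking that the server certificate carries its private key before SslStreamCertificateContext.Create is reached, which is the NotSupportedException in the stack trace. It assumes the .NET 10 MLDsa.IsSupported and SlhDsa.IsSupported static properties (experimental at the time of writing, hence the pragma); the PqcSupport class and its members are hypothetical names chosen here.

```csharp
using System;
using System.Collections.Generic;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Assumption: the PQC types are marked experimental (SYSLIB5006) in .NET 10
// previews; the pragma only silences that diagnostic so the sample compiles.
#pragma warning disable SYSLIB5006

// Hypothetical helper, not part of dotnet/runtime.
internal static class PqcSupport
{
    // Assumed API: IsSupported reports whether the underlying crypto library
    // (OpenSSL 3.5+ on Linux) implements the algorithm on this machine.
    public static bool MLDsaAvailable => MLDsa.IsSupported;
    public static bool SlhDsaAvailable => SlhDsa.IsSupported;

    // Algorithms a test matrix may exercise: classical ones always, PQC ones
    // only where supported. A test that enumerates this list never hands an
    // ML-DSA or SLH-DSA cert to code that cannot load its private key.
    public static IEnumerable<string> SupportedSignatureAlgorithms()
    {
        yield return "RSA";
        yield return "ECDSA";
        if (MLDsaAvailable) yield return "ML-DSA";
        if (SlhDsaAvailable) yield return "SLH-DSA";
    }

    // Guard mirroring the failure in the thread: the server-side context
    // requires the certificate's private key regardless of algorithm, so
    // fail early with a precise message rather than deep inside Create.
    public static bool TryCreateServerContext(
        X509Certificate2 cert, out SslStreamCertificateContext? context, out string reason)
    {
        context = null;
        if (!cert.HasPrivateKey)
        {
            reason = $"certificate {cert.Subject} has no associated private key";
            return false;
        }

        // offline: true skips the OCSP fetch, so this works without network.
        context = SslStreamCertificateContext.Create(cert, additionalCertificates: null, offline: true);
        reason = "ok";
        return true;
    }
}

internal static class Program
{
    private static void Main()
    {
        Console.WriteLine("Algorithms usable on this platform: " +
            string.Join(", ", PqcSupport.SupportedSignatureAlgorithms()));

        // Constructed sample: a throwaway self-signed RSA certificate.
        using RSA rsa = RSA.Create(2048);
        var req = new CertificateRequest("CN=pqc-sample", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        DateTimeOffset now = DateTimeOffset.UtcNow;
        using X509Certificate2 withKey = req.CreateSelfSigned(now.AddMinutes(-5), now.AddDays(1));

        // Public-only copy: the same shape as a cert whose key the platform
        // could not load, which is what the failing test ran into.
        using X509Certificate2 publicOnly =
            X509CertificateLoader.LoadCertificate(withKey.Export(X509ContentType.Cert));

        foreach (X509Certificate2 cert in new[] { withKey, publicOnly })
        {
            bool ok = PqcSupport.TryCreateServerContext(cert, out _, out string reason);
            Console.WriteLine($"HasPrivateKey={cert.HasPrivateKey} -> context created: {ok} ({reason})");
        }
    }
}
```

Running it on a platform without OpenSSL 3.5 lists only RSA and ECDSA, and the second iteration of the loop reports the missing private key before SslStreamCertificateContext.Create is ever called.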

bartonjs (Member) commented May 7, 2025

nothing in CI has OpenSSL 3.5 yet (does it?)

The log says mcr.microsoft.com/dotnet-buildtools/prereqs:centos-stream-10-helix-amd64 and https://pkgs.org/search/?q=openssl-libs says 3.5 is available on Stream 10... maybe we got it?

I think I also see SlhDsaImplementationTests results in https://dev.azure.com/dnceng-public/public/_build/results?buildId=1032619&view=ms.vss-test-web.build-test-results-tab&runId=27735836&paneView=debug&resultId=203683 (if you select also tests that passed), on Centos 10 and Debian 13...

@PranavSenthilnathan PranavSenthilnathan changed the title Enable revocation list tests for ML-DSA and SLH-DSA Add PQC support for SslStreamCertificateContext and fix test May 7, 2025
@bartonjs bartonjs merged commit ed8142a into dotnet:main May 7, 2025
87 checks passed