This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new 7f6dc98031 Add hybrid PQC support for OpenSSL 3.5
7f6dc98031 is described below
commit 7f6dc980314e2837313ee001b703b5c9aa9936e1
Author: remm <[email protected]>
AuthorDate: Thu Sep 4 16:18:46 2025 +0200
Add hybrid PQC support for OpenSSL 3.5
This adds any of the PQC certificates to the other SSL contexts. Each
certificate still gets its own SSL context. The PQC certificate will
never be selected by itself for a handshake.
This technique is simple but will likely remain OpenSSL specific. The
code is clearly separate and could be refactored out if a more general
solution is implemented for JSSE.
Based on PR#888.
Based itself on the current mod_ssl code for doing hybrid PQC
handshakes.
---
.../tomcat/util/net/AbstractJsseEndpoint.java | 34 +++++++++++++++++++++-
.../apache/tomcat/util/net/LocalStrings.properties | 1 +
.../tomcat/util/net/SSLHostConfigCertificate.java | 3 +-
java/org/apache/tomcat/util/net/SSLUtil.java | 10 +++++++
.../util/net/openssl/LocalStrings.properties | 1 +
.../tomcat/util/net/openssl/OpenSSLUtil.java | 10 +++++++
.../net/openssl/panama/LocalStrings.properties | 1 +
.../util/net/openssl/panama/OpenSSLContext.java | 2 +-
.../util/net/openssl/panama/OpenSSLUtil.java | 18 ++++++++++++
webapps/docs/changelog.xml | 10 +++++++
10 files changed, 87 insertions(+), 3 deletions(-)
diff --git a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
index c1b095e8fa..81c6d2b827 100644
--- a/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
+++ b/java/org/apache/tomcat/util/net/AbstractJsseEndpoint.java
@@ -29,6 +29,7 @@ import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import org.apache.tomcat.util.compat.JreCompat;
+import org.apache.tomcat.util.net.openssl.OpenSSLStatus;
import org.apache.tomcat.util.net.openssl.ciphers.Cipher;
public abstract class AbstractJsseEndpoint<S, U> extends AbstractEndpoint<S,U>
{
@@ -84,6 +85,24 @@ public abstract class AbstractJsseEndpoint<S, U> extends
AbstractEndpoint<S,U> {
@Override
protected void createSSLContext(SSLHostConfig sslHostConfig) throws
IllegalArgumentException {
+ boolean useHybridSslContext = false;
+ if (sslHostConfig.getProtocols().contains(Constants.SSL_PROTO_TLSv1_3)
&& OpenSSLStatus.isAvailable()) {
+ // If TLS 1.3 is enabled, check if a hybrid scheme using a single
SSL context
+ // should be attempted
+ boolean nonMldsaFound = false;
+ boolean mldsaFound = false;
+ for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
+ if
(certificate.getType().equals(SSLHostConfigCertificate.Type.MLDSA)) {
+ mldsaFound = true;
+ } else {
+ nonMldsaFound = true;
+ }
+ }
+ if (mldsaFound && nonMldsaFound) {
+ useHybridSslContext = true;
+ }
+ }
+
boolean firstCertificate = true;
for (SSLHostConfigCertificate certificate :
sslHostConfig.getCertificates(true)) {
SSLUtil sslUtil = sslImplementation.getSSLUtil(certificate);
@@ -105,14 +124,27 @@ public abstract class AbstractJsseEndpoint<S, U> extends
AbstractEndpoint<S,U> {
try {
sslContext = sslUtil.createSSLContext(negotiableProtocols);
} catch (Exception e) {
- throw new IllegalArgumentException(e.getMessage(), e);
+ throw new
IllegalArgumentException(sm.getString("endpoint.errorCreatingSSLContext"), e);
}
certificate.setSslContextGenerated(sslContext);
}
+ // If using a hybrid scheme, add any MLDSA certificates to all
other SSL contexts
+ if (useHybridSslContext &&
!certificate.getType().equals(SSLHostConfigCertificate.Type.MLDSA)) {
+ for (SSLHostConfigCertificate certificateToAdd :
sslHostConfig.getCertificates(true)) {
+ // Add additional certificate to all non MLDSA contexts
+ if
(certificateToAdd.getType().equals(SSLHostConfigCertificate.Type.MLDSA)) {
+ if (!sslUtil.addSecondCertificate(sslContext,
certificateToAdd)) {
+ throw new
IllegalArgumentException(sm.getString("endpoint.errorCreatingSSLContext"));
+ }
+ }
+ }
+ }
+
logCertificate(certificate);
}
+
}
diff --git a/java/org/apache/tomcat/util/net/LocalStrings.properties
b/java/org/apache/tomcat/util/net/LocalStrings.properties
index fe45d03653..5a20bd58e9 100644
--- a/java/org/apache/tomcat/util/net/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/LocalStrings.properties
@@ -90,6 +90,7 @@ endpoint.err.close=Caught exception trying to close socket
endpoint.err.duplicateAccept=Duplicate socket accept detected. This is a known
Linux kernel bug. The original connection has been processed normally and the
duplicate has been ignored. The client should be unaffected. Updating the OS to
a version that uses kernel 5.10 or later should fix the duplicate accept bug.
endpoint.err.handshake=Handshake failed for client connection from IP address
[{0}] and port [{1}]
endpoint.err.unexpected=Unexpected error processing socket
+endpoint.errorCreatingSSLContext=Error creating SSLContext
endpoint.executor.fail=Executor rejected socket [{0}] for processing
endpoint.getAttribute=[{0}] is [{1}]
endpoint.init.bind=Socket bind failed: [{0}] [{1}]
diff --git a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
index 7b68844d06..e7f8d628e4 100644
--- a/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
+++ b/java/org/apache/tomcat/util/net/SSLHostConfigCertificate.java
@@ -317,7 +317,8 @@ public class SSLHostConfigCertificate implements
Serializable {
UNDEFINED,
RSA(Authentication.RSA),
DSA(Authentication.DSS),
- EC(Authentication.ECDH, Authentication.ECDSA);
+ EC(Authentication.ECDH, Authentication.ECDSA),
+ MLDSA;
private final Set<Authentication> compatibleAuthentications;
diff --git a/java/org/apache/tomcat/util/net/SSLUtil.java
b/java/org/apache/tomcat/util/net/SSLUtil.java
index da89dddb20..7a9c32dc4a 100644
--- a/java/org/apache/tomcat/util/net/SSLUtil.java
+++ b/java/org/apache/tomcat/util/net/SSLUtil.java
@@ -90,4 +90,14 @@ public interface SSLUtil {
*/
String getNegotiatedProtocol();
}
+
+ /**
+ * Add a second certificate to an existing context, to enable hybrid TLS
1.3 handshakes.
+ * @param context the existing context
+ * @param certificate the second certificate to add
+ * @return true if supported by the context
+ */
+ default boolean addSecondCertificate(SSLContext context,
SSLHostConfigCertificate certificate) {
+ return false;
+ }
}
diff --git a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
index 61d88c2959..2dcef71a83 100644
--- a/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/LocalStrings.properties
@@ -54,6 +54,7 @@ openssl.keyManagerMissing.warn=No key manager found. TLS will
work but the certi
openssl.makeConf=Creating OpenSSLConf context
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not
valid and JSSE requires a valid certificate chain so attempting to use OpenSSL
directly
+openssl.secondCertificateError=Error adding second certificate to OpenSSL
context
openssl.trustManagerMissing=No trust manager found
opensslconf.applyCommand=OpenSSLConf applying command (name [{0}], value [{1}])
diff --git a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
index 1c31d7e970..2112fa8674 100644
--- a/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/OpenSSLUtil.java
@@ -136,4 +136,14 @@ public class OpenSSLUtil extends SSLUtilBase {
}
}
+ @Override
+ public boolean addSecondCertificate(SSLContext context,
SSLHostConfigCertificate certificate) {
+ try {
+ ((OpenSSLContext) context).addCertificate(certificate);
+ return true;
+ } catch (Exception e) {
+ throw new
IllegalArgumentException(sm.getString("openssl.secondCertificateError"), e);
+ }
+ }
+
}
diff --git
a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
index e1c58ce12e..5e4f66af2a 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
+++ b/java/org/apache/tomcat/util/net/openssl/panama/LocalStrings.properties
@@ -70,6 +70,7 @@ openssl.noCACerts=No CA certificates were configured
openssl.nonJsseCertificate=The certificate [{0}] or its private key [{1}]
could not be processed using a JSSE key manager and will be given directly to
OpenSSL
openssl.nonJsseChain=The certificate chain [{0}] was not specified or was not
valid and JSSE requires a valid certificate chain so attempting to use OpenSSL
directly
openssl.passwordTooLong=The certificate password is too long
+openssl.secondCertificateError=Error adding second certificate to OpenSSL
context
openssl.setCustomDHParameters=Setting custom DH parameters ([{0}] bits) for
the key [{1}]
openssl.setECDHCurve=Setting ECDH curve ([{0}]) for the key [{1}]
openssl.trustManagerMissing=No trust manager found
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
index bb2f916567..2d7d654357 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLContext.java
@@ -874,7 +874,7 @@ public class OpenSSLContext implements
org.apache.tomcat.util.net.SSLContext {
}
- private boolean addCertificate(SSLHostConfigCertificate certificate, Arena
localArena) throws Exception {
+ public boolean addCertificate(SSLHostConfigCertificate certificate, Arena
localArena) throws Exception {
int index = getCertificateIndex(certificate);
// Load Server key and certificate
if (certificate.getCertificateFile() != null) {
diff --git a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
index 3475190e5a..955d0aba0d 100644
--- a/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
+++ b/java/org/apache/tomcat/util/net/openssl/panama/OpenSSLUtil.java
@@ -17,6 +17,7 @@
package org.apache.tomcat.util.net.openssl.panama;
import java.io.IOException;
+import java.lang.foreign.Arena;
import java.security.KeyException;
import java.security.KeyStoreException;
import java.util.List;
@@ -106,4 +107,21 @@ public class OpenSSLUtil extends SSLUtilBase {
}
}
+
+ @Override
+ public boolean addSecondCertificate(SSLContext context,
SSLHostConfigCertificate certificate) {
+ try (var localArena = Arena.ofConfined()) {
+ try {
+ if (((OpenSSLContext) context).addCertificate(certificate,
localArena)) {
+ return true;
+ } else {
+ log.warn(sm.getString("openssl.secondCertificateError"));
+ return false;
+ }
+ } catch (Exception e) {
+ throw new
IllegalArgumentException(sm.getString("openssl.secondCertificateError"), e);
+ }
+ }
+ }
+
}
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2e39222746..ebf80f71dc 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,16 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.110 (remm)" rtext="in development">
+ <subsection name="Coyote">
+ <changelog>
+ <update>
+ Add hybrid PQC support to OpenSSL, based on code from
+ <code>mod_ssl</code>. Using this OpenSSL specific code path,
+ additional PQC certificates defined with type <code>MLDSA</code> are
+ added to contexts which use classic certificates. (jfclere/remm)
+ </update>
+ </changelog>
+ </subsection>
</section>
<section name="Tomcat 9.0.109 (remm)" rtext="release in progress">
<subsection name="Catalina">
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
