Skip to content

Add PQC certificate support for HTTPS #62866

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Aug 15, 2025
Merged

Add PQC certificate support for HTTPS #62866

merged 7 commits into from
Aug 15, 2025

Conversation

MackinnonBuck
Copy link
Member

@MackinnonBuck MackinnonBuck commented Jul 22, 2025
edited
Loading

Add PQC certificate support for HTTPS

Opening initially as a draft:

  • SLH-DSA tests will be skipped until SLH-DSA is supported by Windows
  • Composite ML-DSA support isn't fully implemented in the BCL yet

Note that, as of the time of writing, a Windows Insider Build (Canary) is required in order for the ML-DSA tests to pass.

Fixes #62030

@github-actions github-actions bot added the area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions label Jul 22, 2025
@BrennanConroy
Copy link
Member

Should we try to get this in for RC1?

@MackinnonBuck MackinnonBuck marked this pull request as ready for review August 14, 2025 20:24
@Copilot Copilot AI review requested due to automatic review settings August 14, 2025 20:24
Copilot
Copilot AI reviewed Aug 14, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for Post-Quantum Cryptography (PQC) certificates in HTTPS configuration by supporting ML-DSA and SLH-DSA signature algorithms alongside existing RSA and ECDSA support. The implementation includes both certificate loading functionality and comprehensive test coverage.

Key changes include:

  • Added PQC certificate support in the certificate configuration loader with OID mappings for ML-DSA and SLH-DSA variants
  • Replaced hardcoded test certificates with dynamic generation to support multiple signature algorithms
  • Enhanced test coverage to validate PQC certificate loading with both encrypted and unencrypted keys

Reviewed Changes

Copilot reviewed 8 out of 10 changed files in this pull request and generated no comments.

File Description
src/Shared/TestCertificates/https-*.pem and https-*.key Removed hardcoded RSA and ECDSA test certificates to be replaced with dynamic generation
src/Servers/Kestrel/Core/src/Internal/Certificates/CertificateConfigLoader.cs Added PQC algorithm support with OID mappings and import methods for ML-DSA and SLH-DSA
src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs Refactored tests to dynamically generate certificates for multiple algorithms including PQC variants

BrennanConroy
BrennanConroy approved these changes Aug 14, 2025
View reviewed changes
src/Servers/Kestrel/Kestrel/test/KestrelConfigurationLoaderTests.cs
}
else
{
// For all other algorithms, we generate the certificate and key dynamically, saving them
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🥳

@build-analysis build-analysis bot mentioned this pull request Aug 14, 2025
Open
@MackinnonBuck MackinnonBuck merged commit d0cd690 into main Aug 15, 2025
29 checks passed
@MackinnonBuck MackinnonBuck deleted the mbuck/pqc branch August 15, 2025 15:34
@dotnet-policy-service dotnet-policy-service bot added this to the 10.0-rc1 milestone Aug 15, 2025
@MackinnonBuck MackinnonBuck mentioned this pull request Aug 15, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@BrennanConroy BrennanConroy BrennanConroy approved these changes

@DeagleGross DeagleGross DeagleGross approved these changes

@halter73 halter73 Awaiting requested review from halter73 halter73 is a code owner

@JamesNK JamesNK Awaiting requested review from JamesNK JamesNK is a code owner

Assignees
No one assigned
Labels
area-networking Includes servers, yarp, json patch, bedrock, websockets, http client factory, and http abstractions
Projects
None yet
Milestone
10.0-rc1
Development

Successfully merging this pull request may close these issues.

Support PQC certificates for HTTPS
3 participants
@MackinnonBuck @BrennanConroy @DeagleGross