Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Tls injection mechanism #1517

Open
wants to merge 19 commits into
base: main
Choose a base branch
from
Open

Tls injection mechanism #1517

wants to merge 19 commits into from

Conversation

sergejskozlovics
Copy link

I have developed a TLS injection mechanism. It can be used to inject PQC algorithms (KEMs and signature algorithms) into TLS 1.3. The injection mechanism is located in the org.bouncycastle.tls.injection package, where the InjectionPoint class has been defined. Then, there are many places where InjectionPoint is consulted for injected KEMs and signature algorithms, which are added to the corresponding lists of supported TLS algorithms.

@sergejskozlovics
Added multiples classes implementing the TLS injection mechanism in BC
afe7f4e
@sergejskozlovics
Added code that makes injected KEMs visible to TLS
33abb91
@sergejskozlovics
Re-implemented NamedGroupInfo to support injected KEMs
006ee29
@sergejskozlovics
Re-implemented SignatureSchemeInfo to support injected Sig Algs
04d11e6
@sergejskozlovics
added injected KEMs to the TLS supported groups extension
2c97329
@sergejskozlovics
adding injected KEMs and signature algorithms to the list of supporte…
77b40de 
…d by TLS
@sergejskozlovics
using KEM as a TlsAgreement
d9c4416
@sergejskozlovics
adding injected KEMs and signature algorithms to JcaTlsCrypto
fa0b30b
@sergejskozlovics
Added code that makes signature algorithms (injected via InjectionPoi…
c433374 
…nt) visible to TLS
@sergejskozlovics
Adding support for injected algorithms (via InjectionPoint) to the BC…
7450b06 
… PQC provider. PQC algorithms now can be loaded without reflection (useful when compiling with GraalVM native-image).
@peterdettman
Copy link
Collaborator

Hi Sergejs, thanks for the PR. It will be a while before a full review can be done, but on a first pass I have seen some basic issues:

  • core project cannot depend on tls project (only the reverse). So I guess the basic injection concept would have to live in core and be used/built-upon by tls.
  • tls project supports still minimum java version 5 (actually we still build also for jdk 1.4 with org.bouncycastle.tls classes only - no JSSE). I see at least some usage of Java 8 stream API, which should be replaced, and perhaps there are others. There are src/main/jdk??? folders to provide multi-release override classes if needed.
  • There's some incidental reformatting that should be removed from the patch; I see various imports collapsed to ".*", braces moved, some switch case indentation, and there's probably more.

We are certainly interested in getting PQC algorithms into TLS, but our intention would be to proceed by publishing algorithms in the BC provider as usual, then having TLS add the registrar entries from the relevant standards and support them when it can find the algorithm via the provider. Perhaps you could comment a little about what you have in mind in terms of the basic "injection" idea here, particularly in comparison to the existing provider-based mechanism.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@sergejskozlovics @peterdettman