jdk icon indicating copy to clipboard operation
jdk copied to clipboard

Published 20 hours ago verified publisher icon openjdk

8347938: Switch to latest ML-KEM private key encoding

Open wangweij opened this issue 6 months ago • 11 comments
trafficstars

The private key encoding formats of ML-KEM and ML-DSA are updated to match the latest IETF drafts at: https://datatracker.ietf.org/doc/html/draft-ietf-lamps-dilithium-certificates-11 and https://datatracker.ietf.org/doc/html/draft-ietf-lamps-kyber-certificates-10. New security/system properties are introduced to determine which CHOICE a private key is encoded when a new key pair is generated or when KeyFactory::translateKey is called.

Both the encoding and the expanded format are stored inside a NamedPKCS8Key now. When loading from a PKCS #8 key, the expanded format is calculated from the input if it's seed only.

Progress

  • [ ] Change must be properly reviewed (1 review required, with at least 1 Reviewer)
  • [x] Change must not contain extraneous whitespace
  • [x] Commit message must refer to an issue
  • [ ] Change requires CSR request JDK-8349163 to be approved
  • [ ] Change requires CSR request JDK-8349164 to be approved

Issues

  • JDK-8347938: Switch to latest ML-KEM private key encoding (Bug - P2)
  • JDK-8347941: Switch to latest ML-DSA private key encoding (Bug - P2)
  • JDK-8349164: Switch to latest ML-DSA private key encoding (CSR)
  • JDK-8349163: Switch to latest ML-KEM private key encoding (CSR)

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/24969/head:pull/24969
$ git checkout pull/24969

Update a local copy of the PR:
$ git checkout pull/24969
$ git pull https://git.openjdk.org/jdk.git pull/24969/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 24969

View PR using the GUI difftool:
$ git pr show -t 24969

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/24969.diff

Using Webrev

Link to Webrev Comment

wangweij avatar Apr 30 '25 15:04 wangweij

:wave: Welcome back weijun! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

bridgekeeper[bot] avatar Apr 30 '25 15:04 bridgekeeper[bot]

❗ This change is not yet ready to be integrated. See the Progress checklist in the description for automated requirements.

openjdk[bot] avatar Apr 30 '25 15:04 openjdk[bot]

/issue add JDK-8347941

wangweij avatar Apr 30 '25 15:04 wangweij

@wangweij The following labels will be automatically applied to this pull request:

  • core-libs
  • hotspot-runtime
  • security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing lists. If you would like to change these labels, use the /label pull request command.

openjdk[bot] avatar Apr 30 '25 15:04 openjdk[bot]

@wangweij Adding additional issue to issue list: 8347941: Switch to latest ML-DSA private key encoding.

openjdk[bot] avatar Apr 30 '25 15:04 openjdk[bot]

Webrevs

mlbridge[bot] avatar Apr 30 '25 15:04 mlbridge[bot]

/label remove core-libs /label remove hotspot-runtime

wangweij avatar Apr 30 '25 16:04 wangweij

@wangweij The core-libs label was successfully removed.

openjdk[bot] avatar Apr 30 '25 16:04 openjdk[bot]

@wangweij The hotspot-runtime label was successfully removed.

openjdk[bot] avatar Apr 30 '25 16:04 openjdk[bot]

@wangweij this pull request can not be integrated into master due to one or more merge conflicts. To resolve these merge conflicts and update this pull request you can run the following commands in the local repository for your personal fork:

git checkout 8347938
git fetch https://git.openjdk.org/jdk.git master
git merge FETCH_HEAD
# resolve conflicts and follow the instructions given by git merge
git commit -m "Merge master"
git push

openjdk[bot] avatar May 15 '25 20:05 openjdk[bot]

@wangweij This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Jun 26 '25 12:06 bridgekeeper[bot]

@wangweij This pull request has been inactive for more than 8 weeks and will now be automatically closed. If you would like to continue working on this pull request in the future, feel free to reopen it! This can be done using the /open pull request command.

bridgekeeper[bot] avatar Jul 24 '25 19:07 bridgekeeper[bot]

/open

wangweij avatar Jul 25 '25 17:07 wangweij

@wangweij This pull request is now open

openjdk[bot] avatar Jul 25 '25 17:07 openjdk[bot]

@wangweij This pull request has been inactive for more than 4 weeks and will be automatically closed if another 4 weeks passes without any activity. To avoid this, simply issue a /touch or /keepalive command to the pull request. Feel free to ask for assistance if you need help with progressing this pull request towards integration!

bridgekeeper[bot] avatar Oct 09 '25 08:10 bridgekeeper[bot]

/issue remove JDK-8347941

wangweij avatar Nov 03 '25 22:11 wangweij

@wangweij Removing additional issue from issue list: 8347941.

openjdk[bot] avatar Nov 03 '25 22:11 openjdk[bot]