8314323: TLS 1.3 Hybrid Key Exchange

[haimaychao]

Implement hybrid key exchange support for TLS 1.3 by adding three post-quantum hybrid named groups: X25519MLKEM768, SecP256r1MLKEM768, and SecP384r1MLKEM1024.
Please see JEP 527 for details about this change.

---

Progress

• Change must be properly reviewed (1 review required, with at least 1 Reviewer)
• Change must not contain extraneous whitespace
• Commit message must refer to an issue

Integration blocker

 ⚠️ Title mismatch between PR and JBS for issue JDK-8314323

Issue

• JDK-8314323: Implement JEP 527: TLS 1.3 Hybrid Key Exchange (Enhancement - P2) ⚠️ Title mismatch between PR and JBS.

Contributors

• Jamil Nimeh <[email protected]>
• Weijun Wang <[email protected]>

Reviewing

Using git

Checkout this PR locally:
$ git fetch https://git.openjdk.org/jdk.git pull/27614/head:pull/27614
$ git checkout pull/27614

Update a local copy of the PR:
$ git checkout pull/27614
$ git pull https://git.openjdk.org/jdk.git pull/27614/head

Using Skara CLI tools

Checkout this PR locally:
$ git pr checkout 27614

View PR using the GUI difftool:
$ git pr show -t 27614

Using diff file

Download this PR as a diff file:
https://git.openjdk.org/jdk/pull/27614.diff

Using Webrev

Link to Webrev Comment

[bridgekeeper]

👋 Welcome back hchao! A progress list of the required criteria for merging this PR into master will be added to the body of your pull request. There are additional pull request commands available for use with this pull request.

[openjdk]

❗ This change is not yet ready to be integrated.
See the Progress checklist in the description for automated requirements.

[openjdk]

@haimaychao The following label will be automatically applied to this pull request:

• security

When this pull request is ready to be reviewed, an "RFR" email will be sent to the corresponding mailing list. If you would like to change these labels, use the /label pull request command.

[haimaychao]

/contributor add @jnimeh

[haimaychao]

/contributor add @wangweij

[openjdk]

@haimaychao
Contributor Jamil Nimeh <[email protected]> successfully added.

[openjdk]

@haimaychao
Contributor Weijun Wang <[email protected]> successfully added.

[mlbridge]

Webrevs

• 01: Full - Incremental (3c0e91ed)
• 00: Full (c7ba12a7)

[artur-oracle]

We assume that if provider is not null then it must be DH without doing any checks to confirm that. It would be cleaner to call getProvider() instead.

Provider p = getProvider();
if (p == null) {
KeyFactory.getInstance(name);
} else {
KeyFactory.getInstance(name, p);
}

[haimaychao]

Done.

[artur-oracle]

Do we need X448 here? Also, please provide a comment for this method with functionality description.

[haimaychao]

X448 removed, and comment added.

[artur-oracle]

Why do we need X448 and P521?

[jnimeh]

Need, no. Want, yes. The support for traditional curves that are not part of the first round of hybrid KEMs lays the groundwork for future hybrid KEMs that might use these larger curves. It also gives us the base framework to move these algorithms as named groups to KEM implementations in the future.

[artur-oracle]

I see, thanks for the explanation! I guess it makes sense if we expect those curves to be used in the future rounds of hybrid KEM.

[artur-oracle]

This variable is not being used, it can be removed together with the constructor parameter.

[haimaychao]

Removed variable spec.

[ecki]

Maybe use NamedParameterSpec.X25519?

[haimaychao]

Updated.

[ecki]

Are they needed for this Jep?

[haimaychao]

We added ML-KEM NamedGroups with null AlgorithmParameterSpec, and they won’t appear as negotiable named groups. They were added to support debug display and recognition of MLKEM named groups when used in the key share, so we can see them in debug and know if they are used. It'd help for interop debugging/testing.

[ecki]

That Choice of Name needs probably an explaining comment if it is for pure PQC and/ormhybrid?

[haimaychao]

Comment added.

[wangweij]

Maybe we can rename "PQC" to "KEM" to be consistent.

[ecki]

It feels like all the infra for X448MLKEM1024 is there, so rather than removing x448 from this patch, why not implement it (it’s more obvious than P511 Variants)

[jnimeh]

Indeed the infrastructure is there, but I don't see an IETF draft that covers that hybrid variant for TLS, nor do I see an IANA mapping for it here: https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8

There needs to be a standard for TLS 1.3 backing these hybrid KEMs before we implement them.

[ecki]

Unrelated change?

[jnimeh]

No, the choise to knock out ffdhe6144 and 8192 from the default list was done on purpose. I don't think they get much use and they can always be re-enabled via SSLParameters or the system property. We're open to feedback on this if you or others feel like they should remain in place, though.

[ecki]

The change is I think ok, doesn’t make much of a difference for most cases I was just thinking it needed its own commit and ticket reference but if it was intentional fine as well.

[jnimeh]

I think you make a fair point here. It probably deserves its own change, JBS entry, CSR, etc. We'll leave them in for now.

[ecki]

This seems to be repeated multiple times including the case sensitive string, maybe have an APS.isGenericEC() helper?

[ecki]

Isn’t that Part formte named groups, maybe Look it up instead?

[ecki]

Do we really want a non presized buffer and a stream in the handshake hot path?

[haimaychao]

Updated to use presized buffer.

[artur-oracle]

This test case fails whether we specify -Djdk.tls.namedGroups="secp384r1" or not, because the test certificate also uses secp384r1 algorithm in the signature.