jfc'log

 As explained in my previous post the JVM doesn't have the TLS support yet.
But the keytool can be used to create the keystore and tomcat will use OpenSSL to do the TLS crypto part.

Create the keytool (I have used java25):
 # key/cert signer for certificates.
keytool  -keystore keystore -storepass changeit \
       -genkeypair -alias ec -keyalg EC \
       -dname CN=CA_test -ext bc
# key/cert ML-DSA to use for test.
keytool -keystore keystore -storepass changeit -genkeypair -alias mldsa -keyalg ML-DSA -groupname ML-DSA-65 -dname CN=localhost -signer ec
# traditional key/cert to use for test.
keytool -keystore keystore -storepass changeit -genkeypair -alias mykey -keyalg RSA -dname CN=localhost -signer ec

In the tomcat connector:
       <SSLHostConfig>
            <Certificate certificateKeystoreFile="conf/keystore"
                         certificateKeyAlias="mykey"
                         certificateKeystorePassword="changeit" type="RSA" />
            <Certificate certificateKeystoreFile="conf//keystore"
                         certificateKeyAlias="mldsa"
                         certificateKeystorePassword="changeit" type="MLDSA" />
        </SSLHostConfig>

To test use FFM and curl:
curl -ivk  --curves X25519  https://localhost:8443 -o /dev/null
The certificate will be the ML-DSA one:

 * SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / id-ml-dsa-65

and later in the trace:

*   Certificate level 0: Public key type ML-DSA-65 (15616/192 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384

 curl -ivk  --curves X25519 --sigalgs RSA-PSS+SHA256  https://localhost:8443 -o /dev/null

The cerficate will the  other/traditional one:

* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS

and later in the trace:

*   Certificate level 0: Public key type RSA (3072/128 Bits/secBits), signed using ecdsa-with-SHA384
*   Certificate level 1: Public key type EC/secp384r1 (384/192 Bits/secBits), signed using ecdsa-with-SHA384

# posted by Jean-Frederic Clere @ 1:42 PM 0 comments

To use PQC in tomcat you need to use OpenSSL at least version 3.5, either with the APR connector, with the OpenSSLImplementation or FFM, the current version of the JVM are not supporting TLS and PQC so we have to use OpenSSL.

Based on my previous posts, create a RSA key/cert pair and an MLDSA-65 one for PQC.

Configure a connector with 2 key/cert pairs:

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
        <SSLHostConfig>
            <Certificate certificateFile="conf/localhost-mldsa.crt"
                         certificateKeyFile="conf/localhost-mldsa.key"
                         type="MLDSA" />
            <Certificate certificateFile="conf/localhost/localhost.crt"
                         certificateKeyFile="conf/localhost/localhost.key"
                         type="RSA" />
        </SSLHostConfig>
    </Connector>

Make sure to have tc-native or FFM configured

tc-native:

You need a libtcnative*.so linked with OpenSSL 3.5+ in the path of LD_LIBRARY_PATH or in bin directory of your tomcat installation and the listener in server.xml: 

<Listener className="org.apache.catalina.core.AprLifecycleListener" /> 

 FFM:

You need a "recent" version of the JVM (at least 22), OpenSSL 3.5+ libraries in the LD_LIBRARY_PATH and the following in server.xml:

 <Listener className="org.apache.catalina.core.OpenSSLLifecycleListener"

curl -k -v --curves X25519 --sigalgs RSA-PSS+SHA256 https://localhost:8443/

Or X25519MLKEM768 and ask for an ML-DSA-65 key/cert for PQC:

 curl -k -v --curves X25519MLKEM768 --sigalgs ML-DSA-65 https://localhost:8443/

# posted by Jean-Frederic Clere @ 2:55 PM 0 comments