Apologies for the noise. Indeed, it wasn't tested properly. Thanks for fixing it.
Dimitris On Fri, May 15, 2026 at 3:02 PM Mark Thomas <[email protected]> wrote: > On 13/05/2026 12:44, [email protected] wrote: > > This is an automated email from the ASF dual-hosted git repository. > > > > dsoumis pushed a commit to branch main > > in repository https://gitbox.apache.org/repos/asf/tomcat.git > > > > > > The following commit(s) were added to refs/heads/main by this push: > > new 7ff10fab8e Add unit tests for PQC features > > 7ff10fab8e is described below > > > > commit 7ff10fab8ede061fe61524ef96b463fef637429f > > Author: Dimitrios Soumis <[email protected]> > > AuthorDate: Wed May 13 13:44:42 2026 +0200 > > > > Add unit tests for PQC features > > How well tested is this patch? And with which OpenSSL versions? > > The OpenSSL tests can never run because the version check is looking at > the OpenSSLStatus rather than AprStatus. > > With the above fixed, the OpenSSL tests still won't run because the > OpenSSL version isn't set until after the version check. > > With that fixed, most of the OpenSSL tests result in errors or failures. > The OpenSSL-FFM tests have a similar failure rate. > > Mark > > > > --- > > test/org/apache/tomcat/util/net/TestPQC.java | 331 > +++++++++++++++++++++ > > .../tomcat/util/net/TesterKeystoreGenerator.java | 65 ++++ > > 2 files changed, 396 insertions(+) > > > > diff --git a/test/org/apache/tomcat/util/net/TestPQC.java > b/test/org/apache/tomcat/util/net/TestPQC.java > > new file mode 100644 > > index 0000000000..db3f53ff60 > > --- /dev/null > > +++ b/test/org/apache/tomcat/util/net/TestPQC.java > > @@ -0,0 +1,331 @@ > > +/* > > + * Licensed to the Apache Software Foundation (ASF) under one or more > > + * contributor license agreements. See the NOTICE file distributed > with > > + * this work for additional information regarding copyright ownership. > > + * The ASF licenses this file to You under the Apache License, Version > 2.0 > > + * (the "License"); you may not use this file except in compliance with > > + * the License. You may obtain a copy of the License at > > + * > > + * http://www.apache.org/licenses/LICENSE-2.0 > > + * > > + * Unless required by applicable law or agreed to in writing, software > > + * distributed under the License is distributed on an "AS IS" BASIS, > > + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or > implied. > > + * See the License for the specific language governing permissions and > > + * limitations under the License. > > + */ > > +package org.apache.tomcat.util.net; > > + > > +import java.io.File; > > +import java.util.ArrayList; > > +import java.util.Collection; > > +import java.util.List; > > +import java.util.Map; > > +import java.util.concurrent.TimeUnit; > > + > > +import javax.net.ssl.SSLContext; > > +import javax.net.ssl.SSLHandshakeException; > > +import javax.net.ssl.TrustManager; > > + > > +import org.junit.Assert; > > +import org.junit.Assume; > > +import org.junit.Test; > > +import org.junit.runner.RunWith; > > +import org.junit.runners.Parameterized; > > +import org.junit.runners.Parameterized.Parameter; > > + > > +import org.apache.catalina.Context; > > +import org.apache.catalina.connector.Connector; > > +import org.apache.catalina.startup.TesterServlet; > > +import org.apache.catalina.startup.Tomcat; > > +import org.apache.catalina.startup.TomcatBaseTest; > > +import org.apache.tomcat.util.buf.ByteChunk; > > +import org.apache.tomcat.util.net.SSLHostConfigCertificate.Type; > > +import org.apache.tomcat.util.net.openssl.OpenSSLStatus; > > + > > +@RunWith(Parameterized.class) > > +public class TestPQC extends TomcatBaseTest { > > + > > + @Parameterized.Parameters(name = "{0}") > > + public static Collection<Object[]> parameters() { > > + List<Object[]> parameterSets = new ArrayList<>(); > > + parameterSets.add(new Object[] { > > + "JSSE", Boolean.FALSE, "org.apache.tomcat.util.net > .jsse.JSSEImplementation"}); > > + parameterSets.add(new Object[] { > > + "OpenSSL", Boolean.TRUE, "org.apache.tomcat.util.net > .openssl.OpenSSLImplementation"}); > > + parameterSets.add(new Object[] { > > + "OpenSSL-FFM", Boolean.TRUE, " > org.apache.tomcat.util.net.openssl.panama.OpenSSLImplementation"}); > > + return parameterSets; > > + } > > + > > + @Parameter(0) > > + public String connectorName; > > + > > + @Parameter(1) > > + public boolean useOpenSSL; > > + > > + @Parameter(2) > > + public String sslImplementationName; > > + > > + @Override > > + public void setUp() throws Exception { > > + super.setUp(); > > + > > + Tomcat tomcat = getTomcatInstance(); > > + Connector connector = tomcat.getConnector(); > > + > > + Assert.assertTrue(connector.setProperty("SSLEnabled", "true")); > > + SSLHostConfig sslHostConfig = new SSLHostConfig(); > > + sslHostConfig.setProtocols(Constants.SSL_PROTO_TLSv1_3); > > + connector.addSslHostConfig(sslHostConfig); > > + > > + TesterSupport.configureSSLImplementation(tomcat, > sslImplementationName, useOpenSSL); > > + > > + Context ctx = getProgrammaticRootContext(); > > + Tomcat.addServlet(ctx, "TesterServlet", new TesterServlet()); > > + ctx.addServletMappingDecoded("/*", "TesterServlet"); > > + } > > + > > + @Test > > + public void testHostMLDSA44() throws Exception { > > + File[] pqcFiles = configureHostMLDSA("ML-DSA-44"); > > + doTestWithOpenSSLClient(pqcFiles[0].getAbsolutePath(), null, > null, null); > > + } > > + > > + > > + @Test > > + public void testHostMLDSA65() throws Exception { > > + File[] pqcFiles = configureHostMLDSA("ML-DSA-65"); > > + doTestWithOpenSSLClient(pqcFiles[0].getAbsolutePath(), null, > null, null); > > + } > > + > > + > > + @Test > > + public void testHostMLDSA87() throws Exception { > > + File[] pqcFiles = configureHostMLDSA("ML-DSA-87"); > > + doTestWithOpenSSLClient(pqcFiles[0].getAbsolutePath(), null, > null, null); > > + } > > + > > + @Test > > + public void testHostRSAandMLDSA() throws Exception { > > + configureHostRSA(); > > + configureHostMLDSA("ML-DSA-65"); > > + doTest(); > > + } > > + > > + @Test > > + public void testHostECandMLDSA() throws Exception { > > + configureHostEC(); > > + configureHostMLDSA("ML-DSA-65"); > > + doTest(); > > + } > > + > > + @Test > > + public void testHostRSAwithX25519MLKEM768() throws Exception { > > + configureHostRSA(); > > + configureHostWithGroup("X25519MLKEM768"); > > + doTestWithOpenSSLClient(new > File(TesterSupport.CA_CERT_PEM).getAbsolutePath(), > > + "X25519MLKEM768", null, null); > > + } > > + > > + > > + @Test > > + public void testHostRSAwithSecP256r1MLKEM768() throws Exception { > > + configureHostRSA(); > > + configureHostWithGroup("SecP256r1MLKEM768"); > > + doTestWithOpenSSLClient(new > File(TesterSupport.CA_CERT_PEM).getAbsolutePath(), > > + "SecP256r1MLKEM768", null, null); > > + } > > + > > + @Test > > + public void testHostRSAwithSecP384r1MLKEM1024() throws Exception { > > + configureHostRSA(); > > + configureHostWithGroup("SecP384r1MLKEM1024"); > > + doTestWithOpenSSLClient(new > File(TesterSupport.CA_CERT_PEM).getAbsolutePath(), > > + "SecP384r1MLKEM1024", null, null); > > + } > > + > > + @Test > > + public void testHostMLDSAwithX25519MLKEM768() throws Exception { > > + File[] pqcFiles = configureHostMLDSA("ML-DSA-65"); > > + configureHostWithGroup("X25519MLKEM768"); > > + doTestWithOpenSSLClient(pqcFiles[0].getAbsolutePath(), > "X25519MLKEM768", null, null); > > + } > > + > > + @Test > > + public void testHostMLDSAwithSecP256r1MLKEM768() throws Exception { > > + File[] pqcFiles = configureHostMLDSA("ML-DSA-65"); > > + configureHostWithGroup("SecP256r1MLKEM768"); > > + doTestWithOpenSSLClient(pqcFiles[0].getAbsolutePath(), > "SecP256r1MLKEM768", null, null); > > + } > > + > > + @Test > > + public void testClientMLDSA() throws Exception { > > + configureHostRSA(); > > + File[] clientFiles = > TesterKeystoreGenerator.generatePQCCertificate("testuser", "ML-DSA-65", > > + null, null); > > + SSLHostConfig sslHostConfig = > getTomcatInstance().getConnector().findSslHostConfigs()[0]; > > + sslHostConfig.setCertificateVerification("required"); > > + > sslHostConfig.setCaCertificateFile(clientFiles[0].getAbsolutePath()); > > + doTestWithOpenSSLClient(new > File(TesterSupport.CA_CERT_PEM).getAbsolutePath(), null, > > + clientFiles[0].getAbsolutePath(), > clientFiles[1].getAbsolutePath()); > > + } > > + > > + @Test > > + public void testClientMLDSAwithMLDSAServer() throws Exception { > > + File[] serverFiles = configureHostMLDSA("ML-DSA-65"); > > + File[] clientFiles = > TesterKeystoreGenerator.generatePQCCertificate("testuser", "ML-DSA-65", > > + null, null); > > + SSLHostConfig sslHostConfig = > getTomcatInstance().getConnector().findSslHostConfigs()[0]; > > + sslHostConfig.setCertificateVerification("required"); > > + > sslHostConfig.setCaCertificateFile(clientFiles[0].getAbsolutePath()); > > + doTestWithOpenSSLClient(serverFiles[0].getAbsolutePath(), null, > > + clientFiles[0].getAbsolutePath(), > clientFiles[1].getAbsolutePath()); > > + } > > + > > + @Test(expected = SSLHandshakeException.class) > > + public void testHostMLDSAHandshakeFailure() throws Exception { > > + assumePQCSupported(); > > + configureHostMLDSA("ML-DSA-65"); > > + > > + SSLContext sc = > SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_2); > > + sc.init(null, new TrustManager[] { new > TesterSupport.TrustAllCerts() }, null); > > + TesterSupport.ClientSSLSocketFactory clientSSLSocketFactory = > > + new > TesterSupport.ClientSSLSocketFactory(sc.getSocketFactory()); > > + clientSSLSocketFactory.setProtocols(new String[] { > Constants.SSL_PROTO_TLSv1_2 }); > > + > javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(clientSSLSocketFactory); > > + > > + Tomcat tomcat = getTomcatInstance(); > > + tomcat.start(); > > + getUrl("https://localhost:"; + getPort() + "/"); > > + } > > + > > + > > + private void assumePQCSupported() { > > + if (!useOpenSSL) { > > + Assume.assumeTrue("JSSE does not yet support PQC", false); > > + } > > + > > + Assume.assumeTrue("PQC requires OpenSSL 3.5+", > > + OpenSSLStatus.getMajorVersion() > 3 || > > + OpenSSLStatus.getMajorVersion() == 3 && > OpenSSLStatus.getMinorVersion() >= 5); > > + } > > + > > + private File[] configureHostMLDSA(String algorithm) throws > Exception { > > + File[] pqcFiles = > TesterKeystoreGenerator.generatePQCCertificate("localhost", algorithm, > > + new String[] { "localhost" }, null); > > + > > + Tomcat tomcat = getTomcatInstance(); > > + Connector connector = tomcat.getConnector(); > > + SSLHostConfig sslHostConfig = connector.findSslHostConfigs()[0]; > > + > > + SSLHostConfigCertificate cert = new > SSLHostConfigCertificate(sslHostConfig, Type.MLDSA); > > + cert.setCertificateFile(pqcFiles[0].getAbsolutePath()); > > + cert.setCertificateKeyFile(pqcFiles[1].getAbsolutePath()); > > + sslHostConfig.addCertificate(cert); > > + > > + return pqcFiles; > > + } > > + > > + private void configureHostRSA() { > > + Tomcat tomcat = getTomcatInstance(); > > + Connector connector = tomcat.getConnector(); > > + SSLHostConfig sslHostConfig = connector.findSslHostConfigs()[0]; > > + > > + SSLHostConfigCertificate cert = new > SSLHostConfigCertificate(sslHostConfig, Type.RSA); > > + cert.setCertificateFile(new > File(TesterSupport.LOCALHOST_RSA_CERT_PEM).getAbsolutePath()); > > + cert.setCertificateKeyFile(new > File(TesterSupport.LOCALHOST_RSA_KEY_PEM).getAbsolutePath()); > > + cert.setCertificateKeyPassword(TesterSupport.JKS_PASS); > > + sslHostConfig.addCertificate(cert); > > + } > > + > > + private void configureHostEC() { > > + Tomcat tomcat = getTomcatInstance(); > > + Connector connector = tomcat.getConnector(); > > + SSLHostConfig sslHostConfig = connector.findSslHostConfigs()[0]; > > + > > + SSLHostConfigCertificate cert = new > SSLHostConfigCertificate(sslHostConfig, Type.EC); > > + cert.setCertificateFile(new > File(TesterSupport.LOCALHOST_EC_CERT_PEM).getAbsolutePath()); > > + cert.setCertificateKeyFile(new > File(TesterSupport.LOCALHOST_EC_KEY_PEM).getAbsolutePath()); > > + sslHostConfig.addCertificate(cert); > > + } > > + > > + private void configureHostWithGroup(String groupName) { > > + Tomcat tomcat = getTomcatInstance(); > > + Connector connector = tomcat.getConnector(); > > + SSLHostConfig sslHostConfig = connector.findSslHostConfigs()[0]; > > + sslHostConfig.setGroups(groupName); > > + } > > + > > + private void doTest() throws Exception { > > + assumePQCSupported(); > > + SSLContext sc = > SSLContext.getInstance(Constants.SSL_PROTO_TLSv1_3); > > + sc.init(null, new TrustManager[] { new > TesterSupport.TrustAllCerts() }, null); > > + > javax.net.ssl.HttpsURLConnection.setDefaultSSLSocketFactory(sc.getSocketFactory()); > > + Tomcat tomcat = getTomcatInstance(); > > + tomcat.start(); > > + ByteChunk res = getUrl("https://localhost:"; + getPort() + "/"); > > + Assert.assertEquals("OK", res.toString()); > > + } > > + > > + private void doTestWithOpenSSLClient(String caFile, String groups, > > + String clientCert, String clientKey) throws Exception { > > + assumePQCSupported(); > > + > > + Tomcat tomcat = getTomcatInstance(); > > + tomcat.start(); > > + > > + String openSSLPath = > System.getProperty("tomcat.test.openssl.path"); > > + String openSSLLibPath = null; > > + if (openSSLPath == null || openSSLPath.length() == 0) { > > + openSSLPath = "openssl"; > > + } else { > > + openSSLLibPath = openSSLPath.substring(0, > openSSLPath.lastIndexOf('/')); > > + openSSLLibPath = openSSLLibPath + "/../:" + openSSLLibPath > + "/../lib:" + openSSLLibPath + "/../lib64"; > > + } > > + > > + List<String> cmd = new ArrayList<>(); > > + cmd.add(openSSLPath); > > + cmd.add("s_client"); > > + cmd.add("-connect"); > > + cmd.add("localhost:" + getPort()); > > + cmd.add("-CAfile"); > > + cmd.add(caFile); > > + cmd.add("-tls1_3"); > > + if (groups != null) { > > + cmd.add("-groups"); > > + cmd.add(groups); > > + } > > + if (clientCert != null) { > > + cmd.add("-cert"); > > + cmd.add(clientCert); > > + cmd.add("-key"); > > + cmd.add(clientKey); > > + } > > + > > + ProcessBuilder pb = new ProcessBuilder(cmd); > > + > > + if (openSSLLibPath != null) { > > + Map<String,String> env = pb.environment(); > > + String libraryPath = env.get("LD_LIBRARY_PATH"); > > + if (libraryPath == null) { > > + libraryPath = openSSLLibPath; > > + } else { > > + libraryPath = libraryPath + ":" + openSSLLibPath; > > + } > > + env.put("LD_LIBRARY_PATH", libraryPath); > > + } > > + > > + pb.redirectErrorStream(true); > > + Process p = pb.start(); > > + > > + p.getOutputStream().write("GET / HTTP/1.0\r\nHost: > localhost\r\n\r\n".getBytes()); > > + p.getOutputStream().flush(); > > + > > + String output = new String(p.getInputStream().readAllBytes()); > > + > > + Assert.assertTrue("Process did not complete in time", > p.waitFor(10, TimeUnit.SECONDS)); > > + Assert.assertTrue("TLS handshake failed:\n" + output, > output.contains("HTTP/1.")); > > + Assert.assertTrue("Unexpected response body:\n" + output, > output.contains("OK")); > > + } > > +} > > diff --git > a/test/org/apache/tomcat/util/net/TesterKeystoreGenerator.java > b/test/org/apache/tomcat/util/net/TesterKeystoreGenerator.java > > index 9fd4affde6..00f1772fcc 100644 > > --- a/test/org/apache/tomcat/util/net/TesterKeystoreGenerator.java > > +++ b/test/org/apache/tomcat/util/net/TesterKeystoreGenerator.java > > @@ -19,6 +19,7 @@ package org.apache.tomcat.util.net; > > > > import java.io.File; > > import java.io.FileOutputStream; > > +import java.io.FileWriter; > > import java.math.BigInteger; > > import java.security.KeyPair; > > import java.security.KeyPairGenerator; > > @@ -33,6 +34,8 @@ import org.bouncycastle.asn1.x509.GeneralNames; > > import org.bouncycastle.cert.X509v3CertificateBuilder; > > import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter; > > import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder; > > +import org.bouncycastle.jce.provider.BouncyCastleProvider; > > +import org.bouncycastle.openssl.jcajce.JcaPEMWriter; > > import org.bouncycastle.operator.ContentSigner; > > import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder; > > > > @@ -100,4 +103,66 @@ public final class TesterKeystoreGenerator { > > > > return keystoreFile; > > } > > + > > + /** > > + * Generate temporary PEM files containing a self-signed PQC > certificate and private key. > > + * > > + * @param cn the Common Name for the certificate subject > > + * @param algorithm the PQC algorithm name, e.g. {@code > "ML-DSA-44"}, {@code "ML-DSA-65"}, > > + * or {@code "ML-DSA-87"} > > + * @param sanNames DNS Subject Alternative Names to include, or > {@code null} for none > > + * @param customizer callback to add extensions to the certificate, > or {@code null} for none > > + * > > + * @return a two-element array: {@code [0]} is the certificate PEM > file, {@code [1]} is the > > + * private key PEM file > > + * > > + * @throws Exception if certificate generation fails > > + */ > > + public static File[] generatePQCCertificate(String cn, String > algorithm, String[] sanNames, > > + > CertificateExtensionsCustomizer customizer) throws Exception { > > + BouncyCastleProvider bouncyCastleProvider = new > BouncyCastleProvider(); > > + > > + KeyPairGenerator keyPairGenerator = > KeyPairGenerator.getInstance(algorithm, bouncyCastleProvider); > > + KeyPair keyPair = keyPairGenerator.generateKeyPair(); > > + > > + X500Name subject = new X500Name("CN=" + cn); > > + BigInteger serial = > BigInteger.valueOf(System.currentTimeMillis()); > > + long oneDay = 86400000L; > > + Date notBefore = new Date(System.currentTimeMillis() - oneDay); > > + Date notAfter = new Date(System.currentTimeMillis() + 365L * > oneDay); > > + > > + X509v3CertificateBuilder certBuilder = new > JcaX509v3CertificateBuilder(subject, serial, notBefore, > > + notAfter, subject, keyPair.getPublic()); > > + > > + if (sanNames != null && sanNames.length > 0) { > > + GeneralName[] generalNames = new > GeneralName[sanNames.length]; > > + for (int i = 0; i < sanNames.length; i++) { > > + generalNames[i] = new GeneralName(GeneralName.dNSName, > sanNames[i]); > > + } > > + certBuilder.addExtension(Extension.subjectAlternativeName, > false, new GeneralNames(generalNames)); > > + } > > + > > + if (customizer != null) { > > + customizer.customize(keyPair, certBuilder); > > + } > > + > > + ContentSigner signer = new > JcaContentSignerBuilder(algorithm).setProvider(bouncyCastleProvider) > > + .build(keyPair.getPrivate()); > > + X509Certificate certificate = new > JcaX509CertificateConverter().setProvider(bouncyCastleProvider) > > + .getCertificate(certBuilder.build(signer)); > > + > > + File certFile = File.createTempFile("test-pqc-cert-", ".pem"); > > + certFile.deleteOnExit(); > > + try (JcaPEMWriter writer = new JcaPEMWriter(new > FileWriter(certFile))) { > > + writer.writeObject(certificate); > > + } > > + > > + File keyFile = File.createTempFile("test-pqc-key-", ".pem"); > > + keyFile.deleteOnExit(); > > + try (JcaPEMWriter writer = new JcaPEMWriter(new > FileWriter(keyFile))) { > > + writer.writeObject(keyPair.getPrivate()); > > + } > > + > > + return new File[] { certFile, keyFile }; > > + } > > } > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected] > > > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
