Support PQC certificates for HTTPS #62030


Open
vcsjones opened this issue May 20, 2025 · 2 comments

Comments

@vcsjones
Member

.NET 10 has been working on adding support for Post Quantum Cryptography, including X.509 certificates for HTTPS.

This issue is to track the enablement and support of three new X.509 certificate types:

  1. ML-DSA
  2. SLH-DSA
  3. Hybrid-ML-DSA

The first two are expected to be in .NET 10 Preview 5, with some pieces of 2 already in .NET 10 preview 4. The third is yet to be implemented, as of writing.

Note that PQC support is currently limited to certain operating systems. OpenSSL 3.5+ is required for Linux, and a Windows Insider build that contains support should be available in the near future.

@MackinnonBuck
Member

Thanks, @vcsjones.

What do you think we'll need to do on the ASP.NET Core side to react to the runtime changes?

@MackinnonBuck MackinnonBuck added the Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. label May 28, 2025
@vcsjones
Member Author

As an example, the CertificateConfigLoader matches on the certificate's public key OID:

```csharp
private static X509Certificate2 LoadCertificateKey(X509Certificate2 certificate, string keyPath, string? password)
{
    // OIDs for the certificate key types.
    const string RSAOid = "1.2.840.113549.1.1.1";
    const string DSAOid = "1.2.840.10040.4.1";
    const string ECDsaOid = "1.2.840.10045.2.1";

    // Duplication is required here because there are separate CopyWithPrivateKey methods for each algorithm.
    var keyText = File.ReadAllText(keyPath);
    switch (certificate.PublicKey.Oid.Value)
    {
        case RSAOid:
            using (var rsa = RSA.Create())
            {
                if (password is null) rsa.ImportFromPem(keyText);
                else rsa.ImportFromEncryptedPem(keyText, password);
                return certificate.CopyWithPrivateKey(rsa);
            }
        // The ECDsaOid and DSAOid cases follow the same pattern with ECDsa.Create() and DSA.Create().
        default:
            // Every OID not listed above, including the new ML-DSA and SLH-DSA OIDs, ends up here.
            throw new InvalidOperationException($"Unrecognized certificate key OID '{certificate.PublicKey.Oid.Value}'.");
    }
}
```

Each PQC algorithm has a new OID, so right now they fall into the default "I don't know what kind of key this is" case.

More broadly, this issue should also serve as a placeholder for "Ensure there are unit tests and e2e tests for PQC"

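The following is an added example, not code from this issue or from ASP.NET Core, showing how a loader like the one quoted above could dispatch on the PQC key OIDs instead of rejecting them in the default case. The OID values are the NIST CSOR assignments (ML-DSA-44/65/87 are 2.16.840.1.101.3.4.3.17 through .19, the twelve SLH-DSA parameter sets are .20 through .31). The type and method names `MLDsa.ImportFromPem`, `MLDsa.ImportFromEncryptedPem`, `SlhDsa.ImportFromPem`, `SlhDsa.ImportFromEncryptedPem` and the `CopyWithPrivateKey(MLDsa)` / `CopyWithPrivateKey(SlhDsa)` extension methods are assumed to match the .NET 10 preview surface; the class name `PqcAwareCertificateKeyLoader` and the `KeyFamily` enum are hypothetical. Hybrid ML-DSA is left out because the issue says it is not implemented yet.

```csharp
using System;
using System.IO;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example (not ASP.NET Core's code). Assumed .NET 10 preview API surface:
// MLDsa/SlhDsa ImportFromPem + ImportFromEncryptedPem and the X509Certificate2
// CopyWithPrivateKey(MLDsa) / CopyWithPrivateKey(SlhDsa) extension methods.
internal static class PqcAwareCertificateKeyLoader
{
    internal enum KeyFamily { Rsa, Dsa, ECDsa, MLDsa, SlhDsa, Unknown }

    // NIST CSOR signature arc: ML-DSA-44/65/87 are leaves 17..19,
    // the twelve SLH-DSA parameter sets are leaves 20..31.
    private const string NistSigArc = "2.16.840.1.101.3.4.3.";

    // Map a SubjectPublicKeyInfo algorithm OID to a key family. The classic OIDs are
    // exact matches; the PQC ones are recognised by arc prefix plus leaf range.
    internal static KeyFamily Classify(string? oid)
    {
        switch (oid)
        {
            case "1.2.840.113549.1.1.1": return KeyFamily.Rsa;
            case "1.2.840.10040.4.1":    return KeyFamily.Dsa;
            case "1.2.840.10045.2.1":    return KeyFamily.ECDsa;
        }

        if (oid is not null
            && oid.StartsWith(NistSigArc, StringComparison.Ordinal)
            && int.TryParse(oid.AsSpan(NistSigArc.Length), out int leaf))
        {
            if (leaf is >= 17 and <= 19) return KeyFamily.MLDsa;
            if (leaf is >= 20 and <= 31) return KeyFamily.SlhDsa;
        }

        return KeyFamily.Unknown;
    }

    internal static X509Certificate2 LoadCertificateKey(X509Certificate2 certificate, string keyPath, string? password)
    {
        string keyText = File.ReadAllText(keyPath);
        string? oid = certificate.PublicKey.Oid.Value;

        switch (Classify(oid))
        {
            // RSA, ECDsa and DSA share AsymmetricAlgorithm, so one PEM helper covers all three.
            case KeyFamily.Rsa:
            {
                using RSA rsa = RSA.Create();
                ImportClassicKey(rsa, keyText, password);
                return certificate.CopyWithPrivateKey(rsa);
            }
            case KeyFamily.ECDsa:
            {
                using ECDsa ecdsa = ECDsa.Create();
                ImportClassicKey(ecdsa, keyText, password);
                return certificate.CopyWithPrivateKey(ecdsa);
            }
            case KeyFamily.Dsa:
            {
                using DSA dsa = DSA.Create();
                ImportClassicKey(dsa, keyText, password);
                return certificate.CopyWithPrivateKey(dsa);
            }

            // MLDsa and SlhDsa are assumed not to derive from AsymmetricAlgorithm, so they get
            // their own cases. The parameter set comes from the PEM itself, not from our OID check.
            case KeyFamily.MLDsa:
            {
                using MLDsa mlDsa = password is null
                    ? MLDsa.ImportFromPem(keyText)
                    : MLDsa.ImportFromEncryptedPem(keyText, password);
                return certificate.CopyWithPrivateKey(mlDsa);
            }
            case KeyFamily.SlhDsa:
            {
                using SlhDsa slhDsa = password is null
                    ? SlhDsa.ImportFromPem(keyText)
                    : SlhDsa.ImportFromEncryptedPem(keyText, password);
                return certificate.CopyWithPrivateKey(slhDsa);
            }

            default:
                // Hybrid ML-DSA has no case yet; it and anything else is rejected loudly rather
                // than silently returning a certificate that has no usable private key.
                throw new InvalidOperationException($"Unrecognized certificate key OID '{oid}'.");
        }
    }

    private static void ImportClassicKey(AsymmetricAlgorithm key, string pem, string? password)
    {
        if (password is null)
        {
            key.ImportFromPem(pem);
        }
        else
        {
            key.ImportFromEncryptedPem(pem, password);
        }
    }
}
```

`CopyWithPrivateKey` is where a mismatched key pair surfaces, so a test matrix for this loader should include, per family, a matching key, a key of the right family but for a different certificate, and an encrypted PEM with a wrong password, plus a certificate with an OID inside the NIST arc but outside both leaf ranges to confirm it still lands in the default case.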
@dotnet-policy-service dotnet-policy-service bot added Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. and removed Needs: Author Feedback The author of this issue needs to respond in order for us to continue investigating this issue. labels May 28, 2025
@MackinnonBuck MackinnonBuck added this to the .NET 10 Planning milestone Jun 2, 2025
@MackinnonBuck MackinnonBuck removed the Needs: Attention 👋 This issue needs the attention of a contributor, typically because the OP has provided an update. label Jun 2, 2025