Adding support for ML-DSA certificates in TLS #4719
Open
@torres98

I have been trying to create a TLS 1.3 powered server + client using Botan, with the usage of PQ signed certificates (created through the oqs provider for openssl, the scheme used is mldsa65). Unfortunately, when using those certificates and enforcing the usage of mldsa65 as the signature algorithm, I always run into this error:

terminate called after throwing an instance of 'Botan::TLS::TLS_Exception'
  what(): Non-PSK Client Hello did not contain supported_groups and signature_algorithms extensions

The code I wrote so far works perfectly if I don't enforce the usage of mldsa65 as the signature algorithm. Here are some crucial parts of the code you may want to check out.

TLS policy class (used by both client and server)

#include <botan/tls_policy.h>

#include <string>
#include <vector>

// TLS 1.3-only policy with mandatory client certificate authentication.
class TLS_pq_policy : public Botan::TLS::Strict_Policy {
    bool require_cert_revocation_info() const override {
        return false;
    }

    bool require_client_certificate_authentication() const override {
        return true;
    }

    bool allow_tls12() const override {
        return false;
    }

    bool allow_dtls12() const override {
        return false;
    }

    // Key exchange names accepted by this policy.
    std::vector<std::string> allowed_key_exchange_methods() const override {
        return {"Kyber512", "Kyber768", "X25519/Kyber768"};
    }

    // Enforced signature methods; this override is the setting the report is about.
    std::vector<std::string> allowed_signature_methods() const override {
        return {"mldsa44", "mldsa65"};
    }
};

Credentials manager class:

#include <botan/certstor.h>
#include <botan/credentials_manager.h>
#include <botan/data_src.h>
#include <botan/pkcs8.h>
#include <botan/x509cert.h>

#include <memory>
#include <string>
#include <string_view>
#include <vector>

// Serves one fixed certificate chain and private key, and trusts a single CA.
class TLS_credentials_manager : public Botan::Credentials_Manager {
    std::vector<Botan::X509_Certificate> cert_chain_vec;
    std::shared_ptr<Botan::Private_Key> private_key;
    Botan::Certificate_Store_In_Memory m_cert_store;

public:
    TLS_credentials_manager(std::string_view ca_certificate_file_path, std::string_view certificate_file_path,
                            std::string_view private_key_file_path)
      : m_cert_store(Botan::X509_Certificate(ca_certificate_file_path)) {
        cert_chain_vec.emplace_back(certificate_file_path);

        // Load the PKCS#8 private key; the returned unique_ptr converts to shared_ptr.
        Botan::DataSource_Stream private_key_stream(private_key_file_path);
        private_key = Botan::PKCS8::load_key(private_key_stream);
    }

    std::vector<Botan::Certificate_Store*> trusted_certificate_authorities(const std::string& type,
                                                                           const std::string& context) override {
        return {&m_cert_store};
    }

    // Returns the same chain regardless of the key types and signature schemes the peer offered.
    std::vector<Botan::X509_Certificate> cert_chain(const std::vector<std::string>& cert_key_types,
                                                    const std::vector<Botan::AlgorithmIdentifier>& cert_signature_schemes,
                                                    const std::string& type, const std::string& context) override {
        return cert_chain_vec;
    }

    std::shared_ptr<Botan::Private_Key> private_key_for(const Botan::X509_Certificate& cert,
                                                        const std::string& type,
                                                        const std::string& context) override {
        return private_key;
    }
};

The rest of the stuff is pretty straightforward, but let me know if you need to check that out too.

OS: Ubuntu 24.04.02
Botan version 3.7.1 configured with --minimized-build --enable-modules=poly1305,system_rng,uuid,base64,blake2,tls13_pqc,kyber,ml_dsa,emsa_pssr

The private key files have been created as follows (and yes, they are valid):
openssl genpkey -algorithm mldsa44 -out key_file.key
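
Added example, not part of the original report and not Botan code: a standalone check over the extensions block of a captured ClientHello that reports whether the two extensions named in the quoted error are present and which signature schemes the client offered. The sample bytes are constructed, and reading 0x0905 as mldsa65 is an assumption taken from the ML-DSA TLS draft.

```cpp
#include <cstddef>
#include <cstdint>
#include <optional>
#include <vector>

// TLS extension type numbers (RFC 8446, section 4.2).
constexpr uint16_t EXT_SUPPORTED_GROUPS = 10;
constexpr uint16_t EXT_SIGNATURE_ALGORITHMS = 13;

struct HelloCheck {
    bool has_supported_groups = false;
    bool has_signature_algorithms = false;
    std::vector<uint16_t> signature_schemes;  // code points offered by the client
};

static uint16_t be16(const std::vector<uint8_t>& b, size_t i) {
    return static_cast<uint16_t>((b[i] << 8) | b[i + 1]);
}

// Walks the extensions block of a ClientHello (the bytes after its 2-byte
// total-length field). Returns nullopt if any length runs past the buffer.
std::optional<HelloCheck> check_extensions(const std::vector<uint8_t>& ext) {
    HelloCheck out;
    size_t pos = 0;
    while (pos < ext.size()) {
        if (ext.size() - pos < 4) return std::nullopt;
        const uint16_t type = be16(ext, pos);
        const size_t len = be16(ext, pos + 2);
        pos += 4;
        if (ext.size() - pos < len) return std::nullopt;
        if (type == EXT_SUPPORTED_GROUPS) out.has_supported_groups = true;
        if (type == EXT_SIGNATURE_ALGORITHMS) {
            // Body: 2-byte list length, then 2-byte SignatureScheme values.
            if (len < 2 || (len % 2) != 0) return std::nullopt;
            const size_t list_len = be16(ext, pos);
            if (list_len != len - 2) return std::nullopt;
            out.has_signature_algorithms = true;
            for (size_t i = pos + 2; i < pos + len; i += 2)
                out.signature_schemes.push_back(be16(ext, i));
        }
        pos += len;
    }
    return out;
}

// Constructed sample: supported_groups (x25519, 0x001d) but no signature_algorithms.
const std::vector<uint8_t> SAMPLE_NO_SIGALGS = {0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d};
// Constructed sample: the same plus signature_algorithms offering 0x0905 and 0x0807 (ed25519).
const std::vector<uint8_t> SAMPLE_WITH_SIGALGS = {0x00, 0x0a, 0x00, 0x04, 0x00, 0x02, 0x00, 0x1d,
                                                  0x00, 0x0d, 0x00, 0x06, 0x00, 0x04, 0x09, 0x05, 0x08, 0x07};
```

Running it over the extensions bytes of the client's actual hello (for example from a packet capture) shows whether signature_algorithms was sent at all when the ML-DSA-only policy is active.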

Labels: enhancement (Enhancement or new feature)