Create a mechanism for analyzing certificates for PQC-readiness#683
Open
subecho wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
Open
Create a mechanism for analyzing certificates for PQC-readiness#683subecho wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
subecho wants to merge 1 commit intoopenstack-k8s-operators:mainfrom
Conversation
This patch adds functionality to the tls module where we can now generate an analysis for a given certificate and determine its readiness for PQC and compliance for TLS 1.3. Tests were also added to ensure this all works. We will need to go back and add more to this when the new algorithms become available in the crypto libraries for true, quantum-safe instead of quantum-resistant solutions. Co-Author: Claude <claude@anthropic.com>
abays
reviewed
Apr 13, 2026
Comment on lines
+487
to
+488
| minPQCSafeRSAKeySize = 3072 | ||
| minPQCSafeECDSAKeySize = 384 // P-384 curve |
Contributor
There was a problem hiding this comment.
My understanding is that RSA and ECDSA are never PQC "safe" (as in, immune to breakage), but are rather PQC "resistant". I'm not a PQC SME, however.
abays
reviewed
Apr 13, 2026
|
|
||
| // isTLS13Compatible checks if a certificate is compatible with TLS 1.3 | ||
| func isTLS13Compatible(cert *x509.Certificate) bool { | ||
| // TLS 1.3 removed support for RSA-PSS and requires specific signature algorithms. |
Contributor
There was a problem hiding this comment.
I'm not sure this is true with regards to TLS 1.3. I think TLS 1.3 mandates support for RSA-PSS but instead dropped PKCS#1 v1.5 signatures.
abays
reviewed
Apr 13, 2026
| if pqcSafe { | ||
| // For PQC-safe configs, prefer stronger ciphers | ||
| return append([]string{ | ||
| "TLS_AES_256_GCM_SHA384", |
Contributor
There was a problem hiding this comment.
This results in a duplicate entry, given L589.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This patch adds functionality to the tls module where we can now generate an analysis for a given certificate and determine its readiness for PQC and compliance for TLS 1.3. Tests were also added to ensure this all works.
We will need to go back and add more to this when the new algorithms become available in the crypto libraries for true, quantum-safe instead of quantum-resistant solutions.
Co-Author: Claude claude@anthropic.com