From 8d4b7e14b7c0290dbfe52ae0690cc9c2188ffd62 Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Mon, 29 Dec 2025 15:14:14 -0500 Subject: [PATCH 1/7] Implement opt-out for PQ TLS Java CRT 0.39.3 enables and prefers PQ by default, so `TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy `TLS_CIPHER_PREF_TLSv1_0_2023`. --- .../internal/AwsCrtConfigurationUtils.java | 20 +++++------------- .../AwsCrtConfigurationUtilsTest.java | 21 +++++-------------- 2 files changed, 10 insertions(+), 31 deletions(-) diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java index e3c92d620f1b..e2a33246667d 100644 --- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java +++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java @@ -20,14 +20,11 @@ import software.amazon.awssdk.annotations.SdkInternalApi; import software.amazon.awssdk.crt.io.SocketOptions; import software.amazon.awssdk.crt.io.TlsCipherPreference; -import software.amazon.awssdk.http.crt.AwsCrtAsyncHttpClient; import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration; -import software.amazon.awssdk.utils.Logger; import software.amazon.awssdk.utils.NumericUtils; @SdkInternalApi public final class AwsCrtConfigurationUtils { - private static final Logger log = Logger.loggerFor(AwsCrtAsyncHttpClient.class); private AwsCrtConfigurationUtils() { } 
@@ -55,19 +52,12 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep } public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) { - TlsCipherPreference defaultTls = TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT; - if (postQuantumTlsEnabled == null || !postQuantumTlsEnabled) { - return defaultTls; + // As of of v0.39.3, aws-crt-java prefers PQ by default, so only return the pre-PQ-default policy + // below if the caller explicitly disables PQ by passing in false. + if (Boolean.FALSE.equals(postQuantumTlsEnabled)) { + return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023; } - - TlsCipherPreference pqTls = TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT; - if (!pqTls.isSupported()) { - log.warn(() -> "Hybrid post-quantum cipher suites are not supported on this platform. The SDK will use the system " - + "default cipher suites instead"); - return defaultTls; - } - - return pqTls; + return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT; } } diff --git a/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java b/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java index e83e29e0aea1..f1c67665e57b 100644 --- a/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java +++ b/http-clients/aws-crt-client/src/test/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtilsTest.java 
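Review bot: `resolveCipherPreference` is a public method whose contract has just inverted — `null` and `true` now both yield `TLS_CIPHER_SYSTEM_DEFAULT` and only an explicit `false` selects the non-PQ policy — yet it still carries no Javadoc, so callers have to read the body to learn that "not set" now means PQ-preferred. A one-liner such as `/** Resolves the CRT cipher preference: {@code Boolean.FALSE} selects the pre-PQ policy TLS_CIPHER_PREF_TLSv1_0_2023; {@code null} or {@code true} keeps TLS_CIPHER_SYSTEM_DEFAULT, which prefers PQ from aws-crt-java 0.39.3 onward. */` above the signature would fix that. The name of the opt-out policy suggests a TLS 1.0 protocol floor; if aws-crt-java's TlsCipherPreference offers a non-PQ preference with a higher minimum version, that would be the safer target for an opt-out that is really about key exchange rather than protocol version — worth confirming against the enum rather than assuming. The new comment's `As of of v0.39.3` should read `As of v0.39.3`.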
@@ -16,18 +16,14 @@ package software.amazon.awssdk.http.crt.internal; import static org.assertj.core.api.AssertionsForClassTypes.assertThat; -import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PQ_DEFAULT; +import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023; import static software.amazon.awssdk.crt.io.TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT; import java.time.Duration; import java.util.stream.Stream; -import org.junit.jupiter.api.AfterAll; -import org.junit.jupiter.api.Assumptions; -import org.junit.jupiter.api.Test; import org.junit.jupiter.params.ParameterizedTest; import org.junit.jupiter.params.provider.Arguments; import org.junit.jupiter.params.provider.MethodSource; -import software.amazon.awssdk.crt.CrtResource; import software.amazon.awssdk.crt.io.SocketOptions; import software.amazon.awssdk.crt.io.TlsCipherPreference; import software.amazon.awssdk.http.crt.TcpKeepAliveConfiguration; 
@@ -35,22 +31,15 @@ class AwsCrtConfigurationUtilsTest { @ParameterizedTest @MethodSource("cipherPreferences") - void resolveCipherPreference_pqNotSupported_shouldFallbackToSystemDefault(Boolean preferPqTls, - TlsCipherPreference tlsCipherPreference) { - Assumptions.assumeFalse(TLS_CIPHER_PQ_DEFAULT.isSupported()); - assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(preferPqTls)).isEqualTo(tlsCipherPreference); - } - - @Test - void resolveCipherPreference_pqSupported_shouldHonor() { - Assumptions.assumeTrue(TLS_CIPHER_PQ_DEFAULT.isSupported()); - assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(true)).isEqualTo(TLS_CIPHER_PQ_DEFAULT); + void resolveCipherPreference_shouldResolveCorrectly(Boolean postQuantumTlsEnabled, + TlsCipherPreference expectedPreference) { + assertThat(AwsCrtConfigurationUtils.resolveCipherPreference(postQuantumTlsEnabled)).isEqualTo(expectedPreference); } private static Stream cipherPreferences() { return Stream.of( Arguments.of(null, TLS_CIPHER_SYSTEM_DEFAULT), - Arguments.of(false, TLS_CIPHER_SYSTEM_DEFAULT), + Arguments.of(false, TLS_CIPHER_PREF_TLSv1_0_2023), Arguments.of(true, TLS_CIPHER_SYSTEM_DEFAULT) ); } From d3d1739e563a2571639bc5a17a79b06fe9943d7d Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Mon, 29 Dec 2025 18:49:14 -0500 Subject: [PATCH 2/7] Update release changelog --- .changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json diff --git a/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json b/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json new file mode 100644 index 000000000000..25a9e6d6a084 --- /dev/null +++ b/.changes/next-release/bugfix-AWSSDKforJavav2-4b5fea2.json 
@@ -0,0 +1,6 @@
+{
+ "type": "bugfix",
+ "category": "AWS SDK for Java v2",
+ "contributor": "WillChilds-Klein",
+ "description": "Java CRT 0.39.3 enables and prefers PQ by default, so `TLS_CIPHER_SYSTEM_DEFAULT` now uses PQ cipher suites. The `postQuantumTlsEnabled` builder option in aws-sdk-java-v2 now becomes an opt-out mechanism; setting it to false explicitly disables PQ by using policy `TLS_CIPHER_PREF_TLSv1_0_2023`."
+}
From a86a2e1723320e39db34ae0095e8f670e1a85b6a Mon Sep 17 00:00:00 2001
From: Will Childs-Klein
Date: Mon, 5 Jan 2026 10:31:07 -0500
Subject: [PATCH 3/7] Only use opt-out policy if supported
---
 .../awssdk/http/crt/internal/AwsCrtConfigurationUtils.java | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
index e2a33246667d..1ceac0a3ee80 100644
--- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
+++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/internal/AwsCrtConfigurationUtils.java
@@ -54,7 +54,8 @@ public static SocketOptions buildSocketOptions(TcpKeepAliveConfiguration tcpKeep
 public static TlsCipherPreference resolveCipherPreference(Boolean postQuantumTlsEnabled) {
 // As of of v0.39.3, aws-crt-java prefers PQ by default, so only return the pre-PQ-default policy
 // below if the caller explicitly disables PQ by passing in false.
- if (Boolean.FALSE.equals(postQuantumTlsEnabled)) {
+ if (Boolean.FALSE.equals(postQuantumTlsEnabled)
+ && TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023.isSupported()) {
 return TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023;
 }
 return TlsCipherPreference.TLS_CIPHER_SYSTEM_DEFAULT;
From 2c652cc2c22ab809d7a5cf0c2bc3769370841e2c Mon Sep 17 00:00:00 2001
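Review bot: With the added `&& TlsCipherPreference.TLS_CIPHER_PREF_TLSv1_0_2023.isSupported()`, an explicit `postQuantumTlsEnabled(false)` is silently ignored on any platform where that preference is unsupported and the PQ-preferring system default is used instead, with no signal to the caller; PATCH 1 removed the `log.warn` that covered exactly this kind of fallback in the opposite direction. A warning on the unsupported path, e.g. `log.warn(() -> "TLS_CIPHER_PREF_TLSv1_0_2023 is not supported on this platform; the CRT system default cipher preference will be used instead");`, would need the Logger import restored in this class, and the fallback should also be stated in the method's Javadoc so an operator who opted out for compatibility reasons knows the setting can be a no-op. The parameterized test in AwsCrtConfigurationUtilsTest still pins `Arguments.of(false, TLS_CIPHER_PREF_TLSv1_0_2023)` unconditionally and is not touched by this commit, so it now fails wherever the preference is unsupported while nothing covers the new fallback branch; guarding that case with an assumption on `isSupported()` and adding a test for the unsupported path would close both gaps.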
From: Will Childs-Klein Date: Thu, 5 Feb 2026 12:21:15 -0500 Subject: [PATCH 4/7] Update CRT to 0.43.1 --- pom.xml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pom.xml b/pom.xml index 5fb7329928ae..5c9e68ecd4a6 100644 --- a/pom.xml +++ b/pom.xml @@ -129,7 +129,7 @@ 3.1.5 1.17.1 1.37 - 0.40.3 + 0.43.1 5.10.3 From 6871bd98646bb25932abfe5b1aff5a5736e37fe6 Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Fri, 6 Feb 2026 13:51:50 -0500 Subject: [PATCH 5/7] Add pq-tls-test confirming everything works --- pq-tls-test/Dockerfile | 29 ++++ pq-tls-test/README.md | 88 +++++++++++ pq-tls-test/pom.xml | 53 +++++++ pq-tls-test/run-docker.sh | 41 +++++ .../src/main/java/com/example/PqTlsTest.java | 142 ++++++++++++++++++ 5 files changed, 353 insertions(+) create mode 100644 pq-tls-test/Dockerfile create mode 100644 pq-tls-test/README.md create mode 100644 pq-tls-test/pom.xml create mode 100755 pq-tls-test/run-docker.sh create mode 100644 pq-tls-test/src/main/java/com/example/PqTlsTest.java diff --git a/pq-tls-test/Dockerfile b/pq-tls-test/Dockerfile new file mode 100644 index 000000000000..09a8d923ba74 --- /dev/null +++ b/pq-tls-test/Dockerfile 
@@ -0,0 +1,29 @@ +FROM ubuntu:22.04 + +# Install Java 11 and Maven +RUN apt-get update && \ + apt-get install -y openjdk-11-jdk maven && \ + apt-get clean && \ + rm -rf /var/lib/apt/lists/* + +# Set Java home dynamically (works for both amd64 and arm64) +RUN echo "export JAVA_HOME=\$(dirname \$(dirname \$(readlink -f \$(which java))))" >> /etc/profile +ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk-arm64 +ENV PATH="${JAVA_HOME}/bin:${PATH}" + +# Create app directory +WORKDIR /app + +# Copy the Maven project +COPY pom.xml . +COPY src ./src + +# Copy the locally built AWS SDK artifacts from host Maven repository +# This ensures we use the snapshot with PQ TLS opt-out changes +RUN mkdir -p /root/.m2/repository + +# Note: We don't download dependencies here because SNAPSHOT versions +# will be provided via volume mount at runtime + +# Default command - compile and run +CMD ["sh", "-c", "mvn compile && mvn exec:java"] diff --git a/pq-tls-test/README.md b/pq-tls-test/README.md new file mode 100644 index 000000000000..1cf66573c7b2 --- /dev/null +++ b/pq-tls-test/README.md 
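Review bot: `ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk-arm64` hardcodes the arm64 path directly under a comment claiming the image works for both amd64 and arm64, and the preceding `RUN echo ... >> /etc/profile` never takes effect because the `CMD` runs `sh -c`, which does not source `/etc/profile`; on amd64 `JAVA_HOME` therefore points at a directory that does not exist. Since `openjdk-11-jdk` already puts `java` on `PATH`, the simplest fix is to delete the `RUN echo`, `ENV JAVA_HOME` and `ENV PATH` lines and let Maven resolve the installed JDK itself. PATCH 6 in this series reverts the whole directory, so the point only matters if it is reintroduced.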
@@ -0,0 +1,88 @@ +# Post-Quantum TLS Opt-Out Test + +This is a simple test program to verify the Post-Quantum TLS opt-out functionality in the AWS SDK for Java v2. + +## What This Program Does + +1. Creates an `AwsCrtHttpClient` with `postQuantumTlsEnabled(false)` to explicitly disable PQ TLS +2. Uses the CRT client to make a KMS `ListKeys` API call +3. Prints the results + +When PQ TLS is disabled, the SDK will use the `TLS_CIPHER_PREF_TLSv1_0_2023` cipher preference instead of the default `TLS_CIPHER_SYSTEM_DEFAULT` (which enables PQ). + +## Prerequisites + +1. **AWS Credentials**: Ensure you have AWS credentials configured (via `~/.aws/credentials`, environment variables, or IAM role) +2. **AWS Region**: The program uses `us-east-1` by default +3. **KMS Access**: Your AWS credentials should have permission to call `kms:ListKeys` +4. **Local SDK Build**: The locally built AWS SDK v2 snapshot (2.41.23-SNAPSHOT) must be installed in your local Maven repository + +## Building and Running + +### Option 1: Using Maven Exec Plugin (Recommended) + +```bash +cd /Users/childw/workplace/github/WillChilds-Klein/pq-tls-test +mvn compile exec:java +``` + +### Option 2: Build JAR and Run + +```bash +cd /Users/childw/workplace/github/WillChilds-Klein/pq-tls-test +mvn clean package +java -cp target/pq-tls-test-1.0-SNAPSHOT.jar com.example.PqTlsTest +``` + +## Expected Output + +``` +=== Post-Quantum TLS Opt-Out Test === + +Creating AwsCrtHttpClient with postQuantumTlsEnabled=false... +CRT HTTP Client created successfully. + +Creating KMS client... +KMS client created successfully. + +Calling KMS ListKeys API... +✓ API call successful! + +Found X KMS key(s): +---------------------------------------- +Key ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx +Key ARN: arn:aws:kms:us-east-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx + +... 
+ +=== Test completed successfully === + +NOTE: The connection used TLS cipher preference: TLS_CIPHER_PREF_TLSv1_0_2023 + (Non-PQ cipher suite, as Post-Quantum TLS was disabled) +``` + +## Verifying the Behavior + +To verify that the opt-out is working correctly: + +1. **Check the logs**: Look for any TLS-related logs from the AWS CRT +2. **Compare with default**: Run a similar program without `postQuantumTlsEnabled(false)` and compare the cipher suites used +3. **Network capture**: Use Wireshark or similar tools to inspect the TLS handshake and verify the cipher suite + +## Testing with PQ Enabled (Default) + +To test with PQ TLS enabled (the default behavior), simply change: + +```java +AwsCrtHttpClient crtHttpClient = AwsCrtHttpClient.builder() + .postQuantumTlsEnabled(true) // or omit this line entirely + .build(); +``` + +With PQ enabled, the connection will use `TLS_CIPHER_SYSTEM_DEFAULT` which prefers PQ cipher suites. + +## Notes + +- This uses AWS SDK v2 version `2.41.23-SNAPSHOT` from your local build +- The program limits results to 10 keys for brevity +- Make sure your AWS credentials have appropriate KMS permissions diff --git a/pq-tls-test/pom.xml b/pq-tls-test/pom.xml new file mode 100644 index 000000000000..11a7171caf1a --- /dev/null +++ b/pq-tls-test/pom.xml @@ -0,0 +1,53 @@ + + + 4.0.0 + + com.example + pq-tls-test + 1.0-SNAPSHOT + + + 8 + 8 + UTF-8 + 2.41.23-SNAPSHOT + + + + + + software.amazon.awssdk + kms + ${aws.java.sdk.version} + + + + + software.amazon.awssdk + aws-crt-client + ${aws.java.sdk.version} + + + + + org.slf4j + slf4j-simple + 1.7.36 + + + + + + + org.codehaus.mojo + exec-maven-plugin + 3.1.0 + + com.example.PqTlsTest + + + + + diff --git a/pq-tls-test/run-docker.sh b/pq-tls-test/run-docker.sh new file mode 100755 index 000000000000..0b3e2c7fd94e --- /dev/null +++ b/pq-tls-test/run-docker.sh 
@@ -0,0 +1,41 @@ +#!/bin/bash + +# Script to build and run the PQ TLS test in an Ubuntu Docker container + +set -e + +echo "Extracting AWS credentials from s3_pq_tls_test profile..." + +# Get AWS credentials using AWS CLI from specific profile +export AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id --profile default) +export AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key --profile default) + +# If session token is empty, unset it +if [ -z "$AWS_SESSION_TOKEN" ]; then + unset AWS_SESSION_TOKEN +fi + +echo "Credentials extracted successfully" +echo "Access Key: ${AWS_ACCESS_KEY_ID:0:10}..." +echo "" +echo "Building Docker image..." +docker build -t pq-tls-test:latest . + +echo "" +echo "Running test in Ubuntu Linux container..." +echo "===========================================" +echo "" + +# Run the container with: +# - Local Maven repo mounted (for the SNAPSHOT SDK) +# - AWS credentials as environment variables +docker run --rm \ + -v ~/.m2:/root/.m2 \ + -e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ + -e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ + -e AWS_REGION=us-east-1 \ + pq-tls-test:latest + +echo "" +echo "===========================================" +echo "Test completed in Docker container" diff --git a/pq-tls-test/src/main/java/com/example/PqTlsTest.java b/pq-tls-test/src/main/java/com/example/PqTlsTest.java new file mode 100644 index 000000000000..dc4a191b8d5f --- /dev/null +++ b/pq-tls-test/src/main/java/com/example/PqTlsTest.java 
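Review bot: The script exports the `default` profile's `aws_access_key_id` and `aws_secret_access_key` into its own environment and then into the container via `-e`, where they are visible to `docker inspect` and to every process in the container, and it never reads `aws_session_token`, so the `AWS_SESSION_TOKEN` check only sees whatever the calling shell already had and temporary credentials are silently dropped. The first `echo` also names an `s3_pq_tls_test` profile while both `aws configure get` calls use `--profile default`, and `echo "Access Key: ${AWS_ACCESS_KEY_ID:0:10}..."` writes part of a credential identifier to the build log. Mounting the host configuration read-only instead, `-v ~/.aws:/root/.aws:ro`, and dropping the two `export` lines and the access-key `echo` lets the SDK's default credential chain inside the container handle static and temporary credentials alike without copying secrets into process environment. PATCH 6 reverts this commit; squashing the pair out of the series would keep the credential-handling script out of history altogether.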
@@ -0,0 +1,142 @@ +package com.example; + +import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; +import software.amazon.awssdk.http.SdkHttpClient; +import software.amazon.awssdk.http.crt.AwsCrtHttpClient; +import software.amazon.awssdk.regions.Region; +import software.amazon.awssdk.services.kms.KmsClient; +import software.amazon.awssdk.services.kms.model.ListKeysRequest; +import software.amazon.awssdk.services.kms.model.ListKeysResponse; + +/** + * Test program to verify Post-Quantum TLS configuration options. + * + * This program tests three different PQ TLS configurations: + * 1. Default (postQuantumTlsEnabled not set) - uses system default + * 2. postQuantumTlsEnabled(true) - explicitly enables PQ TLS + * 3. postQuantumTlsEnabled(false) - explicitly disables PQ TLS (opt-out) + */ +public class PqTlsTest { + + public static void main(String[] args) { + System.out.println("========================================"); + System.out.println(" Post-Quantum TLS Configuration Test"); + System.out.println("========================================\n"); + + boolean allTestsPassed = true; + + // Test 1: Default behavior (no postQuantumTlsEnabled set) + allTestsPassed &= testPqConfiguration("DEFAULT (not set)", null); + + // Test 2: Explicitly enable PQ TLS + allTestsPassed &= testPqConfiguration("ENABLED (true)", true); + + // Test 3: Explicitly disable PQ TLS (opt-out) + allTestsPassed &= testPqConfiguration("DISABLED (false)", false); + + // Summary + System.out.println("\n========================================"); + if (allTestsPassed) { + System.out.println(" ✓ ALL TESTS PASSED"); + } else { + System.out.println(" ✗ SOME TESTS FAILED"); + } + System.out.println("========================================\n"); + + System.exit(allTestsPassed ? 0 : 1); + } + + /** + * Test KMS ListKeys with a specific PQ TLS configuration. 
+ * + * @param configName Human-readable name for this configuration + * @param pqEnabled null=default, true=enabled, false=disabled + * @return true if test passed, false otherwise + */ + private static boolean testPqConfiguration(String configName, Boolean pqEnabled) { + System.out.println("----------------------------------------"); + System.out.println("Test: postQuantumTlsEnabled = " + configName); + System.out.println("----------------------------------------"); + + SdkHttpClient httpClient = null; + KmsClient kmsClient = null; + + try { + // Create HTTP client with appropriate PQ configuration + System.out.print("Creating AwsCrtHttpClient... "); + AwsCrtHttpClient.Builder clientBuilder = AwsCrtHttpClient.builder(); + + if (pqEnabled != null) { + clientBuilder.postQuantumTlsEnabled(pqEnabled); + } + // If pqEnabled is null, don't set it (use default) + + httpClient = clientBuilder.build(); + System.out.println("✓"); + + // Create KMS client + System.out.print("Creating KMS client... "); + kmsClient = KmsClient.builder() + .region(Region.US_EAST_1) + .httpClient(httpClient) + .credentialsProvider(DefaultCredentialsProvider.create()) + .build(); + System.out.println("✓"); + + // Make API call + System.out.print("Calling KMS ListKeys API... 
"); + ListKeysRequest request = ListKeysRequest.builder() + .limit(5) // Just need a few keys to verify connectivity + .build(); + + ListKeysResponse response = kmsClient.listKeys(request); + System.out.println("✓"); + + // Display results + System.out.println("\nResult: SUCCESS"); + System.out.println(" Keys returned: " + response.keys().size()); + System.out.println(" Expected cipher: " + getExpectedCipher(pqEnabled)); + System.out.println(); + + return true; + + } catch (Exception e) { + System.out.println("✗"); + System.out.println("\nResult: FAILED"); + System.out.println(" Error: " + e.getClass().getSimpleName()); + System.out.println(" Message: " + e.getMessage()); + System.out.println(); + return false; + + } finally { + // Clean up resources + if (kmsClient != null) { + try { + kmsClient.close(); + } catch (Exception e) { + // Ignore cleanup errors + } + } + if (httpClient != null) { + try { + httpClient.close(); + } catch (Exception e) { + // Ignore cleanup errors + } + } + } + } + + /** + * Get the expected cipher preference description based on configuration. + */ + private static String getExpectedCipher(Boolean pqEnabled) { + if (pqEnabled == null) { + return "TLS_CIPHER_SYSTEM_DEFAULT (PQ preferred by default since CRT 0.39.3)"; + } else if (pqEnabled) { + return "TLS_CIPHER_SYSTEM_DEFAULT (PQ explicitly enabled)"; + } else { + return "TLS_CIPHER_PREF_TLSv1_0_2023 (PQ explicitly disabled/opted-out)"; + } + } +} From fc68ad3cf42f86a13d3b0cb9a9ffc6e3db4e8bc6 Mon Sep 17 00:00:00 2001 
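Review bot: `testPqConfiguration` prints `Expected cipher: ` from `getExpectedCipher(pqEnabled)` but never checks which preference was actually configured or negotiated, so a successful `ListKeys` under all three settings shows only that the CRT client can reach KMS, not that `postQuantumTlsEnabled(false)` selected the non-PQ policy — the program cannot fail for the property its class comment says it verifies. At minimum the label should say the value is assumed rather than observed, e.g. `System.out.println("  Configured preference (not verified on the wire): " + getExpectedCipher(pqEnabled));`, and a real check would need the negotiated cipher from CRT-level TLS logging or a packet capture, as the accompanying README itself suggests. The `catch (Exception e)` blocks in `finally` discard close failures without comment, which is acceptable for a throwaway harness but reads better as `catch (Exception ignored)` with the best-effort intent stated. PATCH 6 reverts this file, so these apply only if it comes back.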
From: Will Childs-Klein Date: Fri, 6 Feb 2026 13:51:55 -0500 Subject: [PATCH 6/7] Revert "Add pq-tls-test confirming everything works" This reverts commit 6871bd98646bb25932abfe5b1aff5a5736e37fe6. --- pq-tls-test/Dockerfile | 29 ---- pq-tls-test/README.md | 88 ----------- pq-tls-test/pom.xml | 53 ------- pq-tls-test/run-docker.sh | 41 ----- .../src/main/java/com/example/PqTlsTest.java | 142 ------------------ 5 files changed, 353 deletions(-) delete mode 100644 pq-tls-test/Dockerfile delete mode 100644 pq-tls-test/README.md delete mode 100644 pq-tls-test/pom.xml delete mode 100755 pq-tls-test/run-docker.sh delete mode 100644 pq-tls-test/src/main/java/com/example/PqTlsTest.java diff --git a/pq-tls-test/Dockerfile b/pq-tls-test/Dockerfile deleted file mode 100644 index 09a8d923ba74..000000000000 --- a/pq-tls-test/Dockerfile +++ /dev/null @@ -1,29 +0,0 @@ -FROM ubuntu:22.04 - -# Install Java 11 and Maven -RUN apt-get update && \ - apt-get install -y openjdk-11-jdk maven && \ - apt-get clean && \ - rm -rf /var/lib/apt/lists/* - -# Set Java home dynamically (works for both amd64 and arm64) -RUN echo "export JAVA_HOME=\$(dirname \$(dirname \$(readlink -f \$(which java))))" >> /etc/profile -ENV JAVA_HOME=/usr/lib/jvm/java-11-openjdk-arm64 -ENV PATH="${JAVA_HOME}/bin:${PATH}" - -# Create app directory -WORKDIR /app - -# Copy the Maven project -COPY pom.xml . -COPY src ./src - -# Copy the locally built AWS SDK artifacts from host Maven repository -# This ensures we use the snapshot with PQ TLS opt-out changes -RUN mkdir -p /root/.m2/repository - -# Note: We don't download dependencies here because SNAPSHOT versions -# will be provided via volume mount at runtime - -# Default command - compile and run -CMD ["sh", "-c", "mvn compile && mvn exec:java"] diff --git a/pq-tls-test/README.md b/pq-tls-test/README.md deleted file mode 100644 index 1cf66573c7b2..000000000000 --- a/pq-tls-test/README.md +++ /dev/null 
@@ -1,88 +0,0 @@ -# Post-Quantum TLS Opt-Out Test - -This is a simple test program to verify the Post-Quantum TLS opt-out functionality in the AWS SDK for Java v2. - -## What This Program Does - -1. Creates an `AwsCrtHttpClient` with `postQuantumTlsEnabled(false)` to explicitly disable PQ TLS -2. Uses the CRT client to make a KMS `ListKeys` API call -3. Prints the results - -When PQ TLS is disabled, the SDK will use the `TLS_CIPHER_PREF_TLSv1_0_2023` cipher preference instead of the default `TLS_CIPHER_SYSTEM_DEFAULT` (which enables PQ). - -## Prerequisites - -1. **AWS Credentials**: Ensure you have AWS credentials configured (via `~/.aws/credentials`, environment variables, or IAM role) -2. **AWS Region**: The program uses `us-east-1` by default -3. **KMS Access**: Your AWS credentials should have permission to call `kms:ListKeys` -4. **Local SDK Build**: The locally built AWS SDK v2 snapshot (2.41.23-SNAPSHOT) must be installed in your local Maven repository - -## Building and Running - -### Option 1: Using Maven Exec Plugin (Recommended) - -```bash -cd /Users/childw/workplace/github/WillChilds-Klein/pq-tls-test -mvn compile exec:java -``` - -### Option 2: Build JAR and Run - -```bash -cd /Users/childw/workplace/github/WillChilds-Klein/pq-tls-test -mvn clean package -java -cp target/pq-tls-test-1.0-SNAPSHOT.jar com.example.PqTlsTest -``` - -## Expected Output - -``` -=== Post-Quantum TLS Opt-Out Test === - -Creating AwsCrtHttpClient with postQuantumTlsEnabled=false... -CRT HTTP Client created successfully. - -Creating KMS client... -KMS client created successfully. - -Calling KMS ListKeys API... -✓ API call successful! - -Found X KMS key(s): ----------------------------------------- -Key ID: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx -Key ARN: arn:aws:kms:us-east-1:123456789012:key/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx - -... 
- -=== Test completed successfully === - -NOTE: The connection used TLS cipher preference: TLS_CIPHER_PREF_TLSv1_0_2023 - (Non-PQ cipher suite, as Post-Quantum TLS was disabled) -``` - -## Verifying the Behavior - -To verify that the opt-out is working correctly: - -1. **Check the logs**: Look for any TLS-related logs from the AWS CRT -2. **Compare with default**: Run a similar program without `postQuantumTlsEnabled(false)` and compare the cipher suites used -3. **Network capture**: Use Wireshark or similar tools to inspect the TLS handshake and verify the cipher suite - -## Testing with PQ Enabled (Default) - -To test with PQ TLS enabled (the default behavior), simply change: - -```java -AwsCrtHttpClient crtHttpClient = AwsCrtHttpClient.builder() - .postQuantumTlsEnabled(true) // or omit this line entirely - .build(); -``` - -With PQ enabled, the connection will use `TLS_CIPHER_SYSTEM_DEFAULT` which prefers PQ cipher suites. - -## Notes - -- This uses AWS SDK v2 version `2.41.23-SNAPSHOT` from your local build -- The program limits results to 10 keys for brevity -- Make sure your AWS credentials have appropriate KMS permissions diff --git a/pq-tls-test/pom.xml b/pq-tls-test/pom.xml deleted file mode 100644 index 11a7171caf1a..000000000000 --- a/pq-tls-test/pom.xml +++ /dev/null @@ -1,53 +0,0 @@ - - - 4.0.0 - - com.example - pq-tls-test - 1.0-SNAPSHOT - - - 8 - 8 - UTF-8 - 2.41.23-SNAPSHOT - - - - - - software.amazon.awssdk - kms - ${aws.java.sdk.version} - - - - - software.amazon.awssdk - aws-crt-client - ${aws.java.sdk.version} - - - - - org.slf4j - slf4j-simple - 1.7.36 - - - - - - - org.codehaus.mojo - exec-maven-plugin - 3.1.0 - - com.example.PqTlsTest - - - - - diff --git a/pq-tls-test/run-docker.sh b/pq-tls-test/run-docker.sh deleted file mode 100755 index 0b3e2c7fd94e..000000000000 --- a/pq-tls-test/run-docker.sh +++ /dev/null 
@@ -1,41 +0,0 @@ -#!/bin/bash - -# Script to build and run the PQ TLS test in an Ubuntu Docker container - -set -e - -echo "Extracting AWS credentials from s3_pq_tls_test profile..." - -# Get AWS credentials using AWS CLI from specific profile -export AWS_ACCESS_KEY_ID=$(aws configure get aws_access_key_id --profile default) -export AWS_SECRET_ACCESS_KEY=$(aws configure get aws_secret_access_key --profile default) - -# If session token is empty, unset it -if [ -z "$AWS_SESSION_TOKEN" ]; then - unset AWS_SESSION_TOKEN -fi - -echo "Credentials extracted successfully" -echo "Access Key: ${AWS_ACCESS_KEY_ID:0:10}..." -echo "" -echo "Building Docker image..." -docker build -t pq-tls-test:latest . - -echo "" -echo "Running test in Ubuntu Linux container..." -echo "===========================================" -echo "" - -# Run the container with: -# - Local Maven repo mounted (for the SNAPSHOT SDK) -# - AWS credentials as environment variables -docker run --rm \ - -v ~/.m2:/root/.m2 \ - -e AWS_ACCESS_KEY_ID="${AWS_ACCESS_KEY_ID}" \ - -e AWS_SECRET_ACCESS_KEY="${AWS_SECRET_ACCESS_KEY}" \ - -e AWS_REGION=us-east-1 \ - pq-tls-test:latest - -echo "" -echo "===========================================" -echo "Test completed in Docker container" diff --git a/pq-tls-test/src/main/java/com/example/PqTlsTest.java b/pq-tls-test/src/main/java/com/example/PqTlsTest.java deleted file mode 100644 index dc4a191b8d5f..000000000000 --- a/pq-tls-test/src/main/java/com/example/PqTlsTest.java +++ /dev/null 
@@ -1,142 +0,0 @@ -package com.example; - -import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider; -import software.amazon.awssdk.http.SdkHttpClient; -import software.amazon.awssdk.http.crt.AwsCrtHttpClient; -import software.amazon.awssdk.regions.Region; -import software.amazon.awssdk.services.kms.KmsClient; -import software.amazon.awssdk.services.kms.model.ListKeysRequest; -import software.amazon.awssdk.services.kms.model.ListKeysResponse; - -/** - * Test program to verify Post-Quantum TLS configuration options. - * - * This program tests three different PQ TLS configurations: - * 1. Default (postQuantumTlsEnabled not set) - uses system default - * 2. postQuantumTlsEnabled(true) - explicitly enables PQ TLS - * 3. postQuantumTlsEnabled(false) - explicitly disables PQ TLS (opt-out) - */ -public class PqTlsTest { - - public static void main(String[] args) { - System.out.println("========================================"); - System.out.println(" Post-Quantum TLS Configuration Test"); - System.out.println("========================================\n"); - - boolean allTestsPassed = true; - - // Test 1: Default behavior (no postQuantumTlsEnabled set) - allTestsPassed &= testPqConfiguration("DEFAULT (not set)", null); - - // Test 2: Explicitly enable PQ TLS - allTestsPassed &= testPqConfiguration("ENABLED (true)", true); - - // Test 3: Explicitly disable PQ TLS (opt-out) - allTestsPassed &= testPqConfiguration("DISABLED (false)", false); - - // Summary - System.out.println("\n========================================"); - if (allTestsPassed) { - System.out.println(" ✓ ALL TESTS PASSED"); - } else { - System.out.println(" ✗ SOME TESTS FAILED"); - } - System.out.println("========================================\n"); - - System.exit(allTestsPassed ? 0 : 1); - } - - /** - * Test KMS ListKeys with a specific PQ TLS configuration. 
- * - * @param configName Human-readable name for this configuration - * @param pqEnabled null=default, true=enabled, false=disabled - * @return true if test passed, false otherwise - */ - private static boolean testPqConfiguration(String configName, Boolean pqEnabled) { - System.out.println("----------------------------------------"); - System.out.println("Test: postQuantumTlsEnabled = " + configName); - System.out.println("----------------------------------------"); - - SdkHttpClient httpClient = null; - KmsClient kmsClient = null; - - try { - // Create HTTP client with appropriate PQ configuration - System.out.print("Creating AwsCrtHttpClient... "); - AwsCrtHttpClient.Builder clientBuilder = AwsCrtHttpClient.builder(); - - if (pqEnabled != null) { - clientBuilder.postQuantumTlsEnabled(pqEnabled); - } - // If pqEnabled is null, don't set it (use default) - - httpClient = clientBuilder.build(); - System.out.println("✓"); - - // Create KMS client - System.out.print("Creating KMS client... "); - kmsClient = KmsClient.builder() - .region(Region.US_EAST_1) - .httpClient(httpClient) - .credentialsProvider(DefaultCredentialsProvider.create()) - .build(); - System.out.println("✓"); - - // Make API call - System.out.print("Calling KMS ListKeys API... 
"); - ListKeysRequest request = ListKeysRequest.builder() - .limit(5) // Just need a few keys to verify connectivity - .build(); - - ListKeysResponse response = kmsClient.listKeys(request); - System.out.println("✓"); - - // Display results - System.out.println("\nResult: SUCCESS"); - System.out.println(" Keys returned: " + response.keys().size()); - System.out.println(" Expected cipher: " + getExpectedCipher(pqEnabled)); - System.out.println(); - - return true; - - } catch (Exception e) { - System.out.println("✗"); - System.out.println("\nResult: FAILED"); - System.out.println(" Error: " + e.getClass().getSimpleName()); - System.out.println(" Message: " + e.getMessage()); - System.out.println(); - return false; - - } finally { - // Clean up resources - if (kmsClient != null) { - try { - kmsClient.close(); - } catch (Exception e) { - // Ignore cleanup errors - } - } - if (httpClient != null) { - try { - httpClient.close(); - } catch (Exception e) { - // Ignore cleanup errors - } - } - } - } - - /** - * Get the expected cipher preference description based on configuration. - */ - private static String getExpectedCipher(Boolean pqEnabled) { - if (pqEnabled == null) { - return "TLS_CIPHER_SYSTEM_DEFAULT (PQ preferred by default since CRT 0.39.3)"; - } else if (pqEnabled) { - return "TLS_CIPHER_SYSTEM_DEFAULT (PQ explicitly enabled)"; - } else { - return "TLS_CIPHER_PREF_TLSv1_0_2023 (PQ explicitly disabled/opted-out)"; - } - } -} From 05c207ea0c959b205a991ac9297a217d7b7d6f5e Mon Sep 17 00:00:00 2001 From: Will Childs-Klein Date: Fri, 6 Feb 2026 15:01:35 -0500 Subject: [PATCH 7/7] Update javadoc --- .../software/amazon/awssdk/http/crt/AwsCrtHttpClient.java | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java index 4270b47862e5..66b876d19b7b 100644 
--- a/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java +++ b/http-clients/aws-crt-client/src/main/java/software/amazon/awssdk/http/crt/AwsCrtHttpClient.java @@ -263,14 +263,13 @@ AwsCrtHttpClient.Builder tcpKeepAliveConfiguration(Consumer * See Using hybrid post-quantum TLS with AWS KMS * *

- * It's disabled by default. + * It's enabled by default. * * @param postQuantumTlsEnabled whether to prefer Post Quantum TLS * @return The builder of the method chaining.