Skip to content

[WIP] feat(auth): expand ECP custom TLS signer signature buffer for PQC#17656

Draft
ohmayr wants to merge 3 commits into
mainfrom
pqc-ecp-buffer-fix
Draft

[WIP] feat(auth): expand ECP custom TLS signer signature buffer for PQC#17656
ohmayr wants to merge 3 commits into
mainfrom
pqc-ecp-buffer-fix

Conversation

@ohmayr

@ohmayr ohmayr commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

This PR expands the Enterprise Certificate Proxy (ECP) custom TLS signer signature buffer (sig_holder_len) in google.auth.transport._custom_tls_signer from 2,000 bytes to 65,536 bytes (64 KiB) and adds a defensive bounds check to gracefully handle invalid signature lengths. Legacy 2,000-byte allocations were designed for classical RSA/ECDSA signatures (256–512 B) and caused C-callback IndexError exceptions during mTLS handshakes when offloading Post-Quantum Cryptography (PQC) client certificates under NIST FIPS 204 (ML-DSA-65 at 3,309 B; ML-DSA-87 at 4,627 B) and FIPS 205 (SLH-DSA-128f at 17,088 B; SLH-DSA-256f at 49,856 B). The new 64 KiB buffer size aligns with the maximum signature payload permitted by the TLS 1.3 specification (RFC 8446 Section 4.4.3), ensuring full future-proof compatibility across all FIPS-standardized PQC parameter sets without breaking or modifying non-mTLS authentication flows.

@gemini-code-assist

Copy link
Copy Markdown
Contributor

Warning

Gemini encountered an error creating the review. You can try again by commenting /gemini review.

@ohmayr

ohmayr commented Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

/gemini review

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request increases the signature buffer size from 2000 to 16384 bytes in the custom TLS signer to accommodate Post-Quantum Cryptography (PQC) signatures, and adds a corresponding unit test. The reviewer recommends dynamically sizing the allocated buffer array in the new test to match the mocked signature length of 3309 bytes, ensuring consistency and robustness.

Comment thread packages/google-auth/tests/transport/test__custom_tls_signer.py Outdated
@ohmayr ohmayr changed the title wip - feat(auth): expand ECP custom TLS signer signature buffer for PQC [WIP] feat(auth): expand ECP custom TLS signer signature buffer for PQC Jul 8, 2026
@ohmayr ohmayr self-assigned this Jul 8, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant