Type: Enhancement
Resolution: Unresolved
Priority: P3
Background
OpenJDK already supports verification of LMS (Leighton–Micali Signature) and HSS (Hierarchical Signature System) digital signatures, as defined in RFC 8554. These are stateful hash-based post-quantum signature schemes built on hash trees (Merkle trees). Support was added earlier via OpenJDK issues such as JDK-8305973 and JDK-8308896 (verification only).
In October 2025, RFC 9858 – “Additional Parameter Sets for HSS/LMS Hash-Based Signatures” was published. This RFC introduces new parameter sets for LMS/HSS that use SHA-256/192 (truncated output) and SHAKE-based hash functions (SHAKE256/256 and SHAKE256/192). These new sets enable more compact signatures and compatibility with newer hardware security modules (HSMs) that implement the updated standard.
Motivation for the RFE
Some HSM vendors are beginning to generate LMS/HSS signatures using SHA-3 / SHAKE variants. The current JDK verifier only recognizes the original parameter sets from RFC 8554. Without RFC 9858 parameter set support, verification of such new signatures will fail. The new RFC now defines final, stable identifiers (IDs / OIDs) for those parameter sets, removing the last blocker for JDK adoption.
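The practical consequence of the Background and Motivation sections is that an HSS/LMS public key or signature can be classified before it ever reaches a verifier: the first three 32-bit words of an HSS public key (level count, LMS typecode, LM-OTS typecode) already tell you which RFC the parameter set comes from. The following pre-flight checker is an added example written for this RFE, not code from OpenJDK. It parses the RFC 8554 public-key layout (u32 L || u32 lms_type || u32 lmots_type || I[16] || T[1][m]); the typecode values for the original sets are from RFC 8554 and the values for the SHA-256/192 and SHAKE sets are transcribed from RFC 9858's IANA registrations. The `jdk_verifier_recognizes` flag simply encodes this issue's statement that the current JDK verifier knows only the RFC 8554 sets; it is not a JDK API. The sample keys are constructed filler bytes, not real key material.

```python
import struct

# Typecodes from RFC 8554 (the original LMS/HSS parameter sets the JDK verifier accepts).
LMS_TYPES_RFC8554 = {
    5: "LMS_SHA256_M32_H5",
    6: "LMS_SHA256_M32_H10",
    7: "LMS_SHA256_M32_H15",
    8: "LMS_SHA256_M32_H20",
    9: "LMS_SHA256_M32_H25",
}
LMOTS_TYPES_RFC8554 = {
    1: "LMOTS_SHA256_N32_W1",
    2: "LMOTS_SHA256_N32_W2",
    3: "LMOTS_SHA256_N32_W4",
    4: "LMOTS_SHA256_N32_W8",
}

# Typecodes added by RFC 9858: SHA-256/192 (M24/N24) and SHAKE256-based (SHAKE) sets.
LMS_TYPES_RFC9858 = {}
for base, family in ((10, "LMS_SHA256_M24"), (15, "LMS_SHAKE_M32"), (20, "LMS_SHAKE_M24")):
    for i, h in enumerate((5, 10, 15, 20, 25)):
        LMS_TYPES_RFC9858[base + i] = f"{family}_H{h}"
LMOTS_TYPES_RFC9858 = {}
for base, family in ((5, "LMOTS_SHA256_N24"), (9, "LMOTS_SHAKE_N32"), (13, "LMOTS_SHAKE_N24")):
    for i, w in enumerate((1, 2, 4, 8)):
        LMOTS_TYPES_RFC9858[base + i] = f"{family}_W{w}"


def _lookup(typecode, rfc8554, rfc9858):
    """Map a typecode to (name, defining RFC); unknown codes are rejected outright."""
    if typecode in rfc8554:
        return rfc8554[typecode], "RFC 8554"
    if typecode in rfc9858:
        return rfc9858[typecode], "RFC 9858"
    raise ValueError(f"unknown typecode {typecode:#010x}")


def _hash_params(name):
    """'LMS_SHA256_M32_H5' -> ('SHA256', 32); 'LMOTS_SHAKE_N24_W4' -> ('SHAKE', 24)."""
    _, family, size, _ = name.split("_")
    return family, int(size[1:])


def parse_hss_public_key(blob: bytes) -> dict:
    """Parse an HSS public key header and report which RFC its parameter set comes from."""
    if len(blob) < 28:
        raise ValueError("truncated HSS public key header")
    levels, lms_type, lmots_type = struct.unpack(">III", blob[:12])
    if not 1 <= levels <= 8:  # RFC 8554 restricts the HSS level count L to 1..8
        raise ValueError(f"HSS level count {levels} out of range 1..8")
    lms_name, lms_rfc = _lookup(lms_type, LMS_TYPES_RFC8554, LMS_TYPES_RFC9858)
    lmots_name, lmots_rfc = _lookup(lmots_type, LMOTS_TYPES_RFC8554, LMOTS_TYPES_RFC9858)
    lms_hash, m = _hash_params(lms_name)
    lmots_hash, n = _hash_params(lmots_name)
    # The tree and the one-time signature must use the same hash function and output length.
    if (lms_hash, m) != (lmots_hash, n):
        raise ValueError(f"LMS {lms_name} and LM-OTS {lmots_name} use different hash functions")
    expected = 12 + 16 + m  # header || I (16 bytes) || T[1] (m bytes)
    if len(blob) != expected:
        raise ValueError(f"public key is {len(blob)} bytes, expected {expected} for {lms_name}")
    only_rfc8554 = lms_rfc == lmots_rfc == "RFC 8554"
    return {
        "levels": levels,
        "lms": lms_name,
        "lmots": lmots_name,
        "hash": lms_hash,
        "hash_len": m,
        "rfc": "RFC 8554" if only_rfc8554 else "RFC 9858",
        # Assumption taken from this RFE: today's JDK verifier accepts only RFC 8554 sets.
        "jdk_verifier_recognizes": only_rfc8554,
    }


def make_public_key(levels, lms_type, lmots_type, m):
    """Constructed sample key: I and T[1] are filler bytes, not real key material."""
    return struct.pack(">III", levels, lms_type, lmots_type) + bytes(16) + bytes([0xAB]) * m


SAMPLE_RFC8554 = make_public_key(2, 5, 4, 32)    # LMS_SHA256_M32_H5 / LMOTS_SHA256_N32_W8
SAMPLE_RFC9858 = make_public_key(1, 20, 15, 24)  # LMS_SHAKE_M24_H5 / LMOTS_SHAKE_N24_W4

if __name__ == "__main__":
    for label, key in (("RFC 8554 key", SAMPLE_RFC8554), ("RFC 9858 key", SAMPLE_RFC9858)):
        print(label, parse_hss_public_key(key))
```

Run against a key exported from an HSM, the checker tells you ahead of time whether a verification failure on the current JDK is a parameter-set gap (this RFE) rather than a bad signature; the hash-consistency check also catches a malformed key that mixes a SHA-256 tree with a SHAKE one-time signature, which no conforming signer produces.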