8372526: Add support for ZLIB TLS Certificate Compression

src/java.base/share/classes/javax/net/ssl/SSLParameters.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2005, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2005, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -86,6 +86,7 @@ public class SSLParameters {
     private String[] applicationProtocols = new String[0];
     private String[] signatureSchemes = null;
     private String[] namedGroups = null;
+    private boolean enableCertificateCompression = true;
 
     /**
      * Constructs SSLParameters.
@@ -960,4 +961,38 @@ public void setNamedGroups(String[] namedGroups) {
 
         this.namedGroups = tempGroups;
     }
+
+    /**
+     * Sets whether TLS certificate compression should be enabled.
+     * <p>
+     * This method only applies to TLSv1.3.
+     *
+     * @param   enableCertificateCompression
+     *          {@code true} indicates that TLS certificate compression
+     *          should be enabled; {@code false} indicates that TLS certificate
+     *          compression should be disabled
+     *
+     * @see     #getEnableCertificateCompression()
+     *
+     * @since 27
+     */
+    public void setEnableCertificateCompression(
+            boolean enableCertificateCompression) {
+        this.enableCertificateCompression = enableCertificateCompression;
+    }
+
+    /**
+     * Returns whether TLS certificate compression should be enabled
+     * <p>
+     * This method only applies to TLSv1.3.
+     *
+     * @return  true, if TLS certificate compression should be enabled
+     *
+     * @see     #setEnableCertificateCompression(boolean)
+     *
+     * @since 27
+     */
+    public boolean getEnableCertificateCompression() {
+        return this.enableCertificateCompression;
+    }
 }

src/java.base/share/classes/sun/security/ssl/Alert.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2003, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2003, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -281,6 +281,8 @@ public void consume(ConnectionContext context,
                         // consumer so the state machine doesn't expect it.
                         tc.handshakeContext.handshakeConsumers.remove(
                                 SSLHandshake.CERTIFICATE.id);
+                        tc.handshakeContext.handshakeConsumers.remove(
+                                SSLHandshake.COMPRESSED_CERTIFICATE.id);
                         tc.handshakeContext.handshakeConsumers.remove(
                                 SSLHandshake.CERTIFICATE_VERIFY.id);
                     }

src/java.base/share/classes/sun/security/ssl/CertificateMessage.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -917,16 +917,26 @@ public byte[] produce(ConnectionContext context,
                 HandshakeMessage message) throws IOException {
             // The producing happens in handshake context only.
             HandshakeContext hc = (HandshakeContext)context;
-            if (hc.sslConfig.isClientMode) {
-                return onProduceCertificate(
-                        (ClientHandshakeContext)context, message);
-            } else {
-                return onProduceCertificate(
+            T13CertificateMessage cm = hc.sslConfig.isClientMode ?
+                onProduceCertificate(
+                        (ClientHandshakeContext)context, message) :
+                onProduceCertificate(
                         (ServerHandshakeContext)context, message);
+
+            // Output the handshake message.
+            if (hc.certDeflater == null) {
+                cm.write(hc.handshakeOutput);
+                hc.handshakeOutput.flush();
+            } else {
+                // Replace with CompressedCertificate message
+                CompressedCertificate.handshakeProducer.produce(hc, cm);
             }
+
+            // The handshake message has been delivered.
+            return null;
         }
 
-        private byte[] onProduceCertificate(ServerHandshakeContext shc,
+        private T13CertificateMessage onProduceCertificate(ServerHandshakeContext shc,
                 HandshakeMessage message) throws IOException {
             ClientHelloMessage clientHello = (ClientHelloMessage)message;
 
@@ -984,12 +994,7 @@ private byte[] onProduceCertificate(ServerHandshakeContext shc,
                 SSLLogger.fine("Produced server Certificate message", cm);
             }
 
-            // Output the handshake message.
-            cm.write(shc.handshakeOutput);
-            shc.handshakeOutput.flush();
-
-            // The handshake message has been delivered.
-            return null;
+            return cm;
         }
 
         private static SSLPossession choosePossession(
@@ -1028,7 +1033,7 @@ private static SSLPossession choosePossession(
             return pos;
         }
 
-        private byte[] onProduceCertificate(ClientHandshakeContext chc,
+        private T13CertificateMessage onProduceCertificate(ClientHandshakeContext chc,
                 HandshakeMessage message) throws IOException {
             ClientHelloMessage clientHello = (ClientHelloMessage)message;
             SSLPossession pos = choosePossession(chc, clientHello);
@@ -1071,12 +1076,7 @@ private byte[] onProduceCertificate(ClientHandshakeContext chc,
                 SSLLogger.fine("Produced client Certificate message", cm);
             }
 
-            // Output the handshake message.
-            cm.write(chc.handshakeOutput);
-            chc.handshakeOutput.flush();
-
-            // The handshake message has been delivered.
-            return null;
+            return cm;
         }
     }
 
@@ -1096,6 +1096,7 @@ public void consume(ConnectionContext context,
             HandshakeContext hc = (HandshakeContext)context;
 
             // clean up this consumer
+            hc.handshakeConsumers.remove(SSLHandshake.COMPRESSED_CERTIFICATE.id);
             hc.handshakeConsumers.remove(SSLHandshake.CERTIFICATE.id);
 
             // Ensure that the Certificate message has not been sent w/o

src/java.base/share/classes/sun/security/ssl/CertificateRequest.java

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2015, 2025, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2015, 2026, Oracle and/or its affiliates. All rights reserved.
  * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
  *
  * This code is free software; you can redistribute it and/or modify it
@@ -945,6 +945,11 @@ public byte[] produce(ConnectionContext context,
             // update
             //
             shc.certRequestContext = crm.requestContext.clone();
+            if (shc.certInflaters != null && !shc.certInflaters.isEmpty()) {
+                    shc.handshakeConsumers.put(
+                        SSLHandshake.COMPRESSED_CERTIFICATE.id,
+                        SSLHandshake.COMPRESSED_CERTIFICATE);
+            }
             shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE.id,
                     SSLHandshake.CERTIFICATE);
             shc.handshakeConsumers.put(SSLHandshake.CERTIFICATE_VERIFY.id,