Add more logic before PNSE where possible

Author: PranavSenthilnathan

src/libraries/Microsoft.Bcl.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateKeyAccessors.cs

@@ -416,7 +416,28 @@ public static X509Certificate2 CopyWithPrivateKey(this X509Certificate2 certific
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static CompositeMLDsa? GetCompositeMLDsaPublicKey(this X509Certificate2 certificate)
         {
-            throw new PlatformNotSupportedException();
+            ArgumentNullException.ThrowIfNull(certificate);
+
+#if NET10_0_OR_GREATER
+            return certificate.GetCompositeMLDsaPublicKey();
+#else
+            if (CompositeMLDsaAlgorithm.GetAlgorithmFromOid(certificate.GetKeyAlgorithm()) is null)
+            {
+                return null;
+            }
+
+            ArraySegment<byte> encoded = GetCertificateSubjectPublicKeyInfo(certificate);
+
+            try
+            {
+                return CompositeMLDsa.ImportSubjectPublicKeyInfo(encoded);
+            }
+            finally
+            {
+                // SubjectPublicKeyInfo does not need to clear since it's public
+                CryptoPool.Return(encoded, clearSize: 0);
+            }
+#endif
         }
 
         /// <summary>
@@ -440,7 +461,18 @@ public static X509Certificate2 CopyWithPrivateKey(this X509Certificate2 certific
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static CompositeMLDsa? GetCompositeMLDsaPrivateKey(this X509Certificate2 certificate)
         {
+            ArgumentNullException.ThrowIfNull(certificate);
+
+#if NET10_0_OR_GREATER
+            return certificate.GetCompositeMLDsaPrivateKey();
+#else
+            if (CompositeMLDsaAlgorithm.GetAlgorithmFromOid(certificate.GetKeyAlgorithm()) is null)
+            {
+                return null;
+            }
+
             throw new PlatformNotSupportedException();
+#endif
         }
 
         /// <summary>
@@ -472,7 +504,43 @@ public static X509Certificate2 CopyWithPrivateKey(this X509Certificate2 certific
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static X509Certificate2 CopyWithPrivateKey(this X509Certificate2 certificate, CompositeMLDsa privateKey)
         {
+            ArgumentNullException.ThrowIfNull(certificate);
+            ArgumentNullException.ThrowIfNull(privateKey);
+
+#if NET10_0_OR_GREATER
+            return certificate.CopyWithPrivateKey(privateKey);
+#elif NETSTANDARD
+            throw new PlatformNotSupportedException(SR.Format(SR.Cryptography_AlgorithmNotSupported, nameof(CompositeMLDsa)));
+#else
+            if (!Helpers.IsOSPlatformWindows)
+                throw new PlatformNotSupportedException();
+
+            if (certificate.HasPrivateKey)
+                throw new InvalidOperationException(SR.Cryptography_Cert_AlreadyHasPrivateKey);
+
+            using (CompositeMLDsa? publicKey = GetCompositeMLDsaPublicKey(certificate))
+            {
+                if (publicKey is null)
+                {
+                    throw new ArgumentException(SR.Cryptography_PrivateKey_WrongAlgorithm);
+                }
+
+                if (publicKey.Algorithm != privateKey.Algorithm)
+                {
+                    throw new ArgumentException(SR.Cryptography_PrivateKey_DoesNotMatch, nameof(privateKey));
+                }
+
+                byte[] pk1 = publicKey.ExportCompositeMLDsaPublicKey();
+                byte[] pk2 = privateKey.ExportCompositeMLDsaPublicKey();
+
+                if (!pk1.SequenceEqual(pk2))
+                {
+                    throw new ArgumentException(SR.Cryptography_PrivateKey_DoesNotMatch, nameof(privateKey));
+                }
+            }
+
             throw new PlatformNotSupportedException();
+#endif
         }
 
 #if !NET10_0_OR_GREATER

src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs

@@ -646,7 +646,7 @@ internal CompositeMLDsaAlgorithm() { }
         public static bool operator !=(System.Security.Cryptography.CompositeMLDsaAlgorithm? left, System.Security.Cryptography.CompositeMLDsaAlgorithm? right) { throw null; }
         public override string ToString() { throw null; }
     }
-[System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
+    [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
     public sealed partial class CompositeMLDsaCng : System.Security.Cryptography.CompositeMLDsa
     {
         [System.Runtime.Versioning.SupportedOSPlatformAttribute("windows")]
@@ -3362,7 +3362,7 @@ namespace System.Security.Cryptography.X509Certificates
     [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
     public sealed partial class CertificateRequest
     {
-[System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
         public CertificateRequest(System.Security.Cryptography.X509Certificates.X500DistinguishedName subjectName, System.Security.Cryptography.CompositeMLDsa key) { }
         public CertificateRequest(System.Security.Cryptography.X509Certificates.X500DistinguishedName subjectName, System.Security.Cryptography.ECDsa key, System.Security.Cryptography.HashAlgorithmName hashAlgorithm) { }
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
@@ -3479,7 +3479,7 @@ public Pkcs12LoadLimitExceededException(string propertyName) { }
     public sealed partial class PublicKey
     {
         public PublicKey(System.Security.Cryptography.AsymmetricAlgorithm key) { }
-[System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
         public PublicKey(System.Security.Cryptography.CompositeMLDsa key) { }
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
         public PublicKey(System.Security.Cryptography.MLDsa key) { }
@@ -3495,6 +3495,9 @@ public PublicKey(System.Security.Cryptography.SlhDsa key) { }
         public System.Security.Cryptography.Oid Oid { get { throw null; } }
         public static System.Security.Cryptography.X509Certificates.PublicKey CreateFromSubjectPublicKeyInfo(System.ReadOnlySpan<byte> source, out int bytesRead) { throw null; }
         public byte[] ExportSubjectPublicKeyInfo() { throw null; }
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
+        [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
+        public System.Security.Cryptography.CompositeMLDsa? GetCompositeMLDsaPublicKey() { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("ios")]
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("tvos")]
@@ -3822,7 +3825,7 @@ public X509Certificate2(string fileName, string? password, System.Security.Crypt
         public System.Security.Cryptography.X509Certificates.X500DistinguishedName SubjectName { get { throw null; } }
         public string Thumbprint { get { throw null; } }
         public int Version { get { throw null; } }
-[System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
         public System.Security.Cryptography.X509Certificates.X509Certificate2 CopyWithPrivateKey(System.Security.Cryptography.CompositeMLDsa privateKey) { throw null; }
         public System.Security.Cryptography.X509Certificates.X509Certificate2 CopyWithPrivateKey(System.Security.Cryptography.ECDiffieHellman privateKey) { throw null; }
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
@@ -4254,7 +4257,7 @@ public abstract partial class X509SignatureGenerator
         protected X509SignatureGenerator() { }
         public System.Security.Cryptography.X509Certificates.PublicKey PublicKey { get { throw null; } }
         protected abstract System.Security.Cryptography.X509Certificates.PublicKey BuildPublicKey();
-[System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
         public static System.Security.Cryptography.X509Certificates.X509SignatureGenerator CreateForCompositeMLDsa(System.Security.Cryptography.CompositeMLDsa key) { throw null; }
         public static System.Security.Cryptography.X509Certificates.X509SignatureGenerator CreateForECDsa(System.Security.Cryptography.ECDsa key) { throw null; }
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]

src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj

@@ -1,4 +1,4 @@
-<Project Sdk="Microsoft.NET.Sdk">
+<Project Sdk="Microsoft.NET.Sdk">
 
   <PropertyGroup>
     <TargetFrameworks>$(NetCoreAppCurrent)-windows;$(NetCoreAppCurrent)-unix;$(NetCoreAppCurrent)-android;$(NetCoreAppCurrent)-osx;$(NetCoreAppCurrent)-ios;$(NetCoreAppCurrent)-tvos;$(NetCoreAppCurrent)-browser;$(NetCoreAppCurrent)</TargetFrameworks>

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateRequest.cs

@@ -309,6 +309,9 @@ public CertificateRequest(
             string subjectName,
             CompositeMLDsa key)
         {
+            ArgumentNullException.ThrowIfNull(subjectName);
+            ArgumentNullException.ThrowIfNull(key);
+
             throw new PlatformNotSupportedException();
         }
 
@@ -330,6 +333,9 @@ public CertificateRequest(
             X500DistinguishedName subjectName,
             CompositeMLDsa key)
         {
+            ArgumentNullException.ThrowIfNull(subjectName);
+            ArgumentNullException.ThrowIfNull(key);
+
             throw new PlatformNotSupportedException();
         }
 

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/PublicKey.cs

@@ -123,7 +123,6 @@ public PublicKey(SlhDsa key) : this(key.ExportSubjectPublicKeyInfo())
         [Experimental(Experimentals.PostQuantumCryptographyDiagId)]
         public PublicKey(CompositeMLDsa key) : this(key.ExportSubjectPublicKeyInfo())
         {
-            throw new PlatformNotSupportedException();
         }
 
         private PublicKey(byte[] subjectPublicKeyInfo)
@@ -412,6 +411,29 @@ public static PublicKey CreateFromSubjectPublicKeyInfo(ReadOnlySpan<byte> source
                 ? EncodeSubjectPublicKeyInfo().Encode(SlhDsa.ImportSubjectPublicKeyInfo)
                 : null;
 
+        /// <summary>
+        ///   Gets the <see cref="CompositeMLDsa"/> public key, or <see langword="null" />
+        ///   if the key is not a Composite ML-DSA key.
+        /// </summary>
+        /// <returns>
+        ///   The public key, or <see langword="null"/> if the key is not a Composite ML-DSA key.
+        /// </returns>
+        /// <exception cref="PlatformNotSupportedException">
+        ///   The object represents a Composite ML-DSA public key, but the platform does not support the algorithm.
+        /// </exception>
+        /// <exception cref="CryptographicException">
+        ///   The key contents are corrupt or could not be read successfully.
+        /// </exception>
+        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
+        [UnsupportedOSPlatform("browser")]
+        public CompositeMLDsa? GetCompositeMLDsaPublicKey()
+        {
+            if (CompositeMLDsaAlgorithm.GetAlgorithmFromOid(_oid.Value) is null)
+                return null;
+
+            return EncodeSubjectPublicKeyInfo().Encode(CompositeMLDsa.ImportSubjectPublicKeyInfo);
+        }
+
         internal AsnWriter EncodeSubjectPublicKeyInfo()
         {
             SubjectPublicKeyInfoAsn spki = new SubjectPublicKeyInfoAsn

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs

@@ -1101,7 +1101,13 @@ public X509Certificate2 CopyWithPrivateKey(SlhDsa privateKey)
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public CompositeMLDsa? GetCompositeMLDsaPublicKey()
         {
-            throw new PlatformNotSupportedException();
+            if (CompositeMLDsaAlgorithm.GetAlgorithmFromOid(GetKeyAlgorithm()) is null)
+            {
+                return null;
+            }
+
+            Debug.Assert(!OperatingSystem.IsBrowser());
+            return PublicKey.GetCompositeMLDsaPublicKey();
         }
 
         /// <summary>
@@ -1110,12 +1116,20 @@ public X509Certificate2 CopyWithPrivateKey(SlhDsa privateKey)
         /// <returns>
         ///   The private key, or <see langword="null"/> if this certificate does not have a Composite ML-DSA private key.
         /// </returns>
+        /// <exception cref="PlatformNotSupportedException">
+        ///   Retrieving a Composite ML-DSA private key from a certificate is not supported on this platform.
+        /// </exception>
         /// <exception cref="CryptographicException">
         ///   An error occurred accessing the private key.
         /// </exception>
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public CompositeMLDsa? GetCompositeMLDsaPrivateKey()
         {
+            if (CompositeMLDsaAlgorithm.GetAlgorithmFromOid(GetKeyAlgorithm()) is null)
+            {
+                return null;
+            }
+
             throw new PlatformNotSupportedException();
         }
 
@@ -1139,9 +1153,38 @@ public X509Certificate2 CopyWithPrivateKey(SlhDsa privateKey)
         /// <exception cref="InvalidOperationException">
         ///   The certificate already has an associated private key.
         /// </exception>
+        /// <exception cref="PlatformNotSupportedException">
+        ///   Combining a certificate and a Composite ML-DSA private key is not supported on this platform.
+        /// </exception>
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public X509Certificate2 CopyWithPrivateKey(CompositeMLDsa privateKey)
         {
+            ArgumentNullException.ThrowIfNull(privateKey);
+
+            if (HasPrivateKey)
+                throw new InvalidOperationException(SR.Cryptography_Cert_AlreadyHasPrivateKey);
+
+            using (CompositeMLDsa? publicKey = GetCompositeMLDsaPublicKey())
+            {
+                if (publicKey is null)
+                {
+                    throw new ArgumentException(SR.Cryptography_PrivateKey_WrongAlgorithm);
+                }
+
+                if (publicKey.Algorithm != privateKey.Algorithm)
+                {
+                    throw new ArgumentException(SR.Cryptography_PrivateKey_DoesNotMatch, nameof(privateKey));
+                }
+
+                byte[] pk1 = publicKey.ExportCompositeMLDsaPublicKey();
+                byte[] pk2 = privateKey.ExportCompositeMLDsaPublicKey();
+
+                if (!pk1.SequenceEqual(pk2))
+                {
+                    throw new ArgumentException(SR.Cryptography_PrivateKey_DoesNotMatch, nameof(privateKey));
+                }
+            }
+
             throw new PlatformNotSupportedException();
         }
 

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509SignatureGenerator.cs

@@ -90,6 +90,8 @@ public static X509SignatureGenerator CreateForSlhDsa(SlhDsa key)
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static X509SignatureGenerator CreateForCompositeMLDsa(CompositeMLDsa key)
         {
+            ArgumentNullException.ThrowIfNull(key);
+
             throw new PlatformNotSupportedException();
         }
     }