ML-DSA SignedCMS (#118088)

Author: PranavSenthilnathan

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestsData.cs

@@ -78,14 +78,14 @@ public MLDsaKeyInfo(
         public byte[] EncryptionPasswordBytes => Encoding.UTF8.GetBytes(EncryptionPassword); // Assuming UTF-8 encoding
         public byte[] Certificate => Convert.FromBase64String(CertificateBase64);
 #if !EXCLUDE_PEM_ENCODING_FROM_TEST_DATA
-        public string EncryptedPem_Seed => PemEncoding.WriteString("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey_Seed);
-        public string EncryptedPem_Expanded => PemEncoding.WriteString("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey_Expanded);
-        public string EncryptedPem_Both => PemEncoding.WriteString("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey_Both);
-        public string PrivateKeyPem_Seed => PemEncoding.WriteString("PRIVATE KEY", Pkcs8PrivateKey_Seed);
-        public string PrivateKeyPem_Expanded => PemEncoding.WriteString("PRIVATE KEY", Pkcs8PrivateKey_Expanded);
-        public string PrivateKeyPem_Both => PemEncoding.WriteString("PRIVATE KEY", Pkcs8PrivateKey_Both);
-        public string PublicKeyPem => PemEncoding.WriteString("PUBLIC KEY", Pkcs8PublicKey);
-        public string CertificatePem => PemEncoding.WriteString("CERTIFICATE", Certificate);
+        public string EncryptedPem_Seed => ByteUtils.PemEncode("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey_Seed);
+        public string EncryptedPem_Expanded => ByteUtils.PemEncode("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey_Expanded);
+        public string EncryptedPem_Both => ByteUtils.PemEncode("ENCRYPTED PRIVATE KEY", Pkcs8EncryptedPrivateKey_Both);
+        public string PrivateKeyPem_Seed => ByteUtils.PemEncode("PRIVATE KEY", Pkcs8PrivateKey_Seed);
+        public string PrivateKeyPem_Expanded => ByteUtils.PemEncode("PRIVATE KEY", Pkcs8PrivateKey_Expanded);
+        public string PrivateKeyPem_Both => ByteUtils.PemEncode("PRIVATE KEY", Pkcs8PrivateKey_Both);
+        public string PublicKeyPem => ByteUtils.PemEncode("PUBLIC KEY", Pkcs8PublicKey);
+        public string CertificatePem => ByteUtils.PemEncode("CERTIFICATE", Certificate);
 #endif
         public byte[] Pfx_Seed => Convert.FromBase64String(Pfx_Seed_Base64);
         public byte[] Pfx_Expanded => Convert.FromBase64String(Pfx_Expanded_Base64);

src/libraries/System.Security.Cryptography.Pkcs/ref/System.Security.Cryptography.Pkcs.netcoreapp.cs

@@ -16,8 +16,10 @@ public sealed partial class CmsSigner
     {
         public CmsSigner(System.Security.Cryptography.Pkcs.SubjectIdentifierType signerIdentifierType, System.Security.Cryptography.X509Certificates.X509Certificate2? certificate, System.Security.Cryptography.AsymmetricAlgorithm? privateKey) { }
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
-        public CmsSigner(System.Security.Cryptography.Pkcs.SubjectIdentifierType signerIdentifierType, System.Security.Cryptography.X509Certificates.X509Certificate2? certificate, System.Security.Cryptography.SlhDsa? privateKey) { }
+        public CmsSigner(System.Security.Cryptography.Pkcs.SubjectIdentifierType signerIdentifierType, System.Security.Cryptography.X509Certificates.X509Certificate2? certificate, System.Security.Cryptography.MLDsa? privateKey) { }
         public CmsSigner(System.Security.Cryptography.Pkcs.SubjectIdentifierType signerIdentifierType, System.Security.Cryptography.X509Certificates.X509Certificate2? certificate, System.Security.Cryptography.RSA? privateKey, System.Security.Cryptography.RSASignaturePadding? signaturePadding) { }
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]
+        public CmsSigner(System.Security.Cryptography.Pkcs.SubjectIdentifierType signerIdentifierType, System.Security.Cryptography.X509Certificates.X509Certificate2? certificate, System.Security.Cryptography.SlhDsa? privateKey) { }
         public System.Security.Cryptography.AsymmetricAlgorithm? PrivateKey { get { throw null; } set { } }
         public System.Security.Cryptography.RSASignaturePadding? SignaturePadding { get { throw null; } set { } }
     }

src/libraries/System.Security.Cryptography.Pkcs/src/Internal/Cryptography/Pal/AnyOS/ManagedPal.cs

@@ -84,6 +84,8 @@ public override byte[] GetSubjectKeyIdentifier(X509Certificate2 certificate)
             if (typeof(T) == typeof(DSA) && Internal.Cryptography.Helpers.IsDSASupported)
                 return (T?)(object?)certificate.GetDSAPrivateKey();
 #endif
+            if (typeof(T) == typeof(MLDsa) && MLDsa.IsSupported)
+                return (T?)(object?)certificate.GetMLDsaPrivateKey();
             if (typeof(T) == typeof(SlhDsa) && SlhDsa.IsSupported)
                 return (T?)(object?)certificate.GetSlhDsaPrivateKey();
 

src/libraries/System.Security.Cryptography.Pkcs/src/Internal/Cryptography/Pal/Windows/PkcsPalWindows.cs

@@ -150,6 +150,8 @@ public sealed override byte[] GetSubjectKeyIdentifier(X509Certificate2 certifica
                                 return (T)(object)new ECDsaCng(cngKey);
                             if (typeof(T) == typeof(DSA))
                                 return (T)(object)new DSACng(cngKey);
+                            if (typeof(T) == typeof(MLDsa))
+                                return (T)(object)new MLDsaCng(cngKey);
                             if (typeof(T) == typeof(SlhDsa))
                                 throw new PlatformNotSupportedException(SR.Format(SR.Cryptography_AlgorithmNotSupported, nameof(SlhDsa)));
 

src/libraries/System.Security.Cryptography.Pkcs/src/System.Security.Cryptography.Pkcs.csproj

@@ -589,6 +589,7 @@ System.Security.Cryptography.Pkcs.EnvelopedCms</PackageDescription>
     <Compile Include="System\Security\Cryptography\Pkcs\CmsSignature.cs" />
     <Compile Include="System\Security\Cryptography\Pkcs\CmsSignature.ECDsa.cs" />
     <Compile Include="System\Security\Cryptography\Pkcs\CmsSignature.RSA.cs" />
+    <Compile Include="System\Security\Cryptography\Pkcs\CmsSignature.MLDsa.cs" />
     <Compile Include="System\Security\Cryptography\Pkcs\CmsSignature.SlhDsa.cs" />
     <Compile Include="System\Security\Cryptography\Pkcs\CmsSigner.cs" />
     <Compile Include="System\Security\Cryptography\Pkcs\SignedCms.cs" />

src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.MLDsa.cs

@@ -0,0 +1,118 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Collections.Generic;
+using System.Diagnostics.CodeAnalysis;
+using System.Security.Cryptography.X509Certificates;
+
+namespace System.Security.Cryptography.Pkcs
+{
+    internal partial class CmsSignature
+    {
+        static partial void PrepareRegistrationMLDsa(Dictionary<string, CmsSignature> lookup)
+        {
+            lookup.Add(Oids.MLDsa44, new MLDsaCmsSignature(Oids.MLDsa44));
+            lookup.Add(Oids.MLDsa65, new MLDsaCmsSignature(Oids.MLDsa65));
+            lookup.Add(Oids.MLDsa87, new MLDsaCmsSignature(Oids.MLDsa87));
+        }
+
+        private sealed class MLDsaCmsSignature : CmsSignature
+        {
+            private string _signatureAlgorithm;
+
+            internal MLDsaCmsSignature(string signatureAlgorithm)
+            {
+                _signatureAlgorithm = signatureAlgorithm;
+            }
+
+            protected override bool VerifyKeyType(object key) => key is MLDsa;
+            internal override bool NeedsHashedMessage => false;
+
+            internal override RSASignaturePadding? SignaturePadding => null;
+
+            internal override bool VerifySignature(
+#if NET || NETSTANDARD2_1
+                ReadOnlySpan<byte> valueHash,
+                ReadOnlyMemory<byte> signature,
+#else
+                byte[] valueHash,
+                byte[] signature,
+#endif
+                string? digestAlgorithmOid,
+                ReadOnlyMemory<byte>? signatureParameters,
+                X509Certificate2 certificate)
+            {
+                if (signatureParameters.HasValue)
+                {
+                    throw new CryptographicException(
+                        SR.Format(SR.Cryptography_UnknownAlgorithmIdentifier, _signatureAlgorithm));
+                }
+
+                MLDsa? publicKey = certificate.GetMLDsaPublicKey();
+
+                if (publicKey is null)
+                {
+                    return false;
+                }
+
+                using (publicKey)
+                {
+                    return publicKey.VerifyData(
+                        valueHash,
+#if NET || NETSTANDARD2_1
+                        signature.Span
+#else
+                        signature
+#endif
+                    );
+                }
+            }
+
+            protected override bool Sign(
+#if NET || NETSTANDARD2_1
+                ReadOnlySpan<byte> dataHash,
+#else
+                byte[] dataHash,
+#endif
+                string? hashAlgorithmOid,
+                X509Certificate2 certificate,
+                object? key,
+                bool silent,
+                [NotNullWhen(true)] out string? signatureAlgorithm,
+                [NotNullWhen(true)] out byte[]? signatureValue,
+                out byte[]? signatureParameters)
+            {
+                signatureParameters = null;
+                signatureAlgorithm = _signatureAlgorithm;
+
+                using (GetSigningKey(key, certificate, silent, static cert => cert.GetMLDsaPublicKey(), out MLDsa? signingKey))
+                {
+                    if (signingKey is null)
+                    {
+                        signatureValue = null;
+                        return false;
+                    }
+
+                    // Don't pool because we will likely return this buffer to the caller.
+                    byte[] signature = new byte[signingKey.Algorithm.SignatureSizeInBytes];
+                    signingKey.SignData(dataHash, signature);
+
+                    if (key != null)
+                    {
+                        using (MLDsa certKey = certificate.GetMLDsaPublicKey()!)
+                        {
+                            if (!certKey.VerifyData(dataHash, signature))
+                            {
+                                signatureValue = null;
+                                return false;
+                            }
+                        }
+                    }
+
+                    signatureValue = signature;
+                    return true;
+                }
+            }
+        }
+    }
+}

src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.cs

@@ -21,12 +21,14 @@ static CmsSignature()
             PrepareRegistrationRsa(s_lookup);
             PrepareRegistrationDsa(s_lookup);
             PrepareRegistrationECDsa(s_lookup);
+            PrepareRegistrationMLDsa(s_lookup);
             PrepareRegistrationSlhDsa(s_lookup);
         }
 
         static partial void PrepareRegistrationRsa(Dictionary<string, CmsSignature> lookup);
         static partial void PrepareRegistrationDsa(Dictionary<string, CmsSignature> lookup);
         static partial void PrepareRegistrationECDsa(Dictionary<string, CmsSignature> lookup);
+        static partial void PrepareRegistrationMLDsa(Dictionary<string, CmsSignature> lookup);
         static partial void PrepareRegistrationSlhDsa(Dictionary<string, CmsSignature> lookup);
 
         internal abstract RSASignaturePadding? SignaturePadding { get; }

src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSigner.cs

@@ -111,6 +111,16 @@ public CmsSigner(SubjectIdentifierType signerIdentifierType, X509Certificate2? c
         {
         }
 
+#if NET || NETSTANDARD2_1
+        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
+        public
+#else
+        private
+#endif
+        CmsSigner(SubjectIdentifierType signerIdentifierType, X509Certificate2? certificate, MLDsa? privateKey)
+            : this(signerIdentifierType, certificate, privateKey, signaturePadding: null)
+        {
+        }
 
 #if NET || NETSTANDARD2_1
         [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
@@ -193,7 +203,7 @@ private CmsSigner(
             Certificate = certificate;
             DigestAlgorithm = s_defaultAlgorithm.CopyOid();
 
-            Debug.Assert(privateKey is null or AsymmetricAlgorithm or SlhDsa);
+            Debug.Assert(privateKey is null or AsymmetricAlgorithm or MLDsa or SlhDsa);
             _privateKey = (IDisposable?)privateKey;
 
             _signaturePadding = signaturePadding;
@@ -371,36 +381,8 @@ internal SignerInfoAsn Sign(
 
             if (SignerIdentifierType == SubjectIdentifierType.NoSignature)
             {
-                // The behavior of this scenario should match Windows which currently does not
-                // implement PQC. So we do a best effort determination of whether the algorithm
-                // is a pure algorithm and throw if so. This is subject to change once Windows
-                // implements PQC.
-                string? keyAlgorithm = null;
-                if (Certificate != null)
-                {
-                    try
-                    {
-                        keyAlgorithm = Certificate.GetKeyAlgorithm();
-                    }
-                    catch (CryptographicException)
-                    {
-                    }
-                }
-
-                if (keyAlgorithm != null)
-                {
-                    CmsSignature? processor = CmsSignature.ResolveAndVerifyKeyType(keyAlgorithm, _privateKey, SignaturePadding);
-                    if (processor?.NeedsHashedMessage == false)
-                    {
-                        throw new CryptographicException(SR.Cryptography_Cms_CertificateDoesNotSupportNoSignature);
-                    }
-                }
-
-                ReadOnlyMemory<byte> messageToSign =
-                    GetMessageToSign(shouldHash: true, data, contentTypeOid, out newSignerInfo.SignedAttributes);
-
                 signatureAlgorithm = Oids.NoSignature;
-                signatureValue = messageToSign;
+                signatureValue = GetMessageToSign(shouldHash: true, data, contentTypeOid, out newSignerInfo.SignedAttributes);
                 signed = true;
             }
             else

src/libraries/System.Security.Cryptography.Pkcs/tests/Certificates.cs

@@ -1,8 +1,10 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Collections.Generic;
 using System.Linq;
 using System.Security.Cryptography.SLHDsa.Tests;
+using System.Security.Cryptography.Tests;
 using Test.Cryptography;
 
 namespace System.Security.Cryptography.Pkcs.Tests
@@ -35,12 +37,14 @@ internal static class Certificates
         public static readonly CertLoader RsaOaep2048_Sha256Parameters = new CertLoaderFromRawData(RawData.RsaOaep2048_Sha256ParametersCert, RawData.RsaOaep2048_Sha256ParametersPfx, "1111");
         public static readonly CertLoader RsaOaep2048_NoParameters = new CertLoaderFromRawData(RawData.RsaOaep2048_NoParametersCert, RawData.RsaOaep2048_NoParametersPfx, "1111");
         public static readonly CertLoader SlhDsaSha2_128s_Ietf = new CertLoaderFromRawData(SlhDsaTestData.IetfSlhDsaSha2_128sCertificate, SlhDsaTestData.IetfSlhDsaSha2_128sCertificatePfx, "PLACEHOLDER");
-        public static readonly CertLoader[] SlhDsaGeneratedCerts = LoadSlhDsaCerts();
+        public static readonly CertLoader[] SlhDsaGeneratedCerts = [..SlhDsaTestData.GeneratedKeyInfosRaw.Select(info => new CertLoaderFromRawData(info.Certificate, info.SelfSignedCertificatePfx, info.EncryptionPassword))];
 
-        private static CertLoader[] LoadSlhDsaCerts() =>
-            SlhDsaTestData.GeneratedKeyInfosRaw
-                .Select(info => new CertLoaderFromRawData(info.Certificate, info.SelfSignedCertificatePfx, info.EncryptionPassword))
-                .ToArray();
+        public static readonly Dictionary<MLDsaAlgorithm, CertLoader> MLDsaIetf = new()
+        {
+            { MLDsaAlgorithm.MLDsa44, new CertLoaderFromRawData(MLDsaTestsData.IetfMLDsa44.Certificate, MLDsaTestsData.IetfMLDsa44.Pfx_Seed, "PLACEHOLDER") },
+            { MLDsaAlgorithm.MLDsa65, new CertLoaderFromRawData(MLDsaTestsData.IetfMLDsa65.Certificate, MLDsaTestsData.IetfMLDsa65.Pfx_Seed, "PLACEHOLDER") },
+            { MLDsaAlgorithm.MLDsa87, new CertLoaderFromRawData(MLDsaTestsData.IetfMLDsa87.Certificate, MLDsaTestsData.IetfMLDsa87.Pfx_Seed, "PLACEHOLDER") },
+        };
 
         // Note: the raw data is its own (nested) class to avoid problems with static field initialization ordering.
         private static class RawData