ML-KEM: PKCS12/PFX Loading and Exporting

Author: vcsjones

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs

@@ -47,6 +47,9 @@ internal static int UpRefEvpPkey(SafeEvpPKeyHandle handle)
         [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpPKeyType")]
         internal static partial EvpAlgorithmId EvpPKeyType(SafeEvpPKeyHandle handle);
 
+        [LibraryImport(Libraries.CryptoNative, EntryPoint = "CryptoNative_EvpPKeyFamily")]
+        internal static partial EvpAlgorithmFamilyId EvpPKeyFamily(SafeEvpPKeyHandle handle);
+
         [LibraryImport(Libraries.CryptoNative)]
         private static unsafe partial SafeEvpPKeyHandle CryptoNative_DecodeSubjectPublicKeyInfo(
             byte* buf,
@@ -327,5 +330,14 @@ internal enum EvpAlgorithmId
             DSA = 116,
             ECC = 408,
         }
+
+        internal enum EvpAlgorithmFamilyId
+        {
+            Unknown = 0,
+            RSA = 1,
+            DSA = 2,
+            ECC = 3,
+            MLKem = 4,
+        }
     }
 }

src/libraries/Common/tests/System/Security/Cryptography/MLKemTestData.cs

@@ -30,17 +30,33 @@ protected override byte[] ExportPkcs8(
                 throw new CryptographicException(SR.Cryptography_OpenInvalidHandle);
             }
 
-            Interop.Crypto.EvpAlgorithmId evpAlgId = Interop.Crypto.EvpPKeyType(privateKey);
+            Interop.Crypto.EvpAlgorithmFamilyId evpAlgId = Interop.Crypto.EvpPKeyFamily(privateKey);
 
-            AsymmetricAlgorithm alg = evpAlgId switch
+            AsymmetricAlgorithm? alg = evpAlgId switch
             {
-                Interop.Crypto.EvpAlgorithmId.RSA => new RSAOpenSsl(privateKey),
-                Interop.Crypto.EvpAlgorithmId.ECC => new ECDsaOpenSsl(privateKey),
-                Interop.Crypto.EvpAlgorithmId.DSA => new DSAOpenSsl(privateKey),
-                _ => throw new CryptographicException(SR.Cryptography_InvalidHandle),
+                Interop.Crypto.EvpAlgorithmFamilyId.RSA => new RSAOpenSsl(privateKey),
+                Interop.Crypto.EvpAlgorithmFamilyId.ECC => new ECDsaOpenSsl(privateKey),
+                Interop.Crypto.EvpAlgorithmFamilyId.DSA => new DSAOpenSsl(privateKey),
+                _ => null,
             };
 
-            return alg.ExportEncryptedPkcs8PrivateKey(password, pbeParameters);
+            if (alg is not null)
+            {
+                using (alg)
+                {
+                    return alg.ExportEncryptedPkcs8PrivateKey(password, pbeParameters);
+                }
+            }
+
+            if (evpAlgId == Interop.Crypto.EvpAlgorithmFamilyId.MLKem)
+            {
+                using (MLKem kem = new MLKemOpenSsl(privateKey))
+                {
+                    return kem.ExportEncryptedPkcs8PrivateKey(password, pbeParameters);
+                }
+            }
+
+            throw new CryptographicException(SR.Cryptography_InvalidHandle);
         }
 
         private static void PushHandle(IntPtr certPtr, SafeX509StackHandle publicCerts)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/OpenSslExportProvider.cs

@@ -1,6 +1,7 @@
 // Licensed to the .NET Foundation under one or more agreements.
 // The .NET Foundation licenses this file to you under the MIT license.
 
+using System.Diagnostics;
 using System.Formats.Asn1;
 using System.IO;
 
@@ -52,24 +53,43 @@ private static partial Pkcs12Return FromCertAndKey(CertAndKey certAndKey, Import
         {
             AndroidCertificatePal pal = (AndroidCertificatePal)certAndKey.Cert!;
 
-            if (certAndKey.Key != null)
+            if (certAndKey.Key is not null)
             {
-                pal.SetPrivateKey(GetPrivateKey(certAndKey.Key));
-                certAndKey.Key.Dispose();
+                if (certAndKey.Key is { Key: AsymmetricAlgorithm alg })
+                {
+                    pal.SetPrivateKey(GetPrivateKey(alg));
+                    certAndKey.Key.Dispose();
+                }
+                else
+                {
+                    Debug.Fail($"Unhandled key type '{certAndKey.Key.Key?.GetType()?.FullName}'.");
+                    throw new CryptographicException();
+                }
             }
 
             return new Pkcs12Return(pal);
         }
 
-        private static partial AsymmetricAlgorithm? CreateKey(string algorithm)
+        private static partial Pkcs12Key? CreateKey(string algorithm, ReadOnlySpan<byte> pkcs8)
         {
-            return algorithm switch
+            switch (algorithm)
             {
-                Oids.Rsa or Oids.RsaPss => new RSAImplementation.RSAAndroid(),
-                Oids.EcPublicKey or Oids.EcDiffieHellman => new ECDsaImplementation.ECDsaAndroid(),
-                Oids.Dsa => new DSAImplementation.DSAAndroid(),
-                _ => null,
-            };
+                case Oids.Rsa or Oids.RsaPss:
+                    return new AsymmetricAlgorithmPkcs12PrivateKey(
+                        pkcs8,
+                        static () => new RSAImplementation.RSAAndroid());
+                case Oids.EcPublicKey or Oids.EcDiffieHellman:
+                    return new AsymmetricAlgorithmPkcs12PrivateKey(
+                        pkcs8,
+                        static () => new ECDsaImplementation.ECDsaAndroid());
+                case Oids.Dsa:
+                    return new AsymmetricAlgorithmPkcs12PrivateKey(
+                        pkcs8,
+                        static () => new DSAImplementation.DSAAndroid());
+                default:
+                    // No PQC support on Android.
+                    return null;
+            }
         }
 
         internal static SafeKeyHandle GetPrivateKey(AsymmetricAlgorithm key)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Android.cs

@@ -59,30 +59,44 @@ private static partial Pkcs12Return FromCertAndKey(CertAndKey certAndKey, Import
             return new Pkcs12Return(pal);
         }
 
-        private static partial AsymmetricAlgorithm? CreateKey(string algorithm)
+        private static partial Pkcs12Key? CreateKey(string algorithm, ReadOnlySpan<byte> pkcs8)
         {
-            return algorithm switch
+            switch (algorithm)
             {
-                Oids.Rsa or Oids.RsaPss => new RSAOpenSsl(),
-                Oids.EcPublicKey or Oids.EcDiffieHellman => new ECDiffieHellmanOpenSsl(),
-                Oids.Dsa => new DSAOpenSsl(),
-                _ => null,
-            };
+                case Oids.Rsa or Oids.RsaPss:
+                    return new AsymmetricAlgorithmPkcs12PrivateKey(pkcs8, static () => new RSAOpenSsl());
+                case Oids.EcPublicKey or Oids.EcDiffieHellman:
+                    return new AsymmetricAlgorithmPkcs12PrivateKey(pkcs8, static () => new ECDiffieHellmanOpenSsl());
+                case Oids.Dsa:
+                    return new AsymmetricAlgorithmPkcs12PrivateKey(pkcs8, static () => new DSAOpenSsl());
+                case Oids.MlKem512 or Oids.MlKem768 or Oids.MlKem1024:
+                    return new MLKemPkcs12PrivateKey(pkcs8);
+                default:
+                    return null;
+            }
         }
 
-        internal static SafeEvpPKeyHandle GetPrivateKey(AsymmetricAlgorithm key)
+        internal static SafeEvpPKeyHandle GetPrivateKey(Pkcs12Key key)
         {
-            if (key is RSAOpenSsl rsa)
+            if (key.Key is RSAOpenSsl rsa)
             {
                 return rsa.DuplicateKeyHandle();
             }
 
-            if (key is DSAOpenSsl dsa)
+            if (key.Key is DSAOpenSsl dsa)
             {
                 return dsa.DuplicateKeyHandle();
             }
 
-            return ((ECDiffieHellmanOpenSsl)key).DuplicateKeyHandle();
+            if (key.Key is MLKem kem)
+            {
+                // We should always get back an MLKemImplementation from PKCS8 loading.
+                MLKemImplementation? impl = kem as MLKemImplementation;
+                Debug.Assert(impl is not null, "MLKem implementation is not handled for duplicating a handle.");
+                return impl.DuplicateHandle();
+            }
+
+            return ((ECDiffieHellmanOpenSsl)key.Key).DuplicateKeyHandle();
         }
 
         private static partial ICertificatePalCore LoadX509Der(ReadOnlyMemory<byte> data)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.OpenSsl.cs

@@ -14,7 +14,7 @@ public static partial class X509CertificateLoader
     {
         private static partial Pkcs12Return FromCertAndKey(CertAndKey certAndKey, ImportState importState);
 
-        private static partial AsymmetricAlgorithm? CreateKey(string algorithm);
+        private static partial Pkcs12Key? CreateKey(string algorithm, ReadOnlySpan<byte> pkcs8);
 
         private static partial ICertificatePalCore LoadX509Der(ReadOnlyMemory<byte> data);
 
@@ -196,7 +196,7 @@ internal ReadOnlySpan<SafeBagAsn> GetKeysSpan()
         private struct CertAndKey
         {
             internal ICertificatePalCore? Cert;
-            internal AsymmetricAlgorithm? Key;
+            internal Pkcs12Key? Key;
 
             internal void Dispose()
             {
@@ -209,7 +209,7 @@ private struct CertKeyMatcher
         {
             private CertAndKey[] _certAndKeys;
             private int _certCount;
-            private AsymmetricAlgorithm?[] _keys;
+            private Pkcs12Key?[] _keys;
             private RentedSubjectPublicKeyInfo[] _rentedSpki;
             private int _keyCount;
 
@@ -247,11 +247,11 @@ internal void LoadKeys(ref BagState bagState)
                     return;
                 }
 
-                _keys = ArrayPool<AsymmetricAlgorithm?>.Shared.Rent(bagState.KeyCount);
+                _keys = ArrayPool<Pkcs12Key?>.Shared.Rent(bagState.KeyCount);
 
                 foreach (SafeBagAsn safeBag in bagState.GetKeysSpan())
                 {
-                    AsymmetricAlgorithm? key = null;
+                    Pkcs12Key? key = null;
 
                     try
                     {
@@ -260,12 +260,10 @@ internal void LoadKeys(ref BagState bagState)
                             PrivateKeyInfoAsn privateKeyInfo =
                                 PrivateKeyInfoAsn.Decode(safeBag.BagValue, AsnEncodingRules.BER);
 
-                            key = CreateKey(privateKeyInfo.PrivateKeyAlgorithm.Algorithm);
+                            key = CreateKey(privateKeyInfo.PrivateKeyAlgorithm.Algorithm, safeBag.BagValue.Span);
 
                             if (key is not null)
                             {
-                                ImportPrivateKey(key, safeBag.BagValue.Span);
-
                                 if (_rentedSpki is null)
                                 {
                                     _rentedSpki =
@@ -376,7 +374,7 @@ internal CertAndKey[] MatchCertAndKeys(ref BagState bagState, bool allowDoubleBi
                             if (allowDoubleBind)
                             {
 
-                                AsymmetricAlgorithm? key = CreateKey(cert.KeyAlgorithm);
+                                Pkcs12Key? key = CreateKey(cert.KeyAlgorithm, keyBag.BagValue.Span);
 
                                 if (key is null)
                                 {
@@ -388,7 +386,6 @@ internal CertAndKey[] MatchCertAndKeys(ref BagState bagState, bool allowDoubleBi
                                 }
 
                                 _certAndKeys[certBagIdx].Key = key;
-                                ImportPrivateKey(key, keyBag.BagValue.Span);
                             }
                             else
                             {
@@ -492,6 +489,8 @@ certKeyParameters is not null &&
                             publicKeyInfo.Algorithm.Parameters.Value.Span.SequenceEqual(certKeyParameters);
                 }
 
+                // ML-KEM requires parameters to match exactly. ML-KEM also prohibits parameters, but that is checked
+                // by MLKem when loading the key.
                 // Any other algorithm matches null/empty parameters as equivalent
                 if (!publicKeyInfo.Algorithm.Parameters.HasValue)
                 {
@@ -504,7 +503,7 @@ certKeyParameters is not null &&
 
             private static void ExtractPublicKey(
                 ref RentedSubjectPublicKeyInfo spki,
-                AsymmetricAlgorithm key,
+                Pkcs12Key key,
                 int sizeHint)
             {
                 Debug.Assert(sizeHint > 0);
@@ -550,7 +549,7 @@ internal void Dispose()
                         _keys[i]?.Dispose();
                     }
 
-                    ArrayPool<AsymmetricAlgorithm?>.Shared.Return(_keys, clearArray: true);
+                    ArrayPool<Pkcs12Key?>.Shared.Return(_keys, clearArray: true);
                 }
 
                 if (_rentedSpki is not null)
@@ -619,4 +618,73 @@ internal void Dispose()
             }
         }
     }
+
+    internal abstract class Pkcs12Key : IDisposable
+    {
+        internal abstract IDisposable Key { get; }
+
+        internal abstract bool TryExportSubjectPublicKeyInfo(Span<byte> destination, out int bytesWritten);
+
+        public void Dispose() => Key.Dispose();
+    }
+
+    internal sealed class MLKemPkcs12PrivateKey : Pkcs12Key
+    {
+        private readonly MLKem _key;
+
+        internal MLKemPkcs12PrivateKey(ReadOnlySpan<byte> pkcs8)
+        {
+            try
+            {
+                _key = MLKem.ImportPkcs8PrivateKey(pkcs8);
+            }
+            catch (PlatformNotSupportedException nse)
+            {
+                // PKCS12 loader turns PNSE in to a CryptographicException
+                throw new CryptographicException(SR.Cryptography_NotValidPrivateKey, nse);
+            }
+        }
+
+        internal override bool TryExportSubjectPublicKeyInfo(Span<byte> destination, out int bytesWritten) =>
+            _key.TryExportSubjectPublicKeyInfo(destination, out bytesWritten);
+
+        internal override MLKem Key => _key;
+    }
+
+    internal sealed class AsymmetricAlgorithmPkcs12PrivateKey : Pkcs12Key
+    {
+        private readonly AsymmetricAlgorithm _key;
+
+        internal AsymmetricAlgorithmPkcs12PrivateKey(ReadOnlySpan<byte> pkcs8, Func<AsymmetricAlgorithm> factory)
+        {
+            _key = factory();
+
+            try
+            {
+                _key.ImportPkcs8PrivateKey(pkcs8, out int bytesRead);
+                Debug.Assert(bytesRead == pkcs8.Length);
+            }
+            catch (Exception ex)
+            {
+                _key.Dispose();
+
+                if (ex is PlatformNotSupportedException nse)
+                {
+                    // Turn a "curve not supported" PNSE (or other PNSE)
+                    // into a standardized CryptographicException.
+                    throw new CryptographicException(SR.Cryptography_NotValidPrivateKey, nse);
+                }
+                else
+                {
+                    throw;
+                }
+            }
+
+        }
+
+        internal override bool TryExportSubjectPublicKeyInfo(Span<byte> destination, out int bytesWritten) =>
+            _key.TryExportSubjectPublicKeyInfo(destination, out bytesWritten);
+
+        internal override AsymmetricAlgorithm Key => _key;
+    }
 }