Support SLH-DSA keys in certs (#115212)

Co-authored-by: Kevin Jones <[email protected]>

Author: PranavSenthilnathan

src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EvpPkey.cs

@@ -338,6 +338,7 @@ internal enum EvpAlgorithmFamilyId
             DSA = 2,
             ECC = 3,
             MLKem = 4,
+            SlhDsa = 5,
         }
     }
 }

src/libraries/Common/src/System/Security/Cryptography/SlhDsaAlgorithm.cs

@@ -180,7 +180,7 @@ private SlhDsaAlgorithm(string name, int n, int signatureSizeInBytes, string oid
         /// </value>
         public static SlhDsaAlgorithm SlhDsaShake256f { get; } = new SlhDsaAlgorithm("SLH-DSA-SHAKE-256f", 32, 49856, Oids.SlhDsaShake256f);
 
-        internal static SlhDsaAlgorithm? GetAlgorithmFromOid(string oid)
+        internal static SlhDsaAlgorithm? GetAlgorithmFromOid(string? oid)
         {
             return oid switch
             {

src/libraries/Common/src/System/Security/Cryptography/SlhDsaImplementation.NotSupported.cs

@@ -13,7 +13,7 @@ internal sealed partial class SlhDsaImplementation : SlhDsa
         private SlhDsaImplementation(SlhDsaAlgorithm algorithm) : base(algorithm) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa GenerateKeyCore(SlhDsaAlgorithm algorithm) =>
+        internal static partial SlhDsaImplementation GenerateKeyCore(SlhDsaAlgorithm algorithm) =>
             throw new PlatformNotSupportedException();
 
         // The instance override methods are unreachable, as the constructor will always throw.
@@ -32,13 +32,13 @@ protected override void ExportSlhDsaSecretKeyCore(Span<byte> destination) =>
         protected override bool TryExportPkcs8PrivateKeyCore(Span<byte> destination, out int bytesWritten) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa ImportPublicKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
+        internal static partial SlhDsaImplementation ImportPublicKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa ImportPkcs8PrivateKeyValue(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
+        internal static partial SlhDsaImplementation ImportPkcs8PrivateKeyValue(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa ImportSecretKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
+        internal static partial SlhDsaImplementation ImportSecretKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
             throw new PlatformNotSupportedException();
     }
 }

src/libraries/Common/src/System/Security/Cryptography/SlhDsaImplementation.Windows.cs

@@ -14,7 +14,7 @@ internal sealed partial class SlhDsaImplementation : SlhDsa
         private SlhDsaImplementation(/* CngKey key, */ SlhDsaAlgorithm algorithm) : base(algorithm) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa GenerateKeyCore(SlhDsaAlgorithm algorithm) =>
+        internal static partial SlhDsaImplementation GenerateKeyCore(SlhDsaAlgorithm algorithm) =>
             throw new PlatformNotSupportedException();
 
         protected override void SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, Span<byte> destination) =>
@@ -32,13 +32,13 @@ protected override void ExportSlhDsaSecretKeyCore(Span<byte> destination) =>
         protected override bool TryExportPkcs8PrivateKeyCore(Span<byte> destination, out int bytesWritten) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa ImportPublicKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
+        internal static partial SlhDsaImplementation ImportPublicKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa ImportPkcs8PrivateKeyValue(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
+        internal static partial SlhDsaImplementation ImportPkcs8PrivateKeyValue(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
             throw new PlatformNotSupportedException();
 
-        internal static partial SlhDsa ImportSecretKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
+        internal static partial SlhDsaImplementation ImportSecretKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source) =>
             throw new PlatformNotSupportedException();
     }
 }

src/libraries/Common/src/System/Security/Cryptography/SlhDsaImplementation.cs

@@ -11,9 +11,30 @@ internal sealed partial class SlhDsaImplementation : SlhDsa
     {
         internal static partial bool SupportsAny();
 
-        internal static partial SlhDsa GenerateKeyCore(SlhDsaAlgorithm algorithm);
-        internal static partial SlhDsa ImportPublicKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source);
-        internal static partial SlhDsa ImportPkcs8PrivateKeyValue(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source);
-        internal static partial SlhDsa ImportSecretKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source);
+        internal static partial SlhDsaImplementation GenerateKeyCore(SlhDsaAlgorithm algorithm);
+        internal static partial SlhDsaImplementation ImportPublicKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source);
+        internal static partial SlhDsaImplementation ImportPkcs8PrivateKeyValue(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source);
+        internal static partial SlhDsaImplementation ImportSecretKey(SlhDsaAlgorithm algorithm, ReadOnlySpan<byte> source);
+
+        /// <summary>
+        ///   Duplicates an SLH-DSA private key by export/import.
+        ///   Only intended to be used when the key type is unknown.
+        /// </summary>
+        internal static SlhDsaImplementation DuplicatePrivateKey(SlhDsa key)
+        {
+            Debug.Assert(key is not SlhDsaImplementation);
+            Debug.Assert(key.Algorithm.SecretKeySizeInBytes <= 128);
+
+            Span<byte> secretKey = (stackalloc byte[128])[..key.Algorithm.SecretKeySizeInBytes];
+            key.ExportSlhDsaSecretKey(secretKey);
+            try
+            {
+                return ImportSecretKey(key.Algorithm, secretKey);
+            }
+            finally
+            {
+                CryptographicOperations.ZeroMemory(secretKey);
+            }
+        }
     }
 }