Make CertificateRequest et al work with ML-DSA #114471

bartonjs · 2025-04-10T04:37:06Z

Add ctors to CertificateRequest
Enlighten CertificateRequest that future signing algorithms might not require a HashAlgorithmName
Add support to CertificateRequestListBuilder
Add cert.GetMLDsaPublicKey/GetMLDsaPrivateKey/CopyWithPrivateKey to power the above.

This is the ML-DSA specific parts from #114357.
Contributes to #113502.

* Add ctors to CertificateRequest * Enlighten CertificateRequest that future signing algorithms might not require a HashAlgorithmName * Add support to CertificateRequestListBuilder * Add cert.GetMLDsaPublicKey/GetMLDsaPrivateKey/CopyWithPrivateKey to power the above.

ghost · 2025-04-10T04:37:13Z

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

ghost · 2025-04-10T04:37:14Z

Note regarding the new-api-needs-documentation label:

This serves as a reminder for when your PR is modifying a ref *.cs file and adding/modifying public APIs, please make sure the API implementation in the src *.cs file is documented with triple slash comments, so the PR reviewers can sign off that change.

Copilot

Copilot reviewed 30 out of 32 changed files in this pull request and generated no comments.

Files not reviewed (2)

src/libraries/System.Security.Cryptography/src/Resources/Strings.resx: Language not supported
src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj: Language not supported

Comments suppressed due to low confidence (2)

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestImplementation.cs:41

xUnit does not provide an Assert.Fail() method by default. Consider replacing Assert.Fail() with Assert.True(false, 'Failure message') or throwing an appropriate exception (e.g. new Xunit.Sdk.XunitException('Failure')) to indicate test failure.

ExportMLDsaPrivateSeedHook = _ => Assert.Fail(),

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateRequest.cs:24

[nitpick] Changing the type of _key from AsymmetricAlgorithm? to object? reduces type safety and clarity regarding supported key types. Consider renaming the field or adding a comment to clearly indicate that it can hold multiple key types (e.g. RSA, ECDsa, MLDsa).

private readonly object? _key;

dotnet-policy-service · 2025-04-10T04:37:56Z

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

vcsjones · 2025-04-10T14:36:11Z

@vcsjones-bot test e9cb11d with openssl-3.5

src/libraries/Common/src/System/Security/Cryptography/MLDsaImplementation.cs

...libraries/Common/tests/System/Security/Cryptography/X509Certificates/CertificateAuthority.cs

src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs

src/libraries/System.Security.Cryptography/src/Resources/Strings.resx

...ecurity.Cryptography/src/System/Security/Cryptography/X509Certificates/CertificateRequest.cs

....Security.Cryptography/src/System/Security/Cryptography/X509Certificates/X509Certificate2.cs

...ity.Cryptography/src/System/Security/Cryptography/X509Certificates/X509SignatureGenerator.cs

...curity.Cryptography/tests/X509Certificates/CertificateCreation/CertificateRequestApiTests.cs

...s/System.Security.Cryptography/tests/X509Certificates/CertificateCreation/CrlBuilderTests.cs

bartonjs added the area-System.Security label Apr 10, 2025

bartonjs added this to the 10.0.0 milestone Apr 10, 2025

bartonjs self-assigned this Apr 10, 2025

Copilot AI review requested due to automatic review settings April 10, 2025 04:37

ghost added the new-api-needs-documentation label Apr 10, 2025

Copilot AI reviewed Apr 10, 2025

View reviewed changes