SPKI and PKCS8 for Composite ML-DSA

[PranavSenthilnathan]

Closes #116998

[dotnet-policy-service]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

[Copilot]

Pull Request Overview

This PR implements SPKI (Subject Public Key Info) and PKCS#8 support for Composite ML-DSA cryptographic algorithms. The primary purpose is to extend the existing Composite ML-DSA implementation to support standard cryptographic key formats for interoperability.

Key changes include:

• Added support for importing and exporting keys in SPKI and PKCS#8 formats
• Implemented encrypted PKCS#8 private key support with PEM encoding
• Extended test infrastructure with comprehensive validation for the new formats

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

Show a summary per file

File	Description
CompositeMLDsaTestHelpers.cs	Added extensive helper methods for testing SPKI/PKCS#8 import/export operations
CompositeMLDsaMockImplementation.cs	Updated mock implementation to support PKCS#8 export testing
CompositeMLDsaImplementationTests.cs	Added comprehensive roundtrip tests for all new key formats
CompositeMLDsaFactoryTests.cs	Added validation tests for malformed ASN.1 encodings and PEM formats
CompositeMLDsaContractTests.cs	Added contract tests for new export methods and error handling
CompositeMLDsaManaged.cs	Implemented actual PKCS#8 private key export functionality
CompositeMLDsa.cs	Updated private key reader to handle raw key data instead of ASN.1 wrapper

[bartonjs]

Just the one comment throwing a 2 into a binary number, then LGTM. And should be backported to 10 when ready.

[PranavSenthilnathan]

/backport to release/10.0

[github-actions]

Started backporting to release/10.0: https://github.com/dotnet/runtime/actions/runs/17869205178

[github-actions]

@PranavSenthilnathan backporting to "release/10.0" failed, the patch most likely resulted in conflicts:

$ git am --3way --empty=keep --ignore-whitespace --keep-non-patch changes.patch

Applying: SPKI and PKCS8 for Composite ML-DSA
Using index info to reconstruct a base tree...
M	src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/CompositeMLDsa/CompositeMLDsaFactoryTests.cs
Falling back to patching base and 3-way merge...
Auto-merging src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/CompositeMLDsa/CompositeMLDsaFactoryTests.cs
CONFLICT (content): Merge conflict in src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/CompositeMLDsa/CompositeMLDsaFactoryTests.cs
error: Failed to merge in the changes.
hint: Use 'git am --show-current-patch=diff' to see the failed patch
hint: When you have resolved this problem, run "git am --continue".
hint: If you prefer to skip this patch, run "git am --skip" instead.
hint: To restore the original branch and stop patching, run "git am --abort".
hint: Disable this message with "git config set advice.mergeConflict false"
Patch failed at 0001 SPKI and PKCS8 for Composite ML-DSA
Error: The process '/usr/bin/git' failed with exit code 128

Please backport manually!