Improve exceptions thrown by MLKem and MLDsaOpenSsl when key types aren't available

Author: vcsjones

src/libraries/Common/src/System/Security/Cryptography/MLDsaImplementation.Windows.cs

@@ -132,7 +132,7 @@ protected override void ExportMLDsaPrivateSeedCore(Span<byte> destination)
         {
             if (!_hasSeed)
             {
-                throw new CryptographicException(SR.Cryptography_MLDsaNoSeed);
+                throw new CryptographicException(SR.Cryptography_PqcNoSeed);
             }
 
             ExportKey(

src/libraries/Common/src/System/Security/Cryptography/MLKem.cs

@@ -1843,6 +1843,22 @@ private static string EncodeAsnWriterToPem(string label, AsnWriter writer, bool
 #endif
         }
 
+        private protected static void ThrowIfNoSeed(bool hasSeed)
+        {
+            if (!hasSeed)
+            {
+                throw new CryptographicException(SR.Cryptography_PqcNoSeed);
+            }
+        }
+
+        private protected static void ThrowIfNoDecapsulationKey(bool hasDecapsulationKey)
+        {
+            if (!hasDecapsulationKey)
+            {
+                throw new CryptographicException(SR.Cryptography_KemNoDecapsulationKey);
+            }
+        }
+
         private delegate TResult ExportPkcs8PrivateKeyFunc<TResult>(ReadOnlySpan<byte> pkcs8);
 
         private delegate AsnWriter WriteEncryptedPkcs8Func<TChar>(

src/libraries/Common/src/System/Security/Cryptography/MLKemImplementation.Windows.cs

@@ -82,6 +82,9 @@ protected override void DecapsulateCore(ReadOnlySpan<byte> ciphertext, Span<byte
             Debug.Assert(IsSupported);
             Debug.Assert(ciphertext.Length == Algorithm.CiphertextSizeInBytes);
             Debug.Assert(sharedSecret.Length == Algorithm.SharedSecretSizeInBytes);
+
+            ThrowIfNoDecapsulationKey(_hasDecapsulationKey);
+
             uint written = Interop.BCrypt.BCryptDecapsulate(_key, ciphertext, sharedSecret, 0);
             Debug.Assert(written == (uint)sharedSecret.Length);
         }
@@ -105,12 +108,16 @@ protected override void EncapsulateCore(Span<byte> ciphertext, Span<byte> shared
         protected override void ExportPrivateSeedCore(Span<byte> destination)
         {
             Debug.Assert(destination.Length == Algorithm.PrivateSeedSizeInBytes);
+
+            ThrowIfNoSeed(_hasSeed);
             ExportKey(KeyBlobMagicNumber.BCRYPT_MLKEM_PRIVATE_SEED_MAGIC, destination);
         }
 
         protected override void ExportDecapsulationKeyCore(Span<byte> destination)
         {
             Debug.Assert(destination.Length == Algorithm.DecapsulationKeySizeInBytes);
+
+            ThrowIfNoDecapsulationKey(_hasDecapsulationKey);
             ExportKey(KeyBlobMagicNumber.BCRYPT_MLKEM_PRIVATE_MAGIC, destination);
         }
 

src/libraries/Common/tests/System/Security/Cryptography/MLKemBaseTests.cs

@@ -48,8 +48,8 @@ public void ExportPrivateSeed_OnlyHasDecapsulationKey()
         {
             using MLKem kem = ImportDecapsulationKey(MLKemAlgorithm.MLKem512, MLKemTestData.MLKem512DecapsulationKey);
 
-            Assert.ThrowsAny<CryptographicException>(() => kem.ExportPrivateSeed());
-            Assert.ThrowsAny<CryptographicException>(() => kem.ExportPrivateSeed(
+            Assert.Throws<CryptographicException>(() => kem.ExportPrivateSeed());
+            Assert.Throws<CryptographicException>(() => kem.ExportPrivateSeed(
                 new byte[MLKemAlgorithm.MLKem512.PrivateSeedSizeInBytes]));
         }
 
@@ -58,8 +58,8 @@ public void ExportPrivateSeed_OnlyHasEncapsulationKey()
         {
             using MLKem kem = ImportEncapsulationKey(MLKemAlgorithm.MLKem512, MLKemTestData.MLKem512EncapsulationKey);
 
-            Assert.ThrowsAny<CryptographicException>(() => kem.ExportPrivateSeed());
-            Assert.ThrowsAny<CryptographicException>(() => kem.ExportPrivateSeed(
+            Assert.Throws<CryptographicException>(() => kem.ExportPrivateSeed());
+            Assert.Throws<CryptographicException>(() => kem.ExportPrivateSeed(
                 new byte[MLKemAlgorithm.MLKem512.PrivateSeedSizeInBytes]));
         }
 
@@ -68,8 +68,8 @@ public void ExportDecapsulationKey_OnlyHasEncapsulationKey()
         {
             using MLKem kem = ImportEncapsulationKey(MLKemAlgorithm.MLKem512, MLKemTestData.MLKem512EncapsulationKey);
 
-            Assert.ThrowsAny<CryptographicException>(() => kem.ExportDecapsulationKey());
-            Assert.ThrowsAny<CryptographicException>(() => kem.ExportDecapsulationKey(
+            Assert.Throws<CryptographicException>(() => kem.ExportDecapsulationKey());
+            Assert.Throws<CryptographicException>(() => kem.ExportDecapsulationKey(
                 new byte[MLKemAlgorithm.MLKem512.DecapsulationKeySizeInBytes]));
         }
 
@@ -344,7 +344,7 @@ public void ExportPkcs8PrivateKey_DecapsulationKey_Roundtrip()
                 using MLKem imported = MLKem.ImportPkcs8PrivateKey(pkcs8);
                 Assert.Equal(MLKemAlgorithm.MLKem512, imported.Algorithm);
 
-                Assert.ThrowsAny<CryptographicException>(() => kem.ExportPrivateSeed());
+                Assert.Throws<CryptographicException>(() => kem.ExportPrivateSeed());
                 AssertExtensions.SequenceEqual(MLKemTestData.MLKem512DecapsulationKey, kem.ExportDecapsulationKey());
             });
         }
@@ -370,7 +370,7 @@ public void ExportEncryptedPkcs8PrivateKey_DecapsulationKey_Roundtrip()
                 AssertExtensions.SequenceEqual(
                     MLKemTestData.MLKem512DecapsulationKey,
                     imported.ExportDecapsulationKey());
-                Assert.ThrowsAny<CryptographicException>(() => imported.ExportPrivateSeed());
+                Assert.Throws<CryptographicException>(() => imported.ExportPrivateSeed());
             });
         }
 

src/libraries/Microsoft.Bcl.Cryptography/src/Resources/Strings.resx

@@ -168,15 +168,15 @@
   <data name="Cryptography_KemPkcs8KeyMismatch" xml:space="preserve">
     <value>The specified PKCS#8 key contains a seed that does not match the expanded key.</value>
   </data>
+  <data name="Cryptography_KemNoDecapsulationKey" xml:space="preserve">
+    <value>The current instance does not contain a decapsulation key.</value>
+  </data>
   <data name="Cryptography_KeyWrongSizeForAlgorithm" xml:space="preserve">
     <value>The specified key is not the correct size for the indicated algorithm.</value>
   </data>
   <data name="Cryptography_MLDsaNoSecretKey" xml:space="preserve">
     <value>The current instance does not contain a secret key.</value>
   </data>
-  <data name="Cryptography_MLDsaNoSeed" xml:space="preserve">
-    <value>The current instance does not contain a seed.</value>
-  </data>
   <data name="Cryptography_MLDsaPkcs8KeyMismatch" xml:space="preserve">
     <value>The specified PKCS#8 key contains a seed that does not match the expanded key.</value>
   </data>
@@ -201,6 +201,9 @@
   <data name="Cryptography_PlaintextCiphertextLengthMismatch" xml:space="preserve">
     <value>Plaintext and ciphertext must have the same length.</value>
   </data>
+  <data name="Cryptography_PqcNoSeed" xml:space="preserve">
+    <value>The current instance does not contain a seed.</value>
+  </data>
   <data name="Cryptography_UnknownAlgorithmIdentifier" xml:space="preserve">
     <value>The algorithm identified by '{0}' is unknown, not valid for the requested usage, or was not handled.</value>
   </data>

src/libraries/System.Security.Cryptography/src/Resources/Strings.resx

@@ -525,6 +525,9 @@
   <data name="Cryptography_KemInvalidAlgorithmHandle" xml:space="preserve">
     <value>The specified EVP_PKEY handle is not a known ML-KEM algorithm.</value>
   </data>
+  <data name="Cryptography_KemNoDecapsulationKey" xml:space="preserve">
+    <value>The current instance does not contain a decapsulation key.</value>
+  </data>
   <data name="Cryptography_KemPkcs8KeyMismatch" xml:space="preserve">
     <value>The specified PKCS#8 key contains a seed that does not match the expanded key.</value>
   </data>
@@ -552,9 +555,6 @@
   <data name="Cryptography_MLDsaNoSecretKey" xml:space="preserve">
     <value>The current instance does not contain a secret key.</value>
   </data>
-  <data name="Cryptography_MLDsaNoSeed" xml:space="preserve">
-    <value>The current instance does not contain a seed.</value>
-  </data>
   <data name="Cryptography_MLDsaPkcs8KeyMismatch" xml:space="preserve">
     <value>The specified PKCS#8 key contains a seed that does not match the expanded key.</value>
   </data>
@@ -690,6 +690,9 @@
   <data name="Cryptography_PlaintextTooLarge" xml:space="preserve">
     <value>The specified plaintext size is too large.</value>
   </data>
+  <data name="Cryptography_PqcNoSeed" xml:space="preserve">
+    <value>The current instance does not contain a seed.</value>
+  </data>
   <data name="Cryptography_PrivateKey_DoesNotMatch" xml:space="preserve">
     <value>The provided key does not match the public key for this certificate.</value>
   </data>

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/MLDsaImplementation.OpenSsl.cs

@@ -73,7 +73,7 @@ protected override void ExportMLDsaPrivateSeedCore(Span<byte> destination)
         {
             if (!_hasSeed)
             {
-                throw new CryptographicException(SR.Cryptography_MLDsaNoSeed);
+                throw new CryptographicException(SR.Cryptography_PqcNoSeed);
             }
 
             Interop.Crypto.MLDsaExportSeed(_key, destination);

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/MLDsaOpenSsl.OpenSsl.cs

@@ -81,12 +81,26 @@ protected override void ExportMLDsaPublicKeyCore(Span<byte> destination) =>
             Interop.Crypto.MLDsaExportPublicKey(_key, destination);
 
         /// <inheritdoc />
-        protected override void ExportMLDsaSecretKeyCore(Span<byte> destination) =>
+        protected override void ExportMLDsaSecretKeyCore(Span<byte> destination)
+        {
+            if (!_hasSecretKey)
+            {
+                throw new CryptographicException(SR.Cryptography_MLDsaNoSecretKey);
+            }
+
             Interop.Crypto.MLDsaExportSecretKey(_key, destination);
+        }
 
         /// <inheritdoc />
-        protected override void ExportMLDsaPrivateSeedCore(Span<byte> destination) =>
+        protected override void ExportMLDsaPrivateSeedCore(Span<byte> destination)
+        {
+            if (!_hasSeed)
+            {
+                throw new CryptographicException(SR.Cryptography_PqcNoSeed);
+            }
+
             Interop.Crypto.MLDsaExportSeed(_key, destination);
+        }
 
         /// <inheritdoc />
         protected override bool TryExportPkcs8PrivateKeyCore(Span<byte> destination, out int bytesWritten)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/MLKemImplementation.OpenSsl.cs

@@ -76,6 +76,7 @@ protected override void Dispose(bool disposing)
 
         protected override void DecapsulateCore(ReadOnlySpan<byte> ciphertext, Span<byte> sharedSecret)
         {
+            ThrowIfNoDecapsulationKey(_hasDecapsulationKey);
             Interop.Crypto.EvpKemDecapsulate(_key, ciphertext, sharedSecret);
         }
 
@@ -86,11 +87,13 @@ protected override void EncapsulateCore(Span<byte> ciphertext, Span<byte> shared
 
         protected override void ExportPrivateSeedCore(Span<byte> destination)
         {
+            ThrowIfNoSeed(_hasSeed);
             Interop.Crypto.EvpKemExportPrivateSeed(_key, destination);
         }
 
         protected override void ExportDecapsulationKeyCore(Span<byte> destination)
         {
+            ThrowIfNoDecapsulationKey(_hasDecapsulationKey);
             Interop.Crypto.EvpKemExportDecapsulationKey(_key, destination);
         }
 

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/MLKemOpenSsl.OpenSsl.cs

@@ -70,6 +70,9 @@ protected override void Dispose(bool disposing)
         /// <inheritdoc />
         protected override void DecapsulateCore(ReadOnlySpan<byte> ciphertext, Span<byte> sharedSecret)
         {
+            // This cannot use _hasDecapsulationKey here because this field only indicates if it is exportable, not if
+            // it is usable. This instance could represent an ML-KEM instance with a decapsulation key in hardware,
+            // for example.
             Interop.Crypto.EvpKemDecapsulate(_key, ciphertext, sharedSecret);
         }
 
@@ -82,12 +85,14 @@ protected override void EncapsulateCore(Span<byte> ciphertext, Span<byte> shared
         /// <inheritdoc />
         protected override void ExportPrivateSeedCore(Span<byte> destination)
         {
+            ThrowIfNoSeed(_hasSeed);
             Interop.Crypto.EvpKemExportPrivateSeed(_key, destination);
         }
 
         /// <inheritdoc />
         protected override void ExportDecapsulationKeyCore(Span<byte> destination)
         {
+            ThrowIfNoDecapsulationKey(_hasDecapsulationKey);
             Interop.Crypto.EvpKemExportDecapsulationKey(_key, destination);
         }