[release/10.0] Composite ML-DSA Draft 12 and 13 updates (#120601, #120961) (#121555)

Backport of #120601 and #120961 to release/10.0

# Description

Backports Draft 12 and Draft 13 spec changes for Composite ML-DSA. This
PR combines two related updates:

**Draft 12 changes (#120601):**
- Mandate parameters field in ECPrivateKey (previously omitted)
- `CompositeMLDsaAlgorithm.cs`: Calculate parameters field size for EC
curves (P256/P384/P521/brainpool variants)
- `CompositeMLDsaManaged.ECDsa.cs`: Validate parameters presence and
curve match; write parameters with context-specific tag [0]
- `CompositeMLDsaManaged.cs`: Update spec references from draft-08 to
draft-12
- Test updates: Add validation for wrong/missing/implicit/explicit
curves; update expected key sizes per spec Table 4

**Draft 13 changes (#120961):**
- Update OIDs from experimental range (2.16.840.1.114027.80.9.1.*) to
official IANA-assigned range (1.3.6.1.5.5.7.6.*)
- `Oids.cs`: Update all Composite ML-DSA OID constants to new range
- `CompositeMLDsaManaged.cs`: Add "ECDSA" to domain separation strings
(e.g., "COMPSIG-MLDSA65-P256-SHA512" →
"COMPSIG-MLDSA65-ECDSA-P256-SHA512")
- Test data and helpers: Update to reflect new OIDs and domain strings

# Customer Impact

Without these fixes, Composite ML-DSA keys generated in .NET 10 would
not conform to Draft 12 and Draft 13 of the IETF spec, causing
interoperability failures with other implementations following the
updated standards.

# Regression

No. This updates implementation to match spec evolution from Draft 8 to
Draft 13.

# Testing

All 1,015 CompositeMLDsa tests pass. Added test coverage for:
- Wrong curve OID rejection
- Missing parameters rejection  
- Implicit curve parameters rejection
- Explicit curve parameters rejection
- Correct parameter serialization for all supported curves
- New OID and domain string validation

# Risk

Low. Changes are confined to Composite ML-DSA implementation (preview
feature). Validates existing behavior is maintained while adding
required spec compliance. Breaking changes are intentional and necessary
for spec conformance.

<!-- START COPILOT CODING AGENT TIPS -->
---

✨ Let Copilot coding agent [set things up for
you](https://github.com/dotnet/runtime/issues/new?title=✨+Set+up+Copilot+instructions&body=Configure%20instructions%20for%20this%20repository%20as%20documented%20in%20%5BBest%20practices%20for%20Copilot%20coding%20agent%20in%20your%20repository%5D%28https://gh.io/copilot-coding-agent-tips%29%2E%0A%0A%3COnboard%20this%20repo%3E&assignees=copilot)
— coding agent works faster and does higher quality work when set up for
your repo.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: Pranav Senthilnathan <pranas@microsoft.com>
Co-authored-by: Kevin Jones <vcsjones@github.com>

Author: 3 people

src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaAlgorithm.cs

@@ -473,23 +473,67 @@ private static CompositeMLDsaAlgorithm CreateECDsa(
             //   publicKey  [1] BIT STRING OPTIONAL
             // }
 
+            // version
+
             int versionSizeInBytes =
                 1 + // Tag for INTEGER
                 1 + // Length field
                 1;  // Value (always 1)
 
+            // privateKey
+
             int privateKeySizeInBytes =
                 1 +                                     // Tag for OCTET STRING
                 GetDerLengthLength(keySizeInBytes) +    // Length field
                 keySizeInBytes;                         // Value
 
-            // parameters and publicKey must be omitted for Composite ML-DSA
+            // parameters
+
+            int namedCurveSizeInBytes =
+                oid switch
+                {
+                    Oids.MLDsa44WithECDsaP256PreHashSha256 or
+                    Oids.MLDsa65WithECDsaP256PreHashSha512 =>
+                        // 1.2.840.10045.3.1.7
+                        // 06 08 2A 86 48 CE 3D 03 01 07
+                        10,
+                    Oids.MLDsa65WithECDsaP384PreHashSha512 or
+                    Oids.MLDsa87WithECDsaP384PreHashSha512 =>
+                        // 1.3.132.0.34
+                        // 06 05 2B 81 04 00 22
+                        7,
+                    Oids.MLDsa87WithECDsaP521PreHashSha512 =>
+                        // 1.3.132.0.35
+                        // 06 05 2B 81 04 00 23
+                        7,
+                    Oids.MLDsa65WithECDsaBrainpoolP256r1PreHashSha512 =>
+                        // 1.3.36.3.3.2.8.1.1.7
+                        // 06 09 2B 24 03 03 02 08 01 01 07
+                        11,
+                    Oids.MLDsa87WithECDsaBrainpoolP384r1PreHashSha512 =>
+                        // 1.3.36.3.3.2.8.1.1.11
+                        // 06 09 2B 24 03 03 02 08 01 01 0B
+                        11,
+                    _ => AssertAndThrow(oid),
+                };
+
+            static int AssertAndThrow(string oid)
+            {
+                Debug.Fail($"Unsupported OID: {oid}.");
+                throw new CryptographicException();
+            }
+
+            int parametersSizeInBytes =
+                1 +                                         // Context-specific tag for [0]
+                GetDerLengthLength(namedCurveSizeInBytes) + // Length field
+                namedCurveSizeInBytes;                      // Value
+
+            // publicKey must be omitted for Composite ML-DSA
 
             int ecPrivateKeySizeInBytes =
-                1 +                                                                 // Tag for SEQUENCE
-                GetDerLengthLength(versionSizeInBytes + privateKeySizeInBytes) +    // Length field
-                versionSizeInBytes +                                                // Version
-                privateKeySizeInBytes;
+                1 +                                                                                         // Tag for SEQUENCE
+                GetDerLengthLength(versionSizeInBytes + privateKeySizeInBytes + parametersSizeInBytes) +    // Length field
+                versionSizeInBytes + privateKeySizeInBytes + parametersSizeInBytes;                         // Value
 
             return new CompositeMLDsaAlgorithm(
                 name,

src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaManaged.ECDsa.cs

@@ -72,12 +72,17 @@ public static unsafe ECDsaComponent ImportPrivateKey(ECDsaAlgorithm algorithm, R
                         ECPrivateKey ecPrivateKey = ECPrivateKey.Decode(manager.Memory, AsnEncodingRules.BER);
 
                         if (ecPrivateKey.Version != 1 ||
-                            ecPrivateKey.Parameters is not null ||
                             ecPrivateKey.PublicKey is not null)
                         {
                             throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
                         }
 
+                        if (ecPrivateKey.Parameters?.Named != algorithm.CurveOidValue)
+                        {
+                            // The curve specified must be named and match the required curve for the Composite ML-DSA algorithm.
+                            throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding);
+                        }
+
                         byte[] d = new byte[ecPrivateKey.PrivateKey.Length];
 
                         using (PinAndClear.Track(d))
@@ -206,7 +211,7 @@ internal override bool TryExportPrivateKey(Span<byte> destination, out int bytes
 
                     try
                     {
-                        WriteKey(ecParameters.D, writer);
+                        WriteKey(ecParameters.D, _algorithm.CurveOidValue, writer);
                         return writer.TryEncode(destination, out bytesWritten);
                     }
                     finally
@@ -239,7 +244,7 @@ internal override bool TryExportPrivateKey(Span<byte> destination, out int bytes
                                         throw new CryptographicException();
                                     }
 
-                                    WriteKey(d, writer);
+                                    WriteKey(d, _algorithm.CurveOidValue, writer);
                                     return true;
                                 });
                         });
@@ -252,7 +257,7 @@ internal override bool TryExportPrivateKey(Span<byte> destination, out int bytes
                 }
 #endif
 
-                static void WriteKey(byte[] d, AsnWriter writer)
+                static void WriteKey(byte[] d, string curveOid, AsnWriter writer)
                 {
                     // ECPrivateKey
                     using (writer.PushSequence())
@@ -262,6 +267,12 @@ static void WriteKey(byte[] d, AsnWriter writer)
 
                         // privateKey
                         writer.WriteOctetString(d);
+
+                        // parameters
+                        using (writer.PushSequence(new Asn1Tag(TagClass.ContextSpecific, 0, isConstructed: true)))
+                        {
+                            writer.WriteObjectIdentifier(curveOid);
+                        }
                     }
                 }
             }

src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaManaged.cs

@@ -62,7 +62,7 @@ internal static CompositeMLDsa GenerateKeyImpl(CompositeMLDsaAlgorithm algorithm
 
             AlgorithmMetadata metadata = s_algorithmMetadata[algorithm];
 
-            // draft-ietf-lamps-pq-composite-sigs-08, 4.1
+            // draft-ietf-lamps-pq-composite-sigs-12, 4.1
             // 1. Generate component keys
             //
             //    mldsaSeed = Random(32)
@@ -115,7 +115,7 @@ internal static CompositeMLDsa ImportCompositeMLDsaPublicKeyImpl(CompositeMLDsaA
 
             AlgorithmMetadata metadata = s_algorithmMetadata[algorithm];
 
-            // draft-ietf-lamps-pq-composite-sigs-08, 5.1
+            // draft-ietf-lamps-pq-composite-sigs-12, 5.1
             // 1. Parse each constituent encoded public key.
             //    The length of the mldsaKey is known based on the
             //    size of the ML-DSA component key length specified
@@ -167,7 +167,7 @@ internal static CompositeMLDsa ImportCompositeMLDsaPrivateKeyImpl(CompositeMLDsa
 
             AlgorithmMetadata metadata = s_algorithmMetadata[algorithm];
 
-            // draft-ietf-lamps-pq-composite-sigs-08, 5.2
+            // draft-ietf-lamps-pq-composite-sigs-12, 5.2
             // 1. Parse each constituent encoded key.
             //
             //    mldsaSeed = bytes[:32]
@@ -203,7 +203,7 @@ static CryptographicException FailAndGetException()
 
         protected override int SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, Span<byte> destination)
         {
-            // draft-ietf-lamps-pq-composite-sigs-08, 4.2
+            // draft-ietf-lamps-pq-composite-sigs-12, 4.2
             // 1. If len(ctx) > 255:
             //     return error
 
@@ -287,7 +287,7 @@ protected override int SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte>
 
         protected override bool VerifyDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, ReadOnlySpan<byte> signature)
         {
-            // draft-ietf-lamps-pq-composite-sigs-08, 4.3
+            // draft-ietf-lamps-pq-composite-sigs-12, 4.3
             // 1. If len(ctx) > 255
             //      return error
 
@@ -375,7 +375,7 @@ protected override bool TryExportPkcs8PrivateKeyCore(Span<byte> destination, out
 
         protected override int ExportCompositeMLDsaPublicKeyCore(Span<byte> destination)
         {
-            // draft-ietf-lamps-pq-composite-sigs-08, 5.1
+            // draft-ietf-lamps-pq-composite-sigs-12, 5.1
             // 1. Combine and output the encoded public key
             //
             //    output mldsaPK || tradPK
@@ -397,7 +397,7 @@ protected override int ExportCompositeMLDsaPublicKeyCore(Span<byte> destination)
 
         protected override int ExportCompositeMLDsaPrivateKeyCore(Span<byte> destination)
         {
-            // draft-ietf-lamps-pq-composite-sigs-08, 5.2
+            // draft-ietf-lamps-pq-composite-sigs-12, 5.2
             // 1. Combine and output the encoded private key.
             //
             //    output mldsaSeed || tradSK
@@ -626,23 +626,23 @@ private static Dictionary<CompositeMLDsaAlgorithm, AlgorithmMetadata> CreateAlgo
                     new AlgorithmMetadata(
                         MLDsaAlgorithm.MLDsa65,
                         ECDsaAlgorithm.CreateP256(HashAlgorithmName.SHA256),
-                        [.."COMPSIG-MLDSA65-P256-SHA512"u8],
+                        [.."COMPSIG-MLDSA65-ECDSA-P256-SHA512"u8],
                         HashAlgorithmName.SHA512)
                 },
                 {
                     CompositeMLDsaAlgorithm.MLDsa65WithECDsaP384,
                     new AlgorithmMetadata(
                         MLDsaAlgorithm.MLDsa65,
                         ECDsaAlgorithm.CreateP384(HashAlgorithmName.SHA384),
-                        [.."COMPSIG-MLDSA65-P384-SHA512"u8],
+                        [.."COMPSIG-MLDSA65-ECDSA-P384-SHA512"u8],
                         HashAlgorithmName.SHA512)
                 },
                 {
                     CompositeMLDsaAlgorithm.MLDsa65WithECDsaBrainpoolP256r1,
                     new AlgorithmMetadata(
                         MLDsaAlgorithm.MLDsa65,
                         ECDsaAlgorithm.CreateBrainpoolP256r1(HashAlgorithmName.SHA256),
-                        [.."COMPSIG-MLDSA65-BP256-SHA512"u8],
+                        [.."COMPSIG-MLDSA65-ECDSA-BP256-SHA512"u8],
                         HashAlgorithmName.SHA512)
                 },
                 {
@@ -658,15 +658,15 @@ private static Dictionary<CompositeMLDsaAlgorithm, AlgorithmMetadata> CreateAlgo
                     new AlgorithmMetadata(
                         MLDsaAlgorithm.MLDsa87,
                         ECDsaAlgorithm.CreateP384(HashAlgorithmName.SHA384),
-                        [.."COMPSIG-MLDSA87-P384-SHA512"u8],
+                        [.."COMPSIG-MLDSA87-ECDSA-P384-SHA512"u8],
                         HashAlgorithmName.SHA512)
                 },
                 {
                     CompositeMLDsaAlgorithm.MLDsa87WithECDsaBrainpoolP384r1,
                     new AlgorithmMetadata(
                         MLDsaAlgorithm.MLDsa87,
                         ECDsaAlgorithm.CreateBrainpoolP384r1(HashAlgorithmName.SHA384),
-                        [.."COMPSIG-MLDSA87-BP384-SHA512"u8],
+                        [.."COMPSIG-MLDSA87-ECDSA-BP384-SHA512"u8],
                         HashAlgorithmName.SHA512)
                 },
                 {
@@ -698,7 +698,7 @@ private static Dictionary<CompositeMLDsaAlgorithm, AlgorithmMetadata> CreateAlgo
                     new AlgorithmMetadata(
                         MLDsaAlgorithm.MLDsa87,
                         ECDsaAlgorithm.CreateP521(HashAlgorithmName.SHA512),
-                        [.."COMPSIG-MLDSA87-P521-SHA512"u8],
+                        [.."COMPSIG-MLDSA87-ECDSA-P521-SHA512"u8],
                         HashAlgorithmName.SHA512)
                 }
             };

src/libraries/Common/src/System/Security/Cryptography/Oids.cs

@@ -135,24 +135,24 @@ internal static partial class Oids
         internal const string Mgf1 = "1.2.840.113549.1.1.8";
         internal const string PSpecified = "1.2.840.113549.1.1.9";
 
-        internal const string MLDsa44WithRSA2048PssPreHashSha256 = "2.16.840.1.114027.80.9.1.20";
-        internal const string MLDsa44WithRSA2048Pkcs15PreHashSha256 = "2.16.840.1.114027.80.9.1.21";
-        internal const string MLDsa44WithEd25519PreHashSha512 = "2.16.840.1.114027.80.9.1.22";
-        internal const string MLDsa44WithECDsaP256PreHashSha256 = "2.16.840.1.114027.80.9.1.23";
-        internal const string MLDsa65WithRSA3072PssPreHashSha512 = "2.16.840.1.114027.80.9.1.24";
-        internal const string MLDsa65WithRSA3072Pkcs15PreHashSha512 = "2.16.840.1.114027.80.9.1.25";
-        internal const string MLDsa65WithRSA4096PssPreHashSha512 = "2.16.840.1.114027.80.9.1.26";
-        internal const string MLDsa65WithRSA4096Pkcs15PreHashSha512 = "2.16.840.1.114027.80.9.1.27";
-        internal const string MLDsa65WithECDsaP256PreHashSha512 = "2.16.840.1.114027.80.9.1.28";
-        internal const string MLDsa65WithECDsaP384PreHashSha512 = "2.16.840.1.114027.80.9.1.29";
-        internal const string MLDsa65WithECDsaBrainpoolP256r1PreHashSha512 = "2.16.840.1.114027.80.9.1.30";
-        internal const string MLDsa65WithEd25519PreHashSha512 = "2.16.840.1.114027.80.9.1.31";
-        internal const string MLDsa87WithECDsaP384PreHashSha512 = "2.16.840.1.114027.80.9.1.32";
-        internal const string MLDsa87WithECDsaBrainpoolP384r1PreHashSha512 = "2.16.840.1.114027.80.9.1.33";
-        internal const string MLDsa87WithEd448PreHashShake256_512 = "2.16.840.1.114027.80.9.1.34";
-        internal const string MLDsa87WithRSA3072PssPreHashSha512 = "2.16.840.1.114027.80.9.1.35";
-        internal const string MLDsa87WithRSA4096PssPreHashSha512 = "2.16.840.1.114027.80.9.1.36";
-        internal const string MLDsa87WithECDsaP521PreHashSha512 = "2.16.840.1.114027.80.9.1.37";
+        internal const string MLDsa44WithRSA2048PssPreHashSha256 = "1.3.6.1.5.5.7.6.37";
+        internal const string MLDsa44WithRSA2048Pkcs15PreHashSha256 = "1.3.6.1.5.5.7.6.38";
+        internal const string MLDsa44WithEd25519PreHashSha512 = "1.3.6.1.5.5.7.6.39";
+        internal const string MLDsa44WithECDsaP256PreHashSha256 = "1.3.6.1.5.5.7.6.40";
+        internal const string MLDsa65WithRSA3072PssPreHashSha512 = "1.3.6.1.5.5.7.6.41";
+        internal const string MLDsa65WithRSA3072Pkcs15PreHashSha512 = "1.3.6.1.5.5.7.6.42";
+        internal const string MLDsa65WithRSA4096PssPreHashSha512 = "1.3.6.1.5.5.7.6.43";
+        internal const string MLDsa65WithRSA4096Pkcs15PreHashSha512 = "1.3.6.1.5.5.7.6.44";
+        internal const string MLDsa65WithECDsaP256PreHashSha512 = "1.3.6.1.5.5.7.6.45";
+        internal const string MLDsa65WithECDsaP384PreHashSha512 = "1.3.6.1.5.5.7.6.46";
+        internal const string MLDsa65WithECDsaBrainpoolP256r1PreHashSha512 = "1.3.6.1.5.5.7.6.47";
+        internal const string MLDsa65WithEd25519PreHashSha512 = "1.3.6.1.5.5.7.6.48";
+        internal const string MLDsa87WithECDsaP384PreHashSha512 = "1.3.6.1.5.5.7.6.49";
+        internal const string MLDsa87WithECDsaBrainpoolP384r1PreHashSha512 = "1.3.6.1.5.5.7.6.50";
+        internal const string MLDsa87WithEd448PreHashShake256_512 = "1.3.6.1.5.5.7.6.51";
+        internal const string MLDsa87WithRSA3072PssPreHashSha512 = "1.3.6.1.5.5.7.6.52";
+        internal const string MLDsa87WithRSA4096PssPreHashSha512 = "1.3.6.1.5.5.7.6.53";
+        internal const string MLDsa87WithECDsaP521PreHashSha512 = "1.3.6.1.5.5.7.6.54";
 
         // PKCS#7
         internal const string NoSignature = "1.3.6.1.5.5.7.6.2";