Skip to content

Support HashML-DSA on Windows#117613

Merged
vcsjones merged 9 commits intodotnet:mainfrom
vcsjones:win-prehash-mldsa
Jul 16, 2025
Merged

Support HashML-DSA on Windows#117613
vcsjones merged 9 commits intodotnet:mainfrom
vcsjones:win-prehash-mldsa

Conversation

@vcsjones
Copy link
Member

@vcsjones vcsjones commented Jul 14, 2025
edited
Loading

This introduces HashML-DSA on Windows through CNG ncrypt and bcrypt.

This also restricts what hash algorithms can be used by which ML-DSA parameter set. Windows currently enforces this, which has been brought to the base class for consistency. Windows may relax this requirement in the future.

Contributes to #113502

Copilot AI review requested due to automatic review settings July 14, 2025 17:06
@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Jul 14, 2025

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot AI reviewed Jul 14, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds support for HashML-DSA (Hash-based ML-DSA) on Windows through CNG (Cryptography Next Generation) APIs. The implementation introduces platform-specific restrictions on hash algorithm and ML-DSA parameter combinations that Windows enforces, unlike the more permissive OpenSSL implementation.

Key changes include:

  • Implementation of HashML-DSA signing and verification for Windows using BCrypt and NCrypt APIs
  • Addition of hash algorithm mapping with Windows-specific restrictions
  • Updated test infrastructure to handle platform-specific algorithm combinations

Reviewed Changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj Added reference to new MLDsa.Windows.cs file
src/libraries/System.Security.Cryptography/src/Resources/Strings.resx Added error message for unsupported hash/ML-DSA combinations
src/libraries/Microsoft.Bcl.Cryptography/src/System/Security/Cryptography/HashAlgorithmNames.cs Added constants for MD5, SHAKE128, and SHAKE256 hash algorithms
src/libraries/Microsoft.Bcl.Cryptography/src/Resources/Strings.resx Added error message for unsupported hash/ML-DSA combinations
src/libraries/Microsoft.Bcl.Cryptography/src/Microsoft.Bcl.Cryptography.csproj Moved HashAlgorithmNames.cs to be available for all target frameworks
src/libraries/Common/tests/System/Security/Cryptography/HashInfo.cs Updated hash algorithm names from "BOGUS-" prefixed to actual names
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestsData.cs Updated test cases to handle Windows-specific restrictions
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestsBase.cs Updated tests to use SHA-512 instead of SHA-256 and added Windows-specific restriction tests
src/libraries/Common/src/System/Security/Cryptography/MLDsaImplementation.Windows.cs Implemented HashML-DSA signing and verification using BCrypt APIs
src/libraries/Common/src/System/Security/Cryptography/MLDsaCng.Windows.cs Implemented HashML-DSA signing and verification using NCrypt APIs
src/libraries/Common/src/System/Security/Cryptography/MLDsa.Windows.cs Added hash algorithm OID to CNG identifier mapping with Windows restrictions
src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptVerifySignature.cs Added BCrypt signature verification method for pre-hashed data
src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptSignHash.cs Added BCrypt signature creation method for pre-hashed data

@vcsjones
Fix grammar.
6bec51b 
Co-authored-by: Copilot <[email protected]>
PranavSenthilnathan
PranavSenthilnathan reviewed Jul 14, 2025
View reviewed changes
This was referenced Jul 15, 2025
Open
Open
Closed
Closed
Closed
Closed
@build-analysis build-analysis bot mentioned this pull request Jul 16, 2025
Closed
@vcsjones
Copy link
Member Author

vcsjones commented Jul 16, 2025

@bartonjs I think this can be ba-ged.

@bartonjs
Copy link
Member

bartonjs commented Jul 16, 2025

/ba-g None of the failures are relevant; the OSes applicable to this change all ran successfully.

@vcsjones vcsjones merged commit aa122ad into dotnet:main Jul 16, 2025
85 of 89 checks passed
@vcsjones vcsjones deleted the win-prehash-mldsa branch July 16, 2025 21:38
@vcsjones vcsjones added this to the 10.0.0 milestone Jul 24, 2025
@github-actions github-actions bot locked and limited conversation to collaborators Aug 23, 2025
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

@PranavSenthilnathan PranavSenthilnathan PranavSenthilnathan left review comments

Copilot code review Copilot Copilot left review comments

@bartonjs bartonjs bartonjs approved these changes

Assignees

@vcsjones vcsjones

Labels

area-System.Security

Projects

None yet

Milestone

10.0.0

Development

Successfully merging this pull request may close these issues.

4 participants

@vcsjones @bartonjs @PranavSenthilnathan