dotnet · vcsjones · Apr 17, 2025 · Apr 15, 2025 · Apr 16, 2025 · Apr 16, 2025
diff --git a/src/libraries/Common/src/System/Security/Cryptography/MLKemImplementation.NotSupported.cs b/src/libraries/Common/src/System/Security/Cryptography/MLKemImplementation.NotSupported.cs
@@ -5,7 +5,7 @@
 
 namespace System.Security.Cryptography
 {
-    internal sealed class MLKemImplementation : MLKem
+    internal sealed partial class MLKemImplementation : MLKem
     {
         internal static new bool IsSupported => false;
 
@@ -15,30 +15,30 @@ private MLKemImplementation(MLKemAlgorithm algorithm) : base(algorithm)
             throw new PlatformNotSupportedException();
         }
 
-        internal static MLKem GenerateKeyImpl(MLKemAlgorithm algorithm)
+        internal static MLKemImplementation GenerateKeyImpl(MLKemAlgorithm algorithm)
         {
             _ = algorithm;
             Debug.Fail("Caller should have checked platform availability.");
             throw new PlatformNotSupportedException();
         }
 
-        internal static MLKem ImportPrivateSeedImpl(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source)
+        internal static MLKemImplementation ImportPrivateSeedImpl(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source)
         {
             _ = algorithm;
             _ = source;
             Debug.Fail("Caller should have checked platform availability.");
             throw new PlatformNotSupportedException();
         }
 
-        internal static MLKem ImportDecapsulationKeyImpl(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source)
+        internal static MLKemImplementation ImportDecapsulationKeyImpl(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source)
         {
             _ = algorithm;
             _ = source;
             Debug.Fail("Caller should have checked platform availability.");
             throw new PlatformNotSupportedException();
         }
 
-        internal static MLKem ImportEncapsulationKeyImpl(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source)
+        internal static MLKemImplementation ImportEncapsulationKeyImpl(MLKemAlgorithm algorithm, ReadOnlySpan<byte> source)
         {
             _ = algorithm;
             _ = source;

diff --git a/src/libraries/Common/src/System/Security/Cryptography/MLKemImplementation.cs b/src/libraries/Common/src/System/Security/Cryptography/MLKemImplementation.cs
@@ -0,0 +1,45 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System.Diagnostics;
+
+namespace System.Security.Cryptography
+{
+    internal sealed partial class MLKemImplementation : MLKem
+    {
+        /// <summary>
+        ///   Duplicates an ML-KEM private key by export/import.
+        ///   Only intended to be used when the key type is unknown.
+        /// </summary>
+        internal static MLKemImplementation DuplicatePrivateKey(MLKem key)
+        {
+            // The implementation type and any platform types (e.g. MLKemOpenSsl)
+            // should inherently know how to clone themselves without the crudeness
+            // of export/import.
+            Debug.Assert(key is not (MLKemImplementation or MLKemOpenSsl));
+
+            MLKemAlgorithm alg = key.Algorithm;
+            byte[] rented = CryptoPool.Rent(alg.DecapsulationKeySizeInBytes);
+            int size = 0;
+
+            try
+            {
+                size = alg.PrivateSeedSizeInBytes;
+                Span<byte> buffer = rented.AsSpan(0, size);
+                key.ExportPrivateSeed(buffer);
+                return ImportPrivateSeedImpl(alg, buffer);
+            }
+            catch (CryptographicException)
+            {
+                size = alg.DecapsulationKeySizeInBytes;
+                Span<byte> buffer = rented.AsSpan(0, size);
+                key.ExportDecapsulationKey(buffer);
+                return ImportDecapsulationKeyImpl(alg, buffer);
+            }
+            finally
+            {
+                CryptoPool.Return(rented, size);
+            }
+        }
+    }
+}
diff --git a/src/libraries/Common/tests/System/Security/Cryptography/MLKemTestData.cs b/src/libraries/Common/tests/System/Security/Cryptography/MLKemTestData.cs
@@ -54,12 +54,20 @@ public static class MLKemTestData
             MFQCAQAwCwYJYIZIAWUDBAQBBEKAQAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZ
             GhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=");
 
+        internal static string IetfMlKem512PrivateKeySeedPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem512PrivateKeySeed);
+
         internal static byte[] IetfMlKem512EncryptedPrivateKeySeed => field ??= Convert.FromBase64String(@"
             MIGyMFYGCSqGSIb3DQEFDTBJMDEGCSqGSIb3DQEFDDAkBBBu4zqgXqt7HTK6mTmr
             5B/aAgIIADAMBggqhkiG9w0CCQUAMBQGCCqGSIb3DQMHBAioOjwRcwdjBwRYSGy/
             LN0wpvceGrPIQr/FTvN2wRvoozbkYMC1Tzs4phJh8lbMgdLgbTA0mCK16lBWgjdi
             /vxAu7Wn/wmKjFTqvST9vKxgu8sotadxpERtJaecmAaHqMjFtA==");
 
+        internal static string IetfMlKem512EncryptedPrivateKeySeedPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem512EncryptedPrivateKeySeed);
+
         internal static byte[] IetfMlKem512PrivateKeyExpandedKey => field ??= Convert.FromBase64String(@"
             MIIGeAIBADALBglghkgBZQMEBAEEggZkBIIGYHBVT9Q2NE8nhbGzsbrBhLZnkAMz
             bCbxWn3oeMSCXGvgPzxKSA91t0hqrTHToAUYYj/SB6tSjdYnIUlYNa4AYsNnt0px
@@ -97,6 +105,10 @@ public static class MLKemTestData
             uBw7xZoGWhttY7JsgvEB/2SAY7N24rtsW3RV9lWlDC/q2t4VDvoODm82WuogISIj
             JCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw==");
 
+        internal static string IetfMlKem512PrivateKeyExpandedKeyPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem512PrivateKeyExpandedKey);
+
         internal static byte[] IetfMlKem512EncryptedPrivateKeyExpandedKey => field ??= Convert.FromBase64String(@"
             MIIG3DBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQlj5FxGXOP5cuSHuH
             VZ+GkAICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQI7I35SG76s0YEggaA
@@ -136,6 +148,10 @@ public static class MLKemTestData
             9bO6Iz/eChNTAJkI0gAyZmqkScYOiBxORGaclfQFGLznOD2umXKrv0Mb4pqXiVP8
             L6AcpfWf8A/oue1gG6wJpQeFrQJ6z+yWa/G6C/lJazw=");
 
+        internal static string IetfMlKem512EncryptedPrivateKeyExpandedKeyPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem512EncryptedPrivateKeyExpandedKey);
+
         internal static byte[] IetfMlKem512PrivateKeyBoth => field ??= Convert.FromBase64String(@"
             MIIGvgIBADALBglghkgBZQMEBAEEggaqMIIGpgRAAAECAwQFBgcICQoLDA0ODxAR
             EhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+PwSC
@@ -175,6 +191,10 @@ public static class MLKemTestData
             VfZVpQwv6treFQ76Dg5vNlrqICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9
             Pj8=");
 
+        internal static string IetfMlKem512PrivateKeyBothPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem512PrivateKeyBoth);
+
         internal static byte[] IetfMlKem512EncryptedPrivateKeyBoth => field ??= Convert.FromBase64String(@"
             MIIHJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQ5zTKk8w8fC1UNK4+
             tIDqMAICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQINW2WksGdFJ0EggbI
@@ -216,6 +236,10 @@ public static class MLKemTestData
             d/TwrYq/C1f/xaKue2pvMrjj909cxDZVq7X9E9s9aBR8m1FzUPoNkfoGIVZANitT
             1ZBGWJKA1Fw=");
 
+        internal static string IetfMlKem512EncryptedPrivateKeyBothPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem512EncryptedPrivateKeyBoth);
+
         internal static byte[] IetfMlKem512PrivateKeyDecapsulationKey => field ??= (
             "70554fd436344f2785b1b3b1bac184b6679003336c26f15a7de878c4825c6be03f3c4a480f75b7486aad31d3a00518623fd2" +
             "07ab528dd62721495835ae0062c367b74a71baf10aad0e8a2902076be31348beb15ccc0957cdebb4aff226756bbc601b6568" +
@@ -362,12 +386,20 @@ public static class MLKemTestData
             MFQCAQAwCwYJYIZIAWUDBAQCBEKAQAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZ
             GhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=");
 
+        internal static string IetfMlKem768PrivateKeySeedPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem768PrivateKeySeed);
+
         internal static byte[] IetfMlKem768EncryptedPrivateKeySeed => field ??= Convert.FromBase64String(@"
             MIGyMFYGCSqGSIb3DQEFDTBJMDEGCSqGSIb3DQEFDDAkBBDVvN7dPv1xeTQ5V4S4
             lNYAAgIIADAMBggqhkiG9w0CCQUAMBQGCCqGSIb3DQMHBAhxYX16f/Or8ARY98/3
             tAF57U+XfDsiweIKGW37VcOMgrJr4jl8Tn6E1MC9sNiSKXd5Ge93Oscm46wIYOG/
             ltLe5Ba3maubTj7Sj1UHsFIRE0NGcpha09u2JH8iHIBR4tvBtg==");
 
+        internal static string IetfMlKem768EncryptedPrivateKeySeedPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem768EncryptedPrivateKeySeed);
+
         internal static byte[] IetfMlKem768PrivateKeyExpandedKey => field ??= Convert.FromBase64String(@"
             MIIJeAIBADALBglghkgBZQMEBAIEgglkBIIJYCfSp38zdW9hII7xE6voJZWHPUq8
             cw5bXWeVKb9qTOtjg0JyMahhL0FVBRWsulLkjq2LlCgzu+aGXRPRSnnSxcPgfwoF
@@ -421,6 +453,10 @@ public static class MLKemTestData
             4ssy2ovDQvpN6gV4ok4W2Pj5ODqVt3BQ9Nn9L1cz7sHWPvPCPr+ZGBc2aacgISIj
             JCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw==");
 
+        internal static string IetfMlKem768PrivateKeyExpandedKeyPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem768PrivateKeyExpandedKey);
+
         internal static byte[] IetfMlKem768EncryptedPrivateKeyExpandedKey => field ??= Convert.FromBase64String(@"
             MIIJ3DBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQdV5wgVIICzzniNpD
             y7WD9gICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIj7uC5kmav+kEggmA
@@ -476,6 +512,10 @@ public static class MLKemTestData
             X3qZc/K8q1BBn9dqcJRIKr/dZ7Mq1U6sa5zg+sDIZvLoS/weutBuPRHP9AofQWpS
             F1JkgTbf0PrGVr3jgdaXCY/7vfsB6+utgcs1F7KfKZA=");
 
+        internal static string IetfMlKem768EncryptedPrivateKeyExpandedKeyPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem768EncryptedPrivateKeyExpandedKey);
+
         internal static byte[] IetfMlKem768PrivateKeyBoth => field ??= Convert.FromBase64String(@"
             MIIJvgIBADALBglghkgBZQMEBAIEggmqMIIJpgRAAAECAwQFBgcICQoLDA0ODxAR
             EhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+PwSC
@@ -531,6 +571,10 @@ public static class MLKemTestData
             /S9XM+7B1j7zwj6/mRgXNmmnICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9
             Pj8=");
 
+        internal static string IetfMlKem768PrivateKeyBothPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem768PrivateKeyBoth);
+
         internal static byte[] IetfMlKem768EncryptedPrivateKeyBoth => field ??= Convert.FromBase64String(@"
             MIIKJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQcdUu8kW63IlZ7x2z
             ACye4gICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQICqHaOOkCVBQEggnI
@@ -588,6 +632,10 @@ public static class MLKemTestData
             uTR1HHzBYXNcscJfaQZJcS/hbHBaCvKgEvhUYTmXbSgaD1+fNq3gbthRZhNUOfiR
             RDd5KC8EEzk=");
 
+        internal static string IetfMlKem768EncryptedPrivateKeyBothPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem768EncryptedPrivateKeyBoth);
+
         internal static byte[] IetfMlKem768PrivateKeyDecapsulationKey => field ??= (
             "27d2a77f33756f61208ef113abe82595873d4abc730e5b5d679529bf6a4ceb6383427231a8612f41550515acba52e48ead8b" +
             "942833bbe6865d13d14a79d2c5c3e07f0a056d8de7aadfcaba058c493c80b37cab8c562753bb3ba6b6ec8297f885eaa7540d" +
@@ -783,12 +831,20 @@ public static class MLKemTestData
             MFQCAQAwCwYJYIZIAWUDBAQDBEKAQAABAgMEBQYHCAkKCwwNDg8QERITFBUWFxgZ
             GhscHR4fICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9Pj8=");
 
+        internal static string IetfMlKem1024PrivateKeySeedPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem1024PrivateKeySeed);
+
         internal static byte[] IetfMlKem1024EncryptedPrivateKeySeed => field ??= Convert.FromBase64String(@"
             MIGyMFYGCSqGSIb3DQEFDTBJMDEGCSqGSIb3DQEFDDAkBBArGFO1mU77a3ys0aR0
             +mWBAgIIADAMBggqhkiG9w0CCQUAMBQGCCqGSIb3DQMHBAh48Gqhu7YOpwRYPR66
             W02NrqRok/CagC9uo/viGlLLC5CUl4Y9cE3ZCEwfDxFufNeALt2Kusg+gJLMSq16
             g6YgQHQJeKZusLSnwzxOutuyKKgbGuIWxFBmtDZrXDjCO913Ow==");
 
+        internal static string IetfMlKem1024EncryptedPrivateKeySeedPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem1024EncryptedPrivateKeySeed);
+
         internal static byte[] IetfMlKem1024PrivateKeyExpandedKey => field ??= Convert.FromBase64String(@"
             MIIMeAIBADALBglghkgBZQMEBAMEggxkBIIMYPd7f2sVxz/izFRrZ/t3TKGbQs1G
             Pqn7uYTKR3p3tscQh8vwUavkc2qQcsbocMgxHFWWP1AKPHsbjypYVY9JxiUntsWU
@@ -858,6 +914,10 @@ public static class MLKemTestData
             7VjcYod2uYOILhF1YTSeXBMafhFqBGOGHX0YZjxWJ8OMcUfdqt/Uis16RTUgISIj
             JCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+Pw==");
 
+        internal static string IetfMlKem1024PrivateKeyExpandedKeyPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem1024PrivateKeyExpandedKey);
+
         internal static byte[] IetfMlKem1024EncryptedPrivateKeyExpandedKey => field ??= Convert.FromBase64String(@"
             MIIM3DBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQE/G+HHo48gCgwImJ
             HbfEggICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIlT+E3yFzlnkEggyA
@@ -929,6 +989,10 @@ public static class MLKemTestData
             hi5UqCzJNmdxMEtwwyVHXuQBnNUlgl2/c4XAFIUwnQ11SM7UFPDwkDYzj529XwqA
             00ExhHl+b5Un8kb2eyOSe9UgG+cAMgA+m892u4ZKOSE=");
 
+        internal static string IetfMlKem1024EncryptedPrivateKeyExpandedKeyPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem1024EncryptedPrivateKeyExpandedKey);
+
         internal static byte[] IetfMlKem1024PrivateKeyBoth => field ??= Convert.FromBase64String(@"
             MIIMvgIBADALBglghkgBZQMEBAMEggyqMIIMpgRAAAECAwQFBgcICQoLDA0ODxAR
             EhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4vMDEyMzQ1Njc4OTo7PD0+PwSC
@@ -1000,6 +1064,10 @@ public static class MLKemTestData
             GGY8VifDjHFH3arf1IrNekU1ICEiIyQlJicoKSorLC0uLzAxMjM0NTY3ODk6Ozw9
             Pj8=");
 
+        internal static string IetfMlKem1024PrivateKeyBothPem => field ??= PemEncoding.WriteString(
+            "PRIVATE KEY",
+            IetfMlKem1024PrivateKeyBoth);
+
         internal static byte[] IetfMlKem1024EncryptedPrivateKeyBoth => field ??= Convert.FromBase64String(@"
             MIINJDBWBgkqhkiG9w0BBQ0wSTAxBgkqhkiG9w0BBQwwJAQQVR0rwDXJnxYGA7N9
             /eveiQICCAAwDAYIKoZIhvcNAgkFADAUBggqhkiG9w0DBwQIzvch3uhQ1pEEggzI
@@ -1073,6 +1141,10 @@ public static class MLKemTestData
             9xpeir1cJ7dnmi2BncLvSCQDgnPUfs4awqmONkcqE4VtYzi10s588zWtXZcH3ar7
             FIgRVDi1lQg=");
 
+        internal static string IetfMlKem1024EncryptedPrivateKeyBothPem => field ??= PemEncoding.WriteString(
+            "ENCRYPTED PRIVATE KEY",
+            IetfMlKem1024EncryptedPrivateKeyBoth);
+
         internal static byte[] IetfMlKem1024PrivateKeyDecapsulationKey => field ??= (
             "f77b7f6b15c73fe2cc546b67fb774ca19b42cd463ea9fbb984ca477a77b6c71087cbf051abe4736a9072c6e870c8311c5596" +
             "3f500a3c7b1b8f2a58558f49c62527b6c594b5e7acb3bcf597273a5743517d151208bd4aa61e75ba67b0bd594a994919627a" +

diff --git a/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs b/src/libraries/System.Security.Cryptography/ref/System.Security.Cryptography.cs
@@ -3520,6 +3520,8 @@ public X509Certificate2(string fileName, string? password, System.Security.Crypt
         public System.Security.Cryptography.X509Certificates.X509Certificate2 CopyWithPrivateKey(System.Security.Cryptography.ECDiffieHellman privateKey) { throw null; }
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
         public System.Security.Cryptography.X509Certificates.X509Certificate2 CopyWithPrivateKey(System.Security.Cryptography.MLDsa privateKey) { throw null; }
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
+        public System.Security.Cryptography.X509Certificates.X509Certificate2 CopyWithPrivateKey(System.Security.Cryptography.MLKem privateKey) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
         public static System.Security.Cryptography.X509Certificates.X509Certificate2 CreateFromEncryptedPem(System.ReadOnlySpan<char> certPem, System.ReadOnlySpan<char> keyPem, System.ReadOnlySpan<char> password) { throw null; }
         [System.Runtime.Versioning.UnsupportedOSPlatformAttribute("browser")]
@@ -3544,6 +3546,8 @@ public X509Certificate2(string fileName, string? password, System.Security.Crypt
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
         public System.Security.Cryptography.MLDsa? GetMLDsaPublicKey() { throw null; }
         [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
+        public System.Security.Cryptography.MLKem? GetMLKemPrivateKey() { throw null; }
+        [System.Diagnostics.CodeAnalysis.ExperimentalAttribute("SYSLIB5006")]
         public System.Security.Cryptography.MLKem? GetMLKemPublicKey() { throw null; }
         public string GetNameInfo(System.Security.Cryptography.X509Certificates.X509NameType nameType, bool forIssuer) { throw null; }
         [System.ObsoleteAttribute("X509Certificate and X509Certificate2 are immutable. Use X509CertificateLoader to create a new certificate.", DiagnosticId="SYSLIB0026", UrlFormat="https://aka.ms/dotnet-warnings/{0}")]