Stabilize ML-DSA X.509 PKIs with published RFC 9881.

src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml

@@ -6,7 +6,7 @@
   emitType="ref">
 
   <!--
-    https://github.com/lamps-wg/dilithium-certificates/blob/5b23428b08a53aacdb89d93422b81228433e34d8/draft-ietf-lamps-dilithium-certificates.md
+    https://datatracker.ietf.org/doc/rfc9881/ Appendix A.
 
 ML-DSA-44-PrivateKey ::= CHOICE {
   seed [0] OCTET STRING (SIZE (32)),

src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml

@@ -6,11 +6,11 @@
   emitType="ref">
 
   <!--
-    https://github.com/lamps-wg/dilithium-certificates/blob/5b23428b08a53aacdb89d93422b81228433e34d8/draft-ietf-lamps-dilithium-certificates.md
+    https://datatracker.ietf.org/doc/rfc9881/ Appendix A.
 
   both SEQUENCE {
       seed OCTET STRING (SIZE (32)),
-      expandedKey OCTET STRING (SIZE (2560))
+      expandedKey OCTET STRING (SIZE (2560 / 4032 / 4896))
       }
   -->
   <asn:OctetString name="Seed" />

src/libraries/Common/src/System/Security/Cryptography/MLDsa.cs

@@ -665,7 +665,6 @@ public bool VerifyMu(ReadOnlySpan<byte> externalMu, ReadOnlySpan<byte> signature
         /// <exception cref="CryptographicException">
         ///   An error occurred while exporting the key.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public byte[] ExportSubjectPublicKeyInfo()
         {
             ThrowIfDisposed();
@@ -695,7 +694,6 @@ public byte[] ExportSubjectPublicKeyInfo()
         /// <exception cref="CryptographicException">
         ///   An error occurred while exporting the key.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public bool TryExportSubjectPublicKeyInfo(Span<byte> destination, out int bytesWritten)
         {
             ThrowIfDisposed();
@@ -718,7 +716,6 @@ public bool TryExportSubjectPublicKeyInfo(Span<byte> destination, out int bytesW
         /// <exception cref="CryptographicException">
         ///   An error occurred while exporting the key.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public string ExportSubjectPublicKeyInfoPem()
         {
             ThrowIfDisposed();
@@ -745,7 +742,6 @@ public string ExportSubjectPublicKeyInfoPem()
         ///   <para>-or-</para>
         ///   <para>An error occurred while exporting the key.</para>
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public byte[] ExportPkcs8PrivateKey()
         {
             ThrowIfDisposed();
@@ -774,7 +770,6 @@ public byte[] ExportPkcs8PrivateKey()
         /// <exception cref="CryptographicException">
         ///   An error occurred while exporting the key.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public bool TryExportPkcs8PrivateKey(Span<byte> destination, out int bytesWritten)
         {
             ThrowIfDisposed();
@@ -818,7 +813,6 @@ public bool TryExportPkcs8PrivateKey(Span<byte> destination, out int bytesWritte
         /// <exception cref="CryptographicException">
         ///   An error occurred while exporting the key.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         protected abstract bool TryExportPkcs8PrivateKeyCore(Span<byte> destination, out int bytesWritten);
 
         /// <summary>
@@ -834,7 +828,6 @@ public bool TryExportPkcs8PrivateKey(Span<byte> destination, out int bytesWritte
         /// <exception cref="CryptographicException">
         ///   An error occurred while exporting the key.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public string ExportPkcs8PrivateKeyPem()
         {
             ThrowIfDisposed();
@@ -869,7 +862,6 @@ public string ExportPkcs8PrivateKeyPem()
         ///   <para>-or-</para>
         ///   <para>An error occurred while exporting the key.</para>
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public byte[] ExportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password, PbeParameters pbeParameters)
         {
             ArgumentNullException.ThrowIfNull(pbeParameters);
@@ -917,7 +909,6 @@ public byte[] ExportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password, PbePar
         ///   <para>-or-</para>
         ///   <para>An error occurred while exporting the key.</para>
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public byte[] ExportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBytes, PbeParameters pbeParameters)
         {
             ArgumentNullException.ThrowIfNull(pbeParameters);
@@ -940,7 +931,6 @@ public byte[] ExportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBytes, P
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="password"/> or <paramref name="pbeParameters"/> is <see langword="null"/>.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public byte[] ExportEncryptedPkcs8PrivateKey(string password, PbeParameters pbeParameters)
         {
             ArgumentNullException.ThrowIfNull(password);
@@ -984,7 +974,6 @@ public byte[] ExportEncryptedPkcs8PrivateKey(string password, PbeParameters pbeP
         ///   <para>-or-</para>
         ///   <para>An error occurred while exporting the key.</para>
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public bool TryExportEncryptedPkcs8PrivateKey(
             ReadOnlySpan<char> password,
             PbeParameters pbeParameters,
@@ -1045,7 +1034,6 @@ public bool TryExportEncryptedPkcs8PrivateKey(
         ///   <para>-or-</para>
         ///   <para>An error occurred while exporting the key.</para>
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public bool TryExportEncryptedPkcs8PrivateKey(
             ReadOnlySpan<byte> passwordBytes,
             PbeParameters pbeParameters,
@@ -1072,7 +1060,6 @@ public bool TryExportEncryptedPkcs8PrivateKey(
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="password"/> or <paramref name="pbeParameters"/> is <see langword="null"/>.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public bool TryExportEncryptedPkcs8PrivateKey(
             string password,
             PbeParameters pbeParameters,
@@ -1112,7 +1099,6 @@ public bool TryExportEncryptedPkcs8PrivateKey(
         ///   <para>-or-</para>
         ///   <para>An error occurred while exporting the key.</para>
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public string ExportEncryptedPkcs8PrivateKeyPem(
             ReadOnlySpan<char> password,
             PbeParameters pbeParameters)
@@ -1157,7 +1143,6 @@ public string ExportEncryptedPkcs8PrivateKeyPem(
         ///   <para>-or-</para>
         ///   <para>An error occurred while exporting the key.</para>
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public string ExportEncryptedPkcs8PrivateKeyPem(
             ReadOnlySpan<byte> passwordBytes,
             PbeParameters pbeParameters)
@@ -1176,7 +1161,6 @@ public string ExportEncryptedPkcs8PrivateKeyPem(
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="password"/> or <paramref name="pbeParameters"/> is <see langword="null"/>.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public string ExportEncryptedPkcs8PrivateKeyPem(
             string password,
             PbeParameters pbeParameters)
@@ -1370,7 +1354,6 @@ public static MLDsa GenerateKey(MLDsaAlgorithm algorithm)
         ///   The platform does not support ML-DSA. Callers can use the <see cref="IsSupported" /> property
         ///   to determine if the platform supports ML-DSA.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportSubjectPublicKeyInfo(ReadOnlySpan<byte> source)
         {
             Helpers.ThrowIfAsnInvalidLength(source);
@@ -1397,7 +1380,6 @@ static void SubjectPublicKeyReader(ReadOnlySpan<byte> key, in ValueAlgorithmIden
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="source" /> is <see langword="null" />.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportSubjectPublicKeyInfo(byte[] source)
         {
             ArgumentNullException.ThrowIfNull(source);
@@ -1435,7 +1417,6 @@ public static MLDsa ImportSubjectPublicKeyInfo(byte[] source)
         ///   The platform does not support ML-DSA. Callers can use the <see cref="IsSupported" /> property
         ///   to determine if the platform supports ML-DSA.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportPkcs8PrivateKey(ReadOnlySpan<byte> source)
         {
             Helpers.ThrowIfAsnInvalidLength(source);
@@ -1450,7 +1431,6 @@ public static MLDsa ImportPkcs8PrivateKey(ReadOnlySpan<byte> source)
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="source" /> is <see langword="null" />.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportPkcs8PrivateKey(byte[] source)
         {
             ArgumentNullException.ThrowIfNull(source);
@@ -1500,7 +1480,6 @@ public static MLDsa ImportPkcs8PrivateKey(byte[] source)
         ///   The platform does not support ML-DSA. Callers can use the <see cref="IsSupported" /> property
         ///   to determine if the platform supports ML-DSA.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBytes, ReadOnlySpan<byte> source)
         {
             Helpers.ThrowIfAsnInvalidLength(source);
@@ -1550,7 +1529,6 @@ public static MLDsa ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBy
         ///   The platform does not support ML-DSA. Callers can use the <see cref="IsSupported" /> property
         ///   to determine if the platform supports ML-DSA.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password, ReadOnlySpan<byte> source)
         {
             Helpers.ThrowIfAsnInvalidLength(source);
@@ -1567,7 +1545,6 @@ public static MLDsa ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password,
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="password" /> or <paramref name="source" /> is <see langword="null" />.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportEncryptedPkcs8PrivateKey(string password, byte[] source)
         {
             ArgumentNullException.ThrowIfNull(password);
@@ -1612,7 +1589,6 @@ public static MLDsa ImportEncryptedPkcs8PrivateKey(string password, byte[] sourc
         ///     </list>
         ///   </para>
         /// </remarks>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportFromPem(ReadOnlySpan<char> source)
         {
             ThrowIfNotSupported();
@@ -1630,7 +1606,6 @@ public static MLDsa ImportFromPem(ReadOnlySpan<char> source)
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="source" /> is <see langword="null" />.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportFromPem(string source)
         {
             ArgumentNullException.ThrowIfNull(source);
@@ -1698,7 +1673,6 @@ public static MLDsa ImportFromPem(string source)
         ///   </para>
         ///   <para>This method supports the <c>ENCRYPTED PRIVATE KEY</c> PEM label.</para>
         /// </remarks>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportFromEncryptedPem(ReadOnlySpan<char> source, ReadOnlySpan<char> password)
         {
             ThrowIfNotSupported();
@@ -1763,7 +1737,6 @@ public static MLDsa ImportFromEncryptedPem(ReadOnlySpan<char> source, ReadOnlySp
         ///   </para>
         ///   <para>This method supports the <c>ENCRYPTED PRIVATE KEY</c> PEM label.</para>
         /// </remarks>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportFromEncryptedPem(ReadOnlySpan<char> source, ReadOnlySpan<byte> passwordBytes)
         {
             ThrowIfNotSupported();
@@ -1778,7 +1751,6 @@ public static MLDsa ImportFromEncryptedPem(ReadOnlySpan<char> source, ReadOnlySp
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="source" /> or <paramref name="password" /> is <see langword="null" />.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportFromEncryptedPem(string source, string password)
         {
             ArgumentNullException.ThrowIfNull(source);
@@ -1792,7 +1764,6 @@ public static MLDsa ImportFromEncryptedPem(string source, string password)
         /// <exception cref="ArgumentNullException">
         ///   <paramref name="source" /> or <paramref name="passwordBytes" /> is <see langword="null" />.
         /// </exception>
-        [Experimental(Experimentals.PostQuantumCryptographyDiagId, UrlFormat = Experimentals.SharedUrlFormat)]
         public static MLDsa ImportFromEncryptedPem(string source, byte[] passwordBytes)
         {
             ArgumentNullException.ThrowIfNull(source);

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestsData.Ietf.cs

@@ -11,7 +11,7 @@ namespace System.Security.Cryptography.Tests
 {
     public static partial class MLDsaTestsData
     {
-        // Data is from https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/09/
+        // Data is from https://datatracker.ietf.org/doc/rfc9881/ Appendix C.
         internal static partial MLDsaKeyInfo IetfMLDsa44 => field ??= new MLDsaKeyInfo(
             MLDsaAlgorithm.MLDsa44,
                                  "d7b2b47254aae0db45e7930d4a98d2c97d8f1397d17" +