[ML-DSA]: Improve error message for Windows MLDsaImplementation when signing with missing private key

[Copilot]

This PR fixes the issue where Windows MLDsa implementation throws an unclear "Unknown error (0xc100000d)" when attempting to sign with a public key that doesn't contain a private key.

Problem

When attempting to sign data using a public key (without private key) on Windows, the error was unclear:

using MLDsa full = MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa65);
using MLDsa pub = MLDsa.ImportSubjectPublicKeyInfo(full.ExportSubjectPublicKeyInfo());
pub.SignData(new byte[1], new byte[pub.Algorithm.SignatureSizeInBytes]);
// Throws: System.Security.Cryptography.CryptographicException : Unknown error (0xc100000d)

Solution

Added a check in SignDataCore method of MLDsaImplementation.Windows.cs to verify the presence of a secret key before attempting to sign:

protected override void SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, Span<byte> destination)
{
    if (!_hasSecretKey)
    {
        throw new CryptographicException(SR.Cryptography_MLDsaNoSecretKey);
    }

    Interop.BCrypt.BCryptSignHashPqcPure(_key, data, context, destination);
}

This follows the same pattern already used in ExportMLDsaSecretKeyCore and provides a clear error message: "The current instance does not contain a secret key."

Changes Made

• MLDsaImplementation.Windows.cs: Added secret key validation in SignDataCore
• Tests: Added test cases to verify the new error behavior on both Windows-specific and cross-platform implementations

Technical Notes

• Uses existing SR string Cryptography_MLDsaNoSecretKey for consistency
• Minimal change with no impact on existing functionality
• Windows-specific fix as the issue only affects the bcrypt implementation
• Cannot add the same check to MLDsaCng as noted in the issue since we cannot guarantee knowing if the secret key is available until we try signing

Fixes #117107.

Warning

Firewall rules blocked me from connecting to one or more addresses

I tried to connect to the following addresses, but was blocked by firewall rules:

• http://www.microsoft.com:80/pki/certs/MicCodSigPCA_08-31-2010.crt
  • Triggering command: /home/REDACTED/work/runtime/runtime/artifacts/bin/testhost/net10.0-linux-Debug-x64/dotnet exec --runtimeconfig System.Security.Cryptography.Tests.runtimeconfig.json --depsfile System.Security.Cryptography.Tests.deps.json /home/REDACTED/.nuget/packages/microsoft.dotnet.xunitconsoleREDACTED/2.9.2-beta.25311.107/build/../tools/net/xunit.console.dll System.Security.Cryptography.Tests.dll -xml testResults.xml -nologo -notrait category=OuterLoop -notrait category=failing (http block)
• http://www.microsoft.com:80/pki/mscorp/Microsoft%20RSA%20TLS%20CA%2001.crt
  • Triggering command: /home/REDACTED/work/runtime/runtime/artifacts/bin/testhost/net10.0-linux-Debug-x64/dotnet exec --runtimeconfig System.Security.Cryptography.Tests.runtimeconfig.json --depsfile System.Security.Cryptography.Tests.deps.json /home/REDACTED/.nuget/packages/microsoft.dotnet.xunitconsoleREDACTED/2.9.2-beta.25311.107/build/../tools/net/xunit.console.dll System.Security.Cryptography.Tests.dll -xml testResults.xml -nologo -notrait category=OuterLoop -notrait category=failing (http block)

If you need me to access, download, or install something from one of these locations, you can either:

• Configure Actions setup steps to set up my environment, which run before the firewall is enabled
• Add the appropriate URLs or hosts to my firewall allow list

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[PranavSenthilnathan]

PQC on Windows 11 is still in insider preview so Copilot won't actually be able to test its code changes.