[ML-DSA]: Improve error message for Windows MLDsaImplementation when signing with missing private key

src/libraries/Common/src/System/Security/Cryptography/MLDsaImplementation.Windows.cs

@@ -34,8 +34,15 @@ private MLDsaImplementation(
         [MemberNotNullWhen(true, nameof(s_algHandle))]
         internal static partial bool SupportsAny() => s_algHandle is not null;
 
-        protected override void SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, Span<byte> destination) =>
+        protected override void SignDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, Span<byte> destination)
+        {
+            if (!_hasSecretKey)
+            {
+                throw new CryptographicException(SR.Cryptography_MLDsaNoSecretKey);
+            }
+
             Interop.BCrypt.BCryptSignHashPqcPure(_key, data, context, destination);
+        }
 
         protected override bool VerifyDataCore(ReadOnlySpan<byte> data, ReadOnlySpan<byte> context, ReadOnlySpan<byte> signature) =>
             Interop.BCrypt.BCryptVerifySignaturePqcPure(_key, data, context, signature);

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaCngTests.Windows.cs

@@ -234,5 +234,19 @@ public void MLDsaCng_DuplicateHandle(string? name)
                 key.Delete();
             }
         }
+
+        [Theory]
+        [MemberData(nameof(MLDsaTestsData.AllMLDsaAlgorithms), MemberType = typeof(MLDsaTestsData))]
+        public void SignData_WithPublicKey_ThrowsCryptographicException(MLDsaAlgorithm algorithm)
+        {
+            using MLDsa full = MLDsa.GenerateKey(algorithm);
+            using MLDsa pub = MLDsa.ImportSubjectPublicKeyInfo(full.ExportSubjectPublicKeyInfo());
+
+            byte[] data = new byte[1];
+            byte[] signature = new byte[algorithm.SignatureSizeInBytes];
+
+            CryptographicException ex = Assert.Throws<CryptographicException>(() => pub.SignData(data, signature));
+            Assert.Equal("The current instance does not contain a secret key.", ex.Message);
+        }
     }
 }

src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaImplementationTests.cs

@@ -587,6 +587,23 @@ public void RoundTrip_EncryptedPrivateKey(MLDsaKeyInfo info)
                 }, validPasswordTypes), validPasswordTypes);
         }
 
+        [Theory]
+        [MemberData(nameof(MLDsaTestsData.AllMLDsaAlgorithms), MemberType = typeof(MLDsaTestsData))]
+        public static void SignData_WithPublicKey_ThrowsCryptographicException(MLDsaAlgorithm algorithm)
+        {
+            AssertThrowIfNotSupported(() =>
+            {
+                using MLDsa full = MLDsa.GenerateKey(algorithm);
+                using MLDsa pub = MLDsa.ImportSubjectPublicKeyInfo(full.ExportSubjectPublicKeyInfo());
+
+                byte[] data = new byte[1];
+                byte[] signature = new byte[algorithm.SignatureSizeInBytes];
+
+                CryptographicException ex = Assert.Throws<CryptographicException>(() => pub.SignData(data, signature));
+                Assert.Equal("The current instance does not contain a secret key.", ex.Message);
+            });
+        }
+
         /// <summary>
         /// Asserts that on platforms that do not support ML-DSA, the input test throws PlatformNotSupportedException.
         /// If the test does pass, it implies that the test is validating code after the platform check.