BCrypt Composite ML-DSA

[PranavSenthilnathan]

Windows Insider builds support Composite ML-DSA in BCrypt. Documentation of public API can be found here.

Note this changes the default implementation on Windows from managed to BCrypt. On versions that support Composite ML-DSA, this reduces the number of supported algorithms to the 4 listed in the docs above. And for Windows versions that don't support Composite ML-DSA, our default implementation also doesn't support it now.

Fixes #116999

[dotnet-policy-service]

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

[Copilot]

Pull request overview

This PR wires up Windows support for Composite ML-DSA via the BCrypt “single key”/PQDSA blob mechanism (including new parameter-set identifiers and blob magic values), and updates platform-support expectations in tests.

Changes:

• Add Composite ML-DSA PQDSA blob encode/decode support and parameter-set mapping for Windows composite algorithms.
• Implement Windows CompositeMLDsa operations (keygen/import/export/sign/verify) using BCrypt Composite-ML-DSA provider and PQDSA blobs.
• Update Windows algorithm identifiers / magic numbers and adjust support-detection tests accordingly.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj	Removes managed Composite ML-DSA sources from the Windows build item group.
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/CompositeMLDsa/CompositeMLDsaFactoryTests.cs	Updates platform support expectations for IsAlgorithmSupported on Windows.
src/libraries/Common/src/System/Security/Cryptography/PqcBlobHelpers.cs	Adds composite parameter-set strings plus composite PQDSA blob encode/decode helpers; adjusts stackalloc threshold.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaImplementation.Windows.cs	Replaces Windows PNSE stub with a BCrypt-backed implementation for composite keygen/import/export/sign/verify.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsa.cs	Adds an algorithm support check during PKCS#8 private-key import.
src/libraries/Common/src/Interop/Windows/BCrypt/Interop.Blobs.cs	Adds composite ML-DSA public/private magic numbers for PQDSA blobs.
src/libraries/Common/src/Interop/Windows/BCrypt/Interop.BCryptSignHash.cs	Changes PQC “pure” signing helper to return bytesWritten and relaxes debug assertion.
src/libraries/Common/src/Interop/Windows/BCrypt/Cng.cs	Adds BCrypt algorithm name constant for Composite-ML-DSA.

[Copilot]

Pull request overview

Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 1 comment.

[Copilot]

Pull request overview

Copilot reviewed 11 out of 11 changed files in this pull request and generated no new comments.