Skip to content

Improve exceptions thrown by MLKem when key types aren't available. #116590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Jun 16, 2025
Merged

Improve exceptions thrown by MLKem when key types aren't available. #116590

merged 7 commits into from
Jun 16, 2025

Conversation

vcsjones
Copy link
Member

@vcsjones vcsjones commented Jun 12, 2025
edited
Loading

Win32 bcrypt gives us unhelpful errors for ML-KEM when certain key types are not available. For example, if you created the ML-KEM instance with an expanded decapsulation key, but you ask it for a seed. In that scenario, we are throwing an exception like:

CryptographicException : Unknown error (0xc10000bb)

This improves the exception to something understandable when we have enough information about the key.

Fixes #116509

@Copilot Copilot AI review requested due to automatic review settings June 12, 2025 17:13
@vcsjones vcsjones requested a review from bartonjs June 12, 2025 17:13
@vcsjones vcsjones added this to the 10.0.0 milestone Jun 12, 2025
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot
Copilot AI reviewed Jun 12, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR enhances MLKEM error handling by throwing clearer exceptions when a key or seed isn’t available, instead of surfacing low-level errors.

  • Introduces ThrowExceptionIfNoSeed and ThrowExceptionIfNoDecapsulationKey helpers.
  • Adds precondition checks before export/decapsulation operations in OpenSSL and Windows implementations.
  • Supplies new localized exception messages and updates tests to expect CryptographicException.

Reviewed Changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/MLKemOpenSsl.OpenSsl.cs Added checks before exporting seed/decapsulation key
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/MLKemImplementation.OpenSsl.cs Added availability checks before decapsulation and exports
src/libraries/System.Security.Cryptography/src/Resources/Strings.resx Added new messages for missing seed/decapsulation key
src/libraries/Microsoft.Bcl.Cryptography/src/Resources/Strings.resx Added new messages for missing seed/decapsulation key
src/libraries/Common/tests/System/Security/Cryptography/MLKemBaseTests.cs Switched from ThrowsAny to Throws in key-missing tests
src/libraries/Common/src/System/Security/Cryptography/MLKemImplementation.Windows.cs Added checks before decrypt/export operations on Windows
src/libraries/Common/src/System/Security/Cryptography/MLKem.cs Introduced helper methods to throw when seed/decap key are absent

bartonjs
bartonjs reviewed Jun 12, 2025
View reviewed changes
@build-analysis build-analysis bot mentioned this pull request Jun 12, 2025
Open
This was referenced Jun 12, 2025
Open
Open
@vcsjones vcsjones force-pushed the ml-kem-good-exceptions branch from 669e132 to 2122bb7 Compare June 13, 2025 22:54
@vcsjones vcsjones enabled auto-merge (squash) June 13, 2025 23:15
@build-analysis build-analysis bot mentioned this pull request Jun 14, 2025
Closed
This was referenced Jun 15, 2025
Open
Closed
Closed
@PranavSenthilnathan
Copy link
Member

/ba-g #116695 #116647 #116558 and #106319. This PR isn't related to ios/tvos/wasm

@vcsjones vcsjones merged commit 1a52cd6 into dotnet:main Jun 16, 2025
81 of 86 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot

@bartonjs bartonjs

@PranavSenthilnathan PranavSenthilnathan

Assignees

@vcsjones vcsjones

Labels
area-System.Security
Projects
None yet
Milestone
10.0.0
Development

Successfully merging this pull request may close these issues.

ML-KEM: Improve exceptions from exports
3 participants
@vcsjones @PranavSenthilnathan @bartonjs