Encode ML-DSA priv key as seed, expose MlDsaUtils (#434)

See [PR #434][1] for a detailed description of this commit.

[1]: #434

Author: WillChilds-Klein

CHANGELOG.md

@@ -13,6 +13,7 @@
 * [PR 426:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/426) Add null check to AesCbcSpi
 * [PR 427:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/427) Add provider info string
 * [PR 432:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/432) Support Ed25519ph, bump AWS-LC to v1.46.0yy
+* [PR 434:](https://github.com/corretto/amazon-corretto-crypto-provider/pull/434) Encode ML-DSA priv key as seed, expose MlDsaUtils
 
 ## 2.4.1
 

CMakeLists.txt

@@ -161,10 +161,12 @@ add_custom_command(
 #       detected by CMake.
 if (${CMAKE_VERSION} VERSION_LESS "3.12.0")
     file(GLOB_RECURSE ACCP_SRC "src/com/amazon/corretto/crypto/provider/*.java")
+    file(GLOB_RECURSE ACCP_UTILS_SRC "src/com/amazon/corretto/crypto/utils/*.java")
 else()
     file(GLOB_RECURSE ACCP_SRC CONFIGURE_DEPENDS "src/com/amazon/corretto/crypto/provider/*.java")
+    file(GLOB_RECURSE ACCP_UTILS_SRC CONFIGURE_DEPENDS "src/com/amazon/corretto/crypto/utils/*.java")
 endif()
-set(ACCP_SRC ${ACCP_SRC} ${GENERATED_JAVA_SRC})
+set(ACCP_SRC ${ACCP_SRC} ${ACCP_UTILS_SRC} ${GENERATED_JAVA_SRC})
 
 set(BASE_JAVA_COMPILE_FLAGS ${CMAKE_JAVA_COMPILE_FLAGS} -h "${JNI_HEADER_DIR}" -Werror -Xlint)
 

README.md

@@ -133,7 +133,7 @@ ACCP did not track a FIPS branch/release version of AWS-LC until ACCP v2.3.0. Be
 | 2.3.3               | 1.17.0         | 2.0.2               |
 | 2.4.0               | 1.30.1         | 2.0.13              |
 | 2.4.1               | 1.30.1         | 2.0.13              |
-| 2.5.0               | 1.46.0         | 3.0.0               |
+| 2.5.0               | 1.47.0         | 3.0.0               |
 
 Notable differences between ACCP and ACCP-FIPS:
 * ACCP uses [the latest release of AWS-LC](https://github.com/aws/aws-lc/releases), whereas, ACCP-FIPS uses [the fips-2022-11-02 branch of AWS-LC](https://github.com/aws/aws-lc/tree/fips-2022-11-02).

aws-lc

@@ -14,7 +14,7 @@ plugins {
 
 group = 'software.amazon.cryptools'
 version = '2.5.0'
-ext.awsLcMainTag = 'v1.46.0'
+ext.awsLcMainTag = 'v1.47.0'
 ext.awsLcFipsTag = 'AWS-LC-FIPS-3.0.0'
 ext.isExperimentalFips = Boolean.getBoolean('EXPERIMENTAL_FIPS')
 ext.isFips = ext.isExperimentalFips || Boolean.getBoolean('FIPS')
@@ -78,6 +78,7 @@ spotless {
         target 'csrc/*'
         licenseHeaderFile 'build-tools/license-headers/LicenseHeader.h'
         clangFormat(clangFormatVersion)
+        toggleOffOn()
     }
   }
 }

build.gradle

@@ -117,6 +117,11 @@ class OPENSSL_buffer_auto {
     {
     }
 
+    explicit OPENSSL_buffer_auto(size_t buf_size)
+        : buf((unsigned char*)OPENSSL_malloc(buf_size))
+    {
+    }
+
     virtual ~OPENSSL_buffer_auto() { OPENSSL_free(buf); }
 
     operator unsigned char*() { return buf; }

csrc/auto_free.h

@@ -666,3 +666,52 @@ JNIEXPORT jbyteArray JNICALL Java_com_amazon_corretto_crypto_provider_EvpRsaPriv
 
     return result;
 }
+
+#if !defined(FIPS_BUILD) || defined(EXPERIMENTAL_FIPS_BUILD)
+/*
+ * Class:     com_amazon_corretto_crypto_provider_EvpRsaPrivateKey
+ * Method:    encodeRsaPrivateKey
+ * Signature: (J)[B
+ */
+JNIEXPORT jbyteArray JNICALL Java_com_amazon_corretto_crypto_provider_EvpMlDsaPrivateKey_encodeMlDsaPrivateKey(
+    JNIEnv* pEnv, jclass, jlong keyHandle)
+{
+    jbyteArray result = NULL;
+
+    try {
+        raii_env env(pEnv);
+
+        EVP_PKEY* key = reinterpret_cast<EVP_PKEY*>(keyHandle);
+        CHECK_OPENSSL(EVP_PKEY_id(key) == EVP_PKEY_PQDSA);
+
+        uint8_t* der;
+        size_t der_len;
+        CBB cbb;
+        CHECK_OPENSSL(CBB_init(&cbb, 0));
+        // Failure below may just indicate that we don't have the seed, so retry with |encodeExpandedMLDSAPrivateKey|
+        // and encode in PKCS8 (RFC 5208) format after clearing the error queue.
+        if (EVP_marshal_private_key(&cbb, key)) {
+            if (!CBB_finish(&cbb, &der, &der_len)) {
+                OPENSSL_free(der);
+                throw_java_ex(EX_RUNTIME_CRYPTO, "Error finalizing seed ML-DSA key");
+            }
+        } else {
+            ERR_clear_error();
+            der_len = encodeExpandedMLDSAPrivateKey(key, &der);
+        }
+        CBB_cleanup(&cbb);
+
+        if (!(result = env->NewByteArray(der_len))) {
+            OPENSSL_free(der);
+            throw_java_ex(EX_OOM, "Unable to allocate DER array");
+        }
+        // This may throw, if it does we'll just keep the exception state as we return.
+        env->SetByteArrayRegion(result, 0, der_len, (const jbyte*)der);
+        OPENSSL_free(der);
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+    }
+
+    return result;
+}
+#endif // !defined(FIPS_BUILD) || defined(EXPERIMENTAL_FIPS_BUILD)

csrc/java_evp_keys.cpp

@@ -179,4 +179,55 @@ RSA* new_private_RSA_key_with_no_e(BIGNUM const* n, BIGNUM const* d)
     return result;
 }
 
+#if !defined(FIPS_BUILD) || defined(EXPERIMENTAL_FIPS_BUILD)
+size_t encodeExpandedMLDSAPrivateKey(const EVP_PKEY* key, uint8_t** out)
+{
+    CHECK_OPENSSL(key);
+    CHECK_OPENSSL(EVP_PKEY_id(key) == EVP_PKEY_PQDSA);
+    CHECK_OPENSSL(out);
+    size_t raw_len;
+    int nid = NID_undef;
+    // See Section 4, Table 2 of https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf
+    switch (EVP_PKEY_size(key)) { // switch on signature size for |key|'s algorithm
+    case 2420:
+        nid = NID_MLDSA44;
+        raw_len = 2560;
+        break;
+    case 3309:
+        nid = NID_MLDSA65;
+        raw_len = 4032;
+        break;
+    case 4627:
+        nid = NID_MLDSA87;
+        raw_len = 4896;
+        break;
+    default:
+        throw_java_ex(EX_ILLEGAL_ARGUMENT, "Invalid ML-DSA signature size");
+    }
+    OPENSSL_buffer_auto raw_expanded(raw_len);
+    CHECK_OPENSSL(EVP_PKEY_get_raw_private_key(key, raw_expanded, &raw_len));
+    CBB cbb, pkcs8, algorithm, priv, expanded;
+    CBB_init(&cbb, 0);
+    // Encoding below is based on expandedKey CHOICE member of PrivateKey ASN.1 structures in:
+    // https://github.com/lamps-wg/dilithium-certificates/blob/main/X509-ML-DSA-2025.asn
+    // spotless:off
+    if (!CBB_add_asn1(&cbb, &pkcs8, CBS_ASN1_SEQUENCE) ||
+        !CBB_add_asn1_uint64(&pkcs8, 0) ||
+        !CBB_add_asn1(&pkcs8, &algorithm, CBS_ASN1_SEQUENCE) ||
+        !OBJ_nid2cbb(&algorithm, nid) ||
+        !CBB_add_asn1(&pkcs8, &priv, CBS_ASN1_OCTETSTRING) ||
+        !CBB_add_asn1(&priv, &expanded, CBS_ASN1_OCTETSTRING) ||
+        !CBB_add_bytes(&expanded, raw_expanded, raw_len)) {
+        throw_java_ex(EX_RUNTIME_CRYPTO, "Error serializing expanded ML-DSA key");
+    }
+    // spotless:on
+    size_t out_len;
+    if (!CBB_finish(&cbb, out, &out_len)) {
+        OPENSSL_free(*out);
+        throw_java_ex(EX_RUNTIME_CRYPTO, "Error finalizing expanded ML-DSA key");
+    }
+    return out_len;
+}
+#endif // !defined(FIPS_BUILD) || defined(EXPERIMENTAL_FIPS_BUILD)
+
 }

csrc/keyutils.cpp

@@ -145,6 +145,13 @@ const EVP_MD* digestFromJstring(raii_env& env, jstring digestName);
 
 RSA* new_private_RSA_key_with_no_e(BIGNUM const* n, BIGNUM const* d);
 
+#if !defined(FIPS_BUILD) || defined(EXPERIMENTAL_FIPS_BUILD)
+// Expands ML-DSA |key|, allocates appropriately sized buffer to |*out|, writes the PKCS8-encoded expanded key to
+// |*out|, and returns the size of |*out| on success and throws an unchecked exception on failure. The caller takes
+// ownership of |*out|.
+size_t encodeExpandedMLDSAPrivateKey(const EVP_PKEY* key, uint8_t** out);
+#endif
+
 }
 
 #endif

csrc/keyutils.h

@@ -83,4 +83,105 @@ JNIEXPORT jint JNICALL Java_com_amazon_corretto_crypto_provider_Utils_getDigestL
 {
     return EVP_MD_size(reinterpret_cast<const EVP_MD*>(evpMd));
 }
+
+#if !defined(FIPS_BUILD) || defined(EXPERIMENTAL_FIPS_BUILD)
+/*
+ * Class:     com_amazon_corretto_crypto_utils_MlDsaUtils
+ * Method:    expandPrivateKeyInternal
+ * Signature: ([B)[B
+ */
+JNIEXPORT jbyteArray JNICALL Java_com_amazon_corretto_crypto_utils_MlDsaUtils_expandPrivateKeyInternal(
+    JNIEnv* pEnv, jclass, jbyteArray keyBytes)
+{
+    jbyteArray result = NULL;
+    try {
+        raii_env env(pEnv);
+        jsize key_der_len = env->GetArrayLength(keyBytes);
+
+        if (key_der_len > 54) { // If they key is already expanded, return it
+            return keyBytes;
+        }
+        CHECK_OPENSSL(key_der_len == 54); // seed-only keys are always 54 bytes when PKCS8-encoded
+        uint8_t* key_der = (uint8_t*)env->GetByteArrayElements(keyBytes, nullptr);
+        CHECK_OPENSSL(key_der);
+
+        // Parse the seed key
+        BIO* key_bio = BIO_new_mem_buf(key_der, key_der_len);
+        CHECK_OPENSSL(key_bio);
+        PKCS8_PRIV_KEY_INFO_auto pkcs8 = PKCS8_PRIV_KEY_INFO_auto::from(d2i_PKCS8_PRIV_KEY_INFO_bio(key_bio, nullptr));
+        CHECK_OPENSSL(pkcs8.isInitialized());
+        EVP_PKEY_auto key = EVP_PKEY_auto::from(EVP_PKCS82PKEY(pkcs8));
+
+        // Expand the seed key and encode it before returning
+        OPENSSL_buffer_auto new_der;
+        int new_der_len = encodeExpandedMLDSAPrivateKey(key, &new_der);
+        CHECK_OPENSSL(new_der_len > 0);
+        if (!(result = env->NewByteArray(new_der_len))) {
+            throw_java_ex(EX_OOM, "Unable to allocate DER array");
+        }
+        env->SetByteArrayRegion(result, 0, new_der_len, (const jbyte*)new_der);
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return 0;
+    }
+    return result;
+}
+
+/*
+ * Class:     com_amazon_corretto_crypto_utils_MlDsaUtils
+ * Method:    computeMuInternal
+ * Signature: ([B[B)[B
+ */
+JNIEXPORT jbyteArray JNICALL Java_com_amazon_corretto_crypto_utils_MlDsaUtils_computeMuInternal(
+    JNIEnv* pEnv, jclass, jbyteArray pubKeyEncodedArr, jbyteArray messageArr)
+{
+    try {
+        raii_env env(pEnv);
+        jsize pub_key_der_len = env->GetArrayLength(pubKeyEncodedArr);
+        jsize message_len = env->GetArrayLength(messageArr);
+        uint8_t* pub_key_der = (uint8_t*)env->GetByteArrayElements(pubKeyEncodedArr, nullptr);
+        CHECK_OPENSSL(pub_key_der);
+        uint8_t* message = (uint8_t*)env->GetByteArrayElements(messageArr, nullptr);
+        CHECK_OPENSSL(message);
+
+        CBS cbs;
+        CBS_init(&cbs, pub_key_der, pub_key_der_len);
+        EVP_PKEY_auto pkey = EVP_PKEY_auto::from((EVP_parse_public_key(&cbs)));
+        EVP_PKEY_CTX_auto ctx = EVP_PKEY_CTX_auto::from(EVP_PKEY_CTX_new(pkey.get(), nullptr));
+        EVP_MD_CTX_auto md_ctx_mu = EVP_MD_CTX_auto::from(EVP_MD_CTX_new());
+        EVP_MD_CTX_auto md_ctx_pk = EVP_MD_CTX_auto::from(EVP_MD_CTX_new());
+
+        size_t pk_len; // fetch the public key length
+        CHECK_OPENSSL(EVP_PKEY_get_raw_public_key(pkey.get(), nullptr, &pk_len));
+        std::vector<uint8_t> pk(pk_len);
+        CHECK_OPENSSL(EVP_PKEY_get_raw_public_key(pkey.get(), pk.data(), &pk_len));
+        uint8_t tr[64] = { 0 };
+        uint8_t mu[64] = { 0 };
+        uint8_t pre[2] = { 0 };
+
+        // get raw public key and hash it
+        CHECK_OPENSSL(EVP_DigestInit_ex(md_ctx_pk.get(), EVP_shake256(), nullptr));
+        CHECK_OPENSSL(EVP_DigestUpdate(md_ctx_pk.get(), pk.data(), pk_len));
+        CHECK_OPENSSL(EVP_DigestFinalXOF(md_ctx_pk.get(), tr, sizeof(tr)));
+
+        // compute mu as defined on line 6 of Algorithm 7 in FIPS 204
+        // https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.pdf
+        CHECK_OPENSSL(EVP_DigestInit_ex(md_ctx_mu.get(), EVP_shake256(), nullptr));
+        CHECK_OPENSSL(EVP_DigestUpdate(md_ctx_mu.get(), tr, sizeof(tr)));
+        CHECK_OPENSSL(EVP_DigestUpdate(md_ctx_mu.get(), pre, sizeof(pre)));
+        CHECK_OPENSSL(EVP_DigestUpdate(md_ctx_mu.get(), message, message_len));
+        CHECK_OPENSSL(EVP_DigestFinalXOF(md_ctx_mu.get(), mu, sizeof(mu)));
+
+        env->ReleaseByteArrayElements(pubKeyEncodedArr, (jbyte*)pub_key_der, 0);
+        env->ReleaseByteArrayElements(messageArr, (jbyte*)message, 0);
+
+        jbyteArray ret = env->NewByteArray(sizeof(mu));
+        env->SetByteArrayRegion(ret, 0, sizeof(mu), (const jbyte*)mu);
+        return ret;
+    } catch (java_ex& ex) {
+        ex.throw_to_java(pEnv);
+        return 0;
+    }
 }
+#endif // !defined(FIPS_BUILD) || defined(EXPERIMENTAL_FIPS_BUILD)
+}

csrc/util_class.cpp

@@ -7,6 +7,8 @@
 class EvpMlDsaPrivateKey extends EvpMlDsaKey implements PrivateKey {
   private static final long serialVersionUID = 1;
 
+  private static native byte[] encodeMlDsaPrivateKey(long ptr);
+
   EvpMlDsaPrivateKey(final long ptr) {
     this(new InternalKey(ptr));
   }
@@ -22,4 +24,21 @@ public EvpMlDsaPublicKey getPublicKey() {
     result.sharedKey = true;
     return result;
   }
+
+  @Override
+  protected byte[] internalGetEncoded() {
+    // ML-DSA private keys have special logic to handle presence/absence of seed
+    assertNotDestroyed();
+    byte[] result = encoded;
+    if (result == null) {
+      synchronized (this) {
+        result = encoded;
+        if (result == null) {
+          result = use(EvpMlDsaPrivateKey::encodeMlDsaPrivateKey);
+          encoded = result;
+        }
+      }
+    }
+    return result;
+  }
 }

src/com/amazon/corretto/crypto/provider/EvpMlDsaPrivateKey.java

@@ -0,0 +1,45 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.utils;
+
+import java.security.PrivateKey;
+import java.security.PublicKey;
+
+/** Public utility methods */
+public final class MlDsaUtils {
+  private MlDsaUtils() {} // private constructor to prevent instantiation
+
+  private static native byte[] computeMuInternal(byte[] pubKeyEncoded, byte[] message);
+
+  private static native byte[] expandPrivateKeyInternal(byte[] key);
+
+  /**
+   * Computes mu as defined on line 6 of Algorithm 7 and line 7 of Algorithm 8 in NIST FIPS 204.
+   *
+   * <p>See <a href="https://csrc.nist.gov/pubs/fips/204/final">FIPS 204</a>
+   *
+   * @param publicKey ML-DSA public key
+   * @param message byte array of the message over which to compute mu
+   * @return a byte[] of length 64 containing mu
+   */
+  public static byte[] computeMu(PublicKey publicKey, byte[] message) {
+    if (publicKey == null || !publicKey.getAlgorithm().startsWith("ML-DSA") || message == null) {
+      throw new IllegalArgumentException();
+    }
+    return computeMuInternal(publicKey.getEncoded(), message);
+  }
+
+  /**
+   * Returns an expanded ML-DSA private key, whether the key passed in is based on a seed or
+   * expanded. It returns the PKCS8-encoded expanded key.
+   *
+   * @param key an ML-DSA private key
+   * @return a byte[] containing the PKCS8-encoded seed private key
+   */
+  public static byte[] expandPrivateKey(PrivateKey key) {
+    if (key == null || !key.getAlgorithm().startsWith("ML-DSA")) {
+      throw new IllegalArgumentException();
+    }
+    return expandPrivateKeyInternal(key.getEncoded());
+  }
+}

src/com/amazon/corretto/crypto/utils/MlDsaUtils.java

@@ -5,6 +5,7 @@
   requires java.logging;
 
   exports com.amazon.corretto.crypto.provider;
+  exports com.amazon.corretto.crypto.utils;
 
   provides java.security.Provider with
       com.amazon.corretto.crypto.provider.ServiceProviderFactory;

src/module-info.java

@@ -90,7 +90,7 @@ public static void setupParameters() throws Exception {
       if (algorithm.startsWith("ML-DSA")) {
         // JCE doesn't support ML-DSA until JDK24, and BouncyCastle currently
         // serializes ML-DSA private keys via seeds. TODO: switch to
-        // BouncyCastle once we support deserializing private keys from seed.
+        // BouncyCastle once BC supports CHOICE-encoded private keys
         kpg = KeyPairGenerator.getInstance(algorithm, NATIVE_PROVIDER);
       } else {
         kpg = KeyPairGenerator.getInstance(algorithm);
@@ -238,7 +238,7 @@ public void testX509Encoding(final KeyPair keyPair, final String testName) throw
     if (algorithm.startsWith("ML-DSA")) {
       // JCE doesn't support ML-DSA until JDK24, and BouncyCastle currently
       // serializes ML-DSA private keys via seeds. TODO: switch to
-      // BouncyCastle once we support deserializing private keys from seed.
+      // BouncyCastle once BC supports CHOICE-encoded private keys
       jceFactory = KeyFactory.getInstance(algorithm, NATIVE_PROVIDER);
     } else {
       jceFactory = KeyFactory.getInstance(algorithm);
@@ -315,7 +315,7 @@ public void testPKCS8Encoding(final KeyPair keyPair, final String testName) thro
     if (algorithm.startsWith("ML-DSA")) {
       // JCE doesn't support ML-DSA until JDK24, and BouncyCastle currently
       // serializes ML-DSA private keys via seeds. TODO: switch to
-      // BouncyCastle once we support deserializing private keys from seed.
+      // BouncyCastle once BC supports CHOICE-encoded private keys
       jceFactory = KeyFactory.getInstance(algorithm, NATIVE_PROVIDER);
     } else {
       jceFactory = KeyFactory.getInstance(algorithm);

tst/com/amazon/corretto/crypto/provider/test/EvpKeyFactoryTest.java

@@ -11,6 +11,7 @@
 import static org.junit.jupiter.api.Assertions.assertTrue;
 
 import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider;
+import com.amazon.corretto.crypto.utils.MlDsaUtils;
 import java.security.InvalidKeyException;
 import java.security.KeyFactory;
 import java.security.KeyPair;
@@ -24,6 +25,7 @@
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.List;
+import org.junit.jupiter.api.Disabled;
 import org.junit.jupiter.api.Test;
 import org.junit.jupiter.api.condition.DisabledIf;
 import org.junit.jupiter.api.extension.ExtendWith;
@@ -88,7 +90,9 @@ private static List<TestParams> getParams() throws Exception {
         // support non-Bouncy-Castle keys.
         KeyFactory bcKf = KeyFactory.getInstance("ML-DSA", TestUtil.BC_PROVIDER);
         PublicKey bcPub = bcKf.generatePublic(new X509EncodedKeySpec(nativePub.getEncoded()));
-        PrivateKey bcPriv = bcKf.generatePrivate(new PKCS8EncodedKeySpec(nativePriv.getEncoded()));
+        // TODO uncomment below once BC supports CHOICE-encoded private keys
+        // PrivateKey bcPriv = bcKf.generatePrivate(new
+        // PKCS8EncodedKeySpec(nativePriv.getEncoded()));
 
         Provider nativeProv = NATIVE_PROVIDER;
         Provider bcProv = TestUtil.BC_PROVIDER;
@@ -98,8 +102,8 @@ private static List<TestParams> getParams() throws Exception {
 
         params.add(new TestParams(nativeProv, nativeProv, nativePriv, nativePub, message));
         params.add(new TestParams(nativeProv, bcProv, nativePriv, bcPub, message));
-        params.add(new TestParams(bcProv, nativeProv, bcPriv, nativePub, message));
-        params.add(new TestParams(bcProv, bcProv, bcPriv, bcPub, message));
+        // params.add(new TestParams(bcProv, nativeProv, bcPriv, nativePub, message));
+        // params.add(new TestParams(bcProv, bcProv, bcPriv, bcPub, message));
       }
     }
     return params;
@@ -200,47 +204,49 @@ public void testInvalidKeyInitialization() {
         });
   }
 
+  @Disabled("until BC updates to newer CHOICE priv key encoding format")
   @Test
   public void documentBouncyCastleDifferences() throws Exception {
-    // ACCP and BouncyCastle both encode the public key in full form, but BC FIPS encodes the
-    // private key as its 32 byte
-    // seed while ACCP encodes the fully expanded key. Key sizes don't precisely match the spec's
-    // sizes due to X509/PKCS9 ASN.1 encoding overhead.
-    // https://openquantumsafe.org/liboqs/algorithms/sig/ml-dsa.html
+    // ACCP and BouncyCastle both encode ML-DSA public keys in "expanded "form and ML-DSA private
+    // keys in "seed" form.
+    KeyFactory bcKf = KeyFactory.getInstance("ML-DSA", TestUtil.BC_PROVIDER);
     KeyPair nativePair =
         KeyPairGenerator.getInstance("ML-DSA-44", NATIVE_PROVIDER).generateKeyPair();
-    KeyPair bcPair =
-        KeyPairGenerator.getInstance("ML-DSA-44", TestUtil.BC_PROVIDER).generateKeyPair();
-    assertEquals(
-        nativePair.getPublic().getEncoded().length, bcPair.getPublic().getEncoded().length);
-    assertEquals(2584, nativePair.getPrivate().getEncoded().length);
-    assertEquals(52, bcPair.getPrivate().getEncoded().length);
+    PublicKey nativePub = nativePair.getPublic();
+    PrivateKey nativePriv = nativePair.getPrivate();
+    PublicKey bcPub = bcKf.generatePublic(new X509EncodedKeySpec(nativePub.getEncoded()));
+    PrivateKey bcPriv = bcKf.generatePrivate(new PKCS8EncodedKeySpec(nativePriv.getEncoded()));
+    TestUtil.assertArraysHexEquals(bcPub.getEncoded(), nativePub.getEncoded());
+    assertEquals(bcPriv.getEncoded().length + 2, nativePriv.getEncoded().length);
+    TestUtil.assertArraysHexEquals(bcPriv.getEncoded(), nativePriv.getEncoded());
 
     nativePair = KeyPairGenerator.getInstance("ML-DSA-65", NATIVE_PROVIDER).generateKeyPair();
-    bcPair = KeyPairGenerator.getInstance("ML-DSA-65", TestUtil.BC_PROVIDER).generateKeyPair();
-    assertEquals(
-        nativePair.getPublic().getEncoded().length, bcPair.getPublic().getEncoded().length);
-    assertEquals(4056, nativePair.getPrivate().getEncoded().length);
-    assertEquals(52, bcPair.getPrivate().getEncoded().length);
+    nativePub = nativePair.getPublic();
+    nativePriv = nativePair.getPrivate();
+    bcPub = bcKf.generatePublic(new X509EncodedKeySpec(nativePub.getEncoded()));
+    bcPriv = bcKf.generatePrivate(new PKCS8EncodedKeySpec(nativePriv.getEncoded()));
+    TestUtil.assertArraysHexEquals(bcPub.getEncoded(), nativePub.getEncoded());
+    assertEquals(bcPriv.getEncoded().length + 2, nativePriv.getEncoded().length);
+    TestUtil.assertArraysHexEquals(bcPriv.getEncoded(), nativePriv.getEncoded());
 
     nativePair = KeyPairGenerator.getInstance("ML-DSA-87", NATIVE_PROVIDER).generateKeyPair();
-    bcPair = KeyPairGenerator.getInstance("ML-DSA-87", TestUtil.BC_PROVIDER).generateKeyPair();
-    assertEquals(
-        nativePair.getPublic().getEncoded().length, bcPair.getPublic().getEncoded().length);
-    assertEquals(4920, nativePair.getPrivate().getEncoded().length);
-    assertEquals(52, bcPair.getPrivate().getEncoded().length);
+    nativePub = nativePair.getPublic();
+    nativePriv = nativePair.getPrivate();
+    bcPub = bcKf.generatePublic(new X509EncodedKeySpec(nativePub.getEncoded()));
+    bcPriv = bcKf.generatePrivate(new PKCS8EncodedKeySpec(nativePriv.getEncoded()));
+    TestUtil.assertArraysHexEquals(bcPub.getEncoded(), nativePub.getEncoded());
+    TestUtil.assertArraysHexEquals(bcPriv.getEncoded(), nativePriv.getEncoded());
 
     // BouncyCastle Signatures don't accept keys from other providers
     Signature bcSignature = Signature.getInstance("ML-DSA", TestUtil.BC_PROVIDER);
-    final KeyPair finalNativePair = nativePair;
-    assertThrows(
-        InvalidKeyException.class, () -> bcSignature.initSign(finalNativePair.getPrivate()));
+    final PrivateKey finalNativePriv = nativePriv;
+    assertThrows(InvalidKeyException.class, () -> bcSignature.initSign(finalNativePriv));
 
     // However, ACCP can use BouncyCastle KeyPairs with seed-encoded  PrivateKeys
     Signature nativeSignature = Signature.getInstance("ML-DSA", NATIVE_PROVIDER);
-    nativeSignature.initSign(bcPair.getPrivate());
+    nativeSignature.initSign(bcPriv);
     byte[] sigBytes = nativeSignature.sign();
-    nativeSignature.initVerify(bcPair.getPublic());
+    nativeSignature.initVerify(bcPub);
     assertTrue(nativeSignature.verify(sigBytes));
   }
 
@@ -258,7 +264,7 @@ public void testExtMu(TestParams params) throws Exception {
     PublicKey pub = params.pub;
 
     byte[] message = Arrays.copyOf(params.message, params.message.length);
-    byte[] mu = TestUtil.computeMLDSAMu(pub, message);
+    byte[] mu = MlDsaUtils.computeMu(pub, message);
     assertEquals(64, mu.length);
     byte[] fakeMu = new byte[64];
     Arrays.fill(fakeMu, (byte) 0);
@@ -304,22 +310,4 @@ public void testExtMu(TestParams params) throws Exception {
     extMuVerifier.update(mu);
     assertFalse(extMuVerifier.verify(signatureBytes));
   }
-
-  @ParameterizedTest
-  @ValueSource(strings = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"})
-  public void testComputeMLDSAExtMu(String algorithm) throws Exception {
-    KeyPair keyPair = KeyPairGenerator.getInstance(algorithm, NATIVE_PROVIDER).generateKeyPair();
-    PublicKey nativePub = keyPair.getPublic();
-    KeyFactory bcKf = KeyFactory.getInstance("ML-DSA", TestUtil.BC_PROVIDER);
-    PublicKey bcPub = bcKf.generatePublic(new X509EncodedKeySpec(nativePub.getEncoded()));
-
-    byte[] message = new byte[256];
-    Arrays.fill(message, (byte) 0x41);
-    byte[] mu = TestUtil.computeMLDSAMu(nativePub, message);
-    assertEquals(64, mu.length);
-    // We don't have any other implementations of mu calculation to test against, so just assert
-    // that mu is equivalent
-    // generated from both ACCP and BouncyCastle keys.
-    assertArrayEquals(mu, TestUtil.computeMLDSAMu(bcPub, message));
-  }
 }

tst/com/amazon/corretto/crypto/provider/test/MLDSATest.java

@@ -0,0 +1,105 @@
+// Copyright Amazon.com Inc. or its affiliates. All Rights Reserved.
+// SPDX-License-Identifier: Apache-2.0
+package com.amazon.corretto.crypto.provider.test;
+
+import static org.junit.jupiter.api.Assertions.assertArrayEquals;
+import static org.junit.jupiter.api.Assertions.assertEquals;
+import static org.junit.jupiter.api.Assertions.assertTrue;
+
+import com.amazon.corretto.crypto.provider.AmazonCorrettoCryptoProvider;
+import com.amazon.corretto.crypto.utils.MlDsaUtils;
+import java.security.KeyFactory;
+import java.security.KeyPair;
+import java.security.KeyPairGenerator;
+import java.security.PrivateKey;
+import java.security.Provider;
+import java.security.PublicKey;
+import java.security.Signature;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.security.spec.X509EncodedKeySpec;
+import java.util.Arrays;
+import org.junit.jupiter.api.Test;
+import org.junit.jupiter.api.condition.DisabledIf;
+import org.junit.jupiter.api.extension.ExtendWith;
+import org.junit.jupiter.api.parallel.Execution;
+import org.junit.jupiter.api.parallel.ExecutionMode;
+import org.junit.jupiter.api.parallel.ResourceAccessMode;
+import org.junit.jupiter.api.parallel.ResourceLock;
+import org.junit.jupiter.params.ParameterizedTest;
+import org.junit.jupiter.params.provider.ValueSource;
+
+@Execution(ExecutionMode.CONCURRENT)
+@ExtendWith(TestResultLogger.class)
+@ResourceLock(value = TestUtil.RESOURCE_GLOBAL, mode = ResourceAccessMode.READ)
+public class MlDsaUtilsTest {
+  private static final Provider NATIVE_PROVIDER = AmazonCorrettoCryptoProvider.INSTANCE;
+
+  // TODO: remove this disablement when ACCP consumes an AWS-LC-FIPS release with ML-DSA
+  private static boolean mlDsaDisabled() {
+    return AmazonCorrettoCryptoProvider.INSTANCE.isFips()
+        && !AmazonCorrettoCryptoProvider.INSTANCE.isExperimentalFips();
+  }
+
+  @ParameterizedTest
+  @ValueSource(strings = {"ML-DSA-44", "ML-DSA-65", "ML-DSA-87"})
+  @DisabledIf("mlDsaDisabled")
+  public void testComputeMu(String algorithm) throws Exception {
+    KeyPair keyPair = KeyPairGenerator.getInstance(algorithm, NATIVE_PROVIDER).generateKeyPair();
+    PublicKey nativePub = keyPair.getPublic();
+    KeyFactory bcKf = KeyFactory.getInstance("ML-DSA", TestUtil.BC_PROVIDER);
+    PublicKey bcPub = bcKf.generatePublic(new X509EncodedKeySpec(nativePub.getEncoded()));
+
+    byte[] message = new byte[256];
+    Arrays.fill(message, (byte) 0x41);
+    byte[] mu = MlDsaUtils.computeMu(nativePub, message);
+    assertEquals(64, mu.length);
+    // We don't have any other implementations of mu calculation to test against, so just assert
+    // that mu is equivalent generated from both ACCP and BouncyCastle keys.
+    assertArrayEquals(mu, MlDsaUtils.computeMu(bcPub, message));
+  }
+
+  @Test
+  @DisabledIf("mlDsaDisabled")
+  public void testExpandPrivateKey() throws Exception {
+    KeyFactory kf = KeyFactory.getInstance("ML-DSA", TestUtil.NATIVE_PROVIDER);
+
+    // Parsing expanded keys discards the seed, so after expansion we're no longer dealing with
+    // the seed. There are 24 bytes of PKCS8 overhead for each key. Raw private key sizes below.
+    // https://openquantumsafe.org/liboqs/algorithms/sig/ml-dsa.html
+    KeyPair nativePair =
+        KeyPairGenerator.getInstance("ML-DSA-44", NATIVE_PROVIDER).generateKeyPair();
+    assertEquals(54, nativePair.getPrivate().getEncoded().length);
+    byte[] expanded = MlDsaUtils.expandPrivateKey(nativePair.getPrivate());
+    assertEquals(2588, expanded.length);
+    PrivateKey expandedPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(expanded));
+    assertEquals(2588, expandedPriv.getEncoded().length);
+
+    nativePair = KeyPairGenerator.getInstance("ML-DSA-65", NATIVE_PROVIDER).generateKeyPair();
+    assertEquals(54, nativePair.getPrivate().getEncoded().length);
+    expanded = MlDsaUtils.expandPrivateKey(nativePair.getPrivate());
+    assertEquals(4060, expanded.length);
+    expandedPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(expanded));
+    assertEquals(4060, expandedPriv.getEncoded().length);
+
+    nativePair = KeyPairGenerator.getInstance("ML-DSA-87", NATIVE_PROVIDER).generateKeyPair();
+    assertEquals(54, nativePair.getPrivate().getEncoded().length);
+    expanded = MlDsaUtils.expandPrivateKey(nativePair.getPrivate());
+    assertEquals(4924, expanded.length);
+    expandedPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(expanded));
+    assertEquals(4924, expandedPriv.getEncoded().length);
+
+    // Lastly, do a sign/verify round trip with the expanded key
+    nativePair = KeyPairGenerator.getInstance("ML-DSA-44", NATIVE_PROVIDER).generateKeyPair();
+    expanded = MlDsaUtils.expandPrivateKey(nativePair.getPrivate());
+    expandedPriv = kf.generatePrivate(new PKCS8EncodedKeySpec(expanded));
+    final byte[] message = new byte[256];
+    Arrays.fill(message, (byte) 0x41);
+    Signature signature = Signature.getInstance("ML-DSA", NATIVE_PROVIDER);
+    signature.initSign(expandedPriv);
+    signature.update(message);
+    byte[] signatureBytes = signature.sign();
+    signature.initVerify(nativePair.getPublic());
+    signature.update(message);
+    assertTrue(signature.verify(signatureBytes));
+  }
+}

tst/com/amazon/corretto/crypto/provider/test/MlDsaUtilsTest.java

@@ -17,7 +17,6 @@
 import java.nio.ByteBuffer;
 import java.security.NoSuchAlgorithmException;
 import java.security.Provider;
-import java.security.PublicKey;
 import java.security.SecureRandom;
 import java.security.Security;
 import java.util.ArrayList;
@@ -842,22 +841,4 @@ static boolean edKeyFactoryRegistered() {
     return "true"
         .equals(System.getProperty("com.amazon.corretto.crypto.provider.registerEdKeyFactory"));
   }
-
-  private static native byte[] computeMLDSAMuInternal(byte[] pubKeyEncoded, byte[] message);
-
-  /**
-   * Computes mu as defined on line 6 of Algorithm 7 and line 7 of Algorithm 8 in NIST FIPS 204.
-   *
-   * <p>See <a href="https://csrc.nist.gov/pubs/fips/204/final">FIPS 204</a>
-   *
-   * @param publicKey ML-DSA public key
-   * @param message byte array of the message over which to compute mu
-   * @return a byte[] of length 64 containing mu
-   */
-  static byte[] computeMLDSAMu(PublicKey publicKey, byte[] message) {
-    if (publicKey == null || !publicKey.getAlgorithm().startsWith("ML-DSA") || message == null) {
-      throw new IllegalArgumentException();
-    }
-    return computeMLDSAMuInternal(publicKey.getEncoded(), message);
-  }
 }