From 287b4e16f8ca6bd9f621dc77ef3fe2b8ff79ac27 Mon Sep 17 00:00:00 2001 From: juergw Date: Wed, 17 Dec 2025 11:38:55 +0000 Subject: [PATCH 1/6] Improve error message for ML-DSA private key parsing. --- .../java/org/conscrypt/OpenSslMlDsaKeyFactory.java | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) diff --git a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java index 158ee8cce..9f54c37e5 100644 --- a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java +++ b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java @@ -204,7 +204,15 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec) throws InvalidKeySpe NativeConstants.EVP_PKEY_ML_DSA_87})); return makePrivateKey(key); } catch (OpenSSLX509CertificateFactory.ParsingException e) { - throw new InvalidKeySpecException("Invalid PKCS8 encoding", e); + if (encoded.length > 1000) { + // Key is large, so it seems that it is not in the "seed format". + throw new InvalidKeySpecException( + "Unable to parse key. Please use ML-DSA seed format as specified and recommended" + + " in RFC 9881.", e); + } + // More generic error message. + throw new InvalidKeySpecException( + "Unable to parse ey. Currently only ML-DSA-65 and ML-DSA-87 are supported.", e); } } From f1e2e10c2009df0575545bfca39bf7d24119878e Mon Sep 17 00:00:00 2001 From: juergw Date: Wed, 17 Dec 2025 11:43:54 +0000 Subject: [PATCH 2/6] Change error texts. --- .../src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java index 9f54c37e5..1ae51de25 100644 --- a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java +++ b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java 
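Review bot: The `encoded.length > 1000` test added to the catch block of engineGeneratePrivate picks the error text by input size alone, so any oversized input that fails to parse, including a damaged blob or one for another algorithm, is told to switch to the ML-DSA seed format. The threshold is also an unexplained literal. If the branch is kept, give it a name and a stated reason, for example `private static final int MAX_SEED_FORMAT_ENCODING_LENGTH = 1000; // longer inputs are assumed to carry an expanded key`. `encoded` and the start of the method lie outside the hunk, so how the bytes are obtained cannot be checked here.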
@@ -148,7 +148,8 @@ protected PublicKey engineGeneratePublic(KeySpec keySpec) throws InvalidKeySpecE NativeConstants.EVP_PKEY_ML_DSA_87})); return makePublicKey(key); } catch (OpenSSLX509CertificateFactory.ParsingException e) { - throw new InvalidKeySpecException("Invalid X.509 encoding", e); + throw new InvalidKeySpecException( + "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported.", e); } } @@ -210,9 +211,8 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec) throws InvalidKeySpe "Unable to parse key. Please use ML-DSA seed format as specified and recommended" + " in RFC 9881.", e); } - // More generic error message. throw new InvalidKeySpecException( - "Unable to parse ey. Currently only ML-DSA-65 and ML-DSA-87 are supported.", e); + "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported.", e); } } From 5fe8423ebe073b2a255b0b472ffbda4312015000 Mon Sep 17 00:00:00 2001 From: juergw Date: Wed, 17 Dec 2025 11:52:07 +0000 Subject: [PATCH 3/6] Fix format. --- .../java/org/conscrypt/OpenSslMlDsaKeyFactory.java | 13 ++++++++----- 1 file changed, 8 insertions(+), 5 deletions(-) diff --git a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java index 1ae51de25..e4f322c7c 100644 --- a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java +++ b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java @@ -149,7 +149,8 @@ protected PublicKey engineGeneratePublic(KeySpec keySpec) throws InvalidKeySpecE return makePublicKey(key); } catch (OpenSSLX509CertificateFactory.ParsingException e) { throw new InvalidKeySpecException( - "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported.", e); + "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported.", + e); } } 
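Review bot: The new message in engineGeneratePublic no longer names the expected encoding: the removed text said `Invalid X.509 encoding`, while the replacement reports every ParsingException as an unsupported parameter set. A truncated or otherwise malformed input for a supported variant would send the caller looking at the wrong cause. Keeping the encoding in the text covers both cases, for example `"Unable to parse X.509-encoded key. Only ML-DSA-65 and ML-DSA-87 are currently supported."`. The same applies to the private-key messages in this patch's second hunk and in PATCH 5/6, which drop `PKCS8`. The method body starts outside the hunk.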
@@ -207,12 +208,14 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec) throws InvalidKeySpe } catch (OpenSSLX509CertificateFactory.ParsingException e) { if (encoded.length > 1000) { // Key is large, so it seems that it is not in the "seed format". - throw new InvalidKeySpecException( - "Unable to parse key. Please use ML-DSA seed format as specified and recommended" - + " in RFC 9881.", e); + throw new InvalidKeySpecException("Unable to parse key. Please use ML-DSA seed " + + "format as specified and recommended" + + " in RFC 9881.", + e); } throw new InvalidKeySpecException( - "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported.", e); + "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported.", + e); } } From 6c955d16ca5d52566092f5667ff74e09684dad08 Mon Sep 17 00:00:00 2001 From: juergw Date: Wed, 17 Dec 2025 12:01:50 +0000 Subject: [PATCH 4/6] Fix format. --- common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java index e4f322c7c..72968241d 100644 --- a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java +++ b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java @@ -209,7 +209,7 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec) throws InvalidKeySpe if (encoded.length > 1000) { // Key is large, so it seems that it is not in the "seed format". throw new InvalidKeySpecException("Unable to parse key. Please use ML-DSA seed " - + "format as specified and recommended" + + "format as specified and recommended" + " in RFC 9881.", e); } From e99aab1985c7a178413c9ff8d1c090dc97e65866 Mon Sep 17 00:00:00 2001 
From: juergw Date: Thu, 18 Dec 2025 10:27:46 +0000 Subject: [PATCH 5/6] Simplify error message. --- .../java/org/conscrypt/OpenSslMlDsaKeyFactory.java | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java index 72968241d..784c84b06 100644 --- a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java +++ b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java @@ -206,15 +206,10 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec) throws InvalidKeySpe NativeConstants.EVP_PKEY_ML_DSA_87})); return makePrivateKey(key); } catch (OpenSSLX509CertificateFactory.ParsingException e) { - if (encoded.length > 1000) { - // Key is large, so it seems that it is not in the "seed format". - throw new InvalidKeySpecException("Unable to parse key. Please use ML-DSA seed " - + "format as specified and recommended" - + " in RFC 9881.", - e); - } throw new InvalidKeySpecException( - "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported.", + "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported. " + + "Please use ML-DSA 'seed format' as specified and recommended " + + "in RFC 9881.", e); } } From 478f27d3fc661c5d09d4d4478b49d143c76ad6bb Mon Sep 17 00:00:00 2001 From: juergw Date: Thu, 18 Dec 2025 10:30:13 +0000 Subject: [PATCH 6/6] Fix format. --- .../src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java index 784c84b06..521a2e0f2 100644 --- a/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java +++ b/common/src/main/java/org/conscrypt/OpenSslMlDsaKeyFactory.java 
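Review bot: The merged message in the catch block of engineGeneratePrivate says `Please use ML-DSA 'seed format'` unconditionally, so a key that is already in seed format but fails for another reason (unsupported parameter set, damaged bytes) gets advice that does not apply. Phrasing the second sentence as a condition keeps it accurate, for example `+ "If the key is not in the ML-DSA 'seed format' specified in RFC 9881, re-encode it in that format."`. The series touches only OpenSslMlDsaKeyFactory.java, so a test asserting that a non-seed key yields InvalidKeySpecException with the ParsingException as its cause would be worth adding. The message being a fixed string that never echoes the rejected bytes is worth keeping on a private-key path.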
@@ -208,8 +208,8 @@ protected PrivateKey engineGeneratePrivate(KeySpec keySpec) throws InvalidKeySpe } catch (OpenSSLX509CertificateFactory.ParsingException e) { throw new InvalidKeySpecException( "Unable to parse key. Only ML-DSA-65 and ML-DSA-87 are currently supported. " - + "Please use ML-DSA 'seed format' as specified and recommended " - + "in RFC 9881.", + + "Please use ML-DSA 'seed format' as specified and recommended " + + "in RFC 9881.", e); } }