Thread safety for ML-DSA key init, null guards in X509 adapter path

iNinja · Copilot · iNinja · commit 26d94dba6092 · 2026-05-08T12:32:08.000+01:00
- Make _mlDsaPrivateKeyInitialized and _mlDsaPublicKeyInitialized volatile
  to ensure correct publication across threads in double-checked locking
- Add IDX10725 for X509 certs where key extraction fails (unsupported
  platform or unrecognised key type)
- Guard null PrivateKey before passing to InitializeUsingRsa to prevent
  deferred NRE when X509 cert has no private key
- Register IDX10725 in InternalAPI.Unshipped.txt

Co-authored-by: Copilot &lt;223556219+Copilot@users.noreply.github.com&gt;
diff --git a/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs b/src/Microsoft.IdentityModel.Tokens/AsymmetricAdapter.cs
@@ -302,8 +302,28 @@ private void InitializeUsingX509SecurityKey(
 
                 InitializeUsingMlDsa(mlDsa);
             }
+            else if (x509SecurityKey.PublicKey == null)
+            {
+                // Certificate contains neither a supported classical key (RSA/ECDSA) nor
+                // an extractable ML-DSA key. This occurs when the certificate uses a key
+                // type that the platform cannot extract (e.g., ML-DSA on older OS versions).
+                throw LogHelper.LogExceptionMessage(
+                    new NotSupportedException(
+                        LogHelper.FormatInvariant(
+                            LogMessages.IDX10725,
+                            LogHelper.MarkAsNonPII(algorithm),
+                            LogHelper.MarkAsNonPII(x509SecurityKey.KeyId))));
+            }
             else if (requirePrivateKey)
             {
+                if (x509SecurityKey.PrivateKey == null)
+                    throw LogHelper.LogExceptionMessage(
+                        new InvalidOperationException(
+                            LogHelper.FormatInvariant(
+                                LogMessages.IDX10723,
+                                LogHelper.MarkAsNonPII(algorithm),
+                                LogHelper.MarkAsNonPII(x509SecurityKey.KeyId))));
+
                 InitializeUsingRsa(x509SecurityKey.PrivateKey as RSA, algorithm);
             }
             else
diff --git a/src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt b/src/Microsoft.IdentityModel.Tokens/InternalAPI.Unshipped.txt
@@ -122,3 +122,4 @@ const Microsoft.IdentityModel.Tokens.LogMessages.IDX10721 = "IDX10721: Unable to
 const Microsoft.IdentityModel.Tokens.LogMessages.IDX10722 = "IDX10722: The AKP JsonWebKey (alg: '{0}') has inconsistent key material. The 'pub' parameter does not match the public key derived from 'priv'." -> string
 const Microsoft.IdentityModel.Tokens.LogMessages.IDX10723 = "IDX10723: Unable to extract the private key from the X.509 certificate for algorithm '{0}' (Key: '{1}'). Private key extraction may not be supported on this platform." -> string
 const Microsoft.IdentityModel.Tokens.LogMessages.IDX10724 = "IDX10724: Unable to compute a JWK thumbprint, public key extraction from the X.509 certificate is not supported on this platform (Key: '{0}')." -> string
+const Microsoft.IdentityModel.Tokens.LogMessages.IDX10725 = "IDX10725: Unable to create a SignatureProvider for algorithm '{0}' (Key: '{1}'). The X.509 certificate key could not be extracted. This may indicate the platform does not support the certificate's key type." -> string
diff --git a/src/Microsoft.IdentityModel.Tokens/LogMessages.cs b/src/Microsoft.IdentityModel.Tokens/LogMessages.cs
@@ -281,6 +281,7 @@ internal static class LogMessages
         public const string IDX10722 = "IDX10722: The AKP JsonWebKey (alg: '{0}') has inconsistent key material. The 'pub' parameter does not match the public key derived from 'priv'.";
         public const string IDX10723 = "IDX10723: Unable to extract the private key from the X.509 certificate for algorithm '{0}' (Key: '{1}'). Private key extraction may not be supported on this platform.";
         public const string IDX10724 = "IDX10724: Unable to compute a JWK thumbprint, public key extraction from the X.509 certificate is not supported on this platform (Key: '{0}').";
+        public const string IDX10725 = "IDX10725: Unable to create a SignatureProvider for algorithm '{0}' (Key: '{1}'). The X.509 certificate key could not be extracted. This may indicate the platform does not support the certificate's key type.";
 
         // Json specific errors
         //public const string IDX10801 = "IDX10801:"
diff --git a/src/Microsoft.IdentityModel.Tokens/X509SecurityKey.cs b/src/Microsoft.IdentityModel.Tokens/X509SecurityKey.cs
@@ -35,8 +35,8 @@ public class X509SecurityKey : AsymmetricSecurityKey
         MLDsa _mlDsaPrivateKey;
         MLDsa _mlDsaPublicKey;
         bool _isMlDsa;
-        bool _mlDsaPrivateKeyInitialized;
-        bool _mlDsaPublicKeyInitialized;
+        volatile bool _mlDsaPrivateKeyInitialized;
+        volatile bool _mlDsaPublicKeyInitialized;
         bool _mlDsaPrivateKeyUnsupported;
 #if NET9_0_OR_GREATER
         Lock _thisLock = new();
