[PM-34825] Add support for ML-DSA keypairs

[quexten]

🎟️ Tracking

https://bitwarden.atlassian.net/browse/PM-34825
bitwarden/server#7435

📔 Objective

Adds post-quantum ML-DSA key pair support for v2 user identity key pairs.

Please note that ML-DSA-44 is FIPS-level-2 security level. It is FIPS compatible under:
https://nvlpubs.nist.gov/nistpubs/fips/nist.fips.204.pdf

The encoding via cose is defined here:
https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/

The CTX parameter is left empty, since we already do context binding within the signed messages. We support only the randomized signature mode, because it is recommended.

This document also permits a fully deterministic variant of the signing procedure in case the signer has
no access to a fresh source of randomness at signing time. However, the lack of randomness in the
deterministic variant makes the risk of side-channel attacks (particularly fault attacks) more difficult to
mitigate. Therefore, this variant should not be used on platforms where side-channel attacks are a concern
and where they cannot be otherwise mitigated.

ML-DSA are made the default key type for v2 users, so that they don't require a migration of signature keys to get post-quantum ready.

🚨 Breaking Changes

[github-actions]

Checkmarx One – Scan Summary & Details – 6ad71bd6-cd32-4be1-b38b-14b0f4f754da

Great job! No new security vulnerabilities introduced in this pull request

[quexten]

Note: This defaults to ML-DSA for all v2 users!

[github-actions]

🔍 SDK Breaking Change Detection Results

SDK Version: km/poc-mldsa-keypair (92399d0)
Completed: 2026-04-15 10:05:45 UTC
Total Time: 277s

Client	Status	Details
typescript	✅ No breaking changes detected	TypeScript compilation passed with new SDK version - View Details

---

Breaking change detection completed. View SDK workflow

[codecov]

Codecov Report

❌ Patch coverage is 72.51462% with 47 lines in your changes missing coverage. Please review.
✅ Project coverage is 83.45%. Comparing base (45ebecf) to head (92399d0).
⚠️ Report is 3 commits behind head on main.

Files with missing lines	Patch %	Lines
crates/bitwarden-crypto/src/signing/cose.rs	48.64%	19 Missing ⚠️
crates/bitwarden-crypto/src/signing/signing_key.rs	79.34%	19 Missing ⚠️
...ates/bitwarden-crypto/src/signing/verifying_key.rs	65.21%	8 Missing ⚠️
crates/bitwarden-crypto/src/signing/mod.rs	50.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #920      +/-   ##
==========================================
- Coverage   83.50%   83.45%   -0.05%     
==========================================
  Files         379      379              
  Lines       45720    45871     +151     
==========================================
+ Hits        38178    38283     +105     
- Misses       7542     7588      +46     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[quexten]

Note for reviewers; The cose spec says PUB is always required, even in private keys, so the private key (signing key) here contains both pub and private values.

[MGibson1]

Is this per https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/ ?

It's quite odd to me that they chose to make pub required when previous RFCs ecdsa don't. It feels different enough for a comment to me.

[quexten]

It's quite odd to me that they chose to make pub required when previous RFCs ecdsa don't.

It was not REQUIRED but RECOMMENDED to add them for eliptic curves. For RSA, it was also REQUIRED https://datatracker.ietf.org/doc/html/rfc8230/#section-4

o For public keys, the fields 'n' and 'e' MUST be present. All
other fields defined in the following table below MUST be absent.
o For private keys with two primes, the fields 'other', 'r_i',
'd_i', and 't_i' MUST be absent; all other fields MUST be present.

[djsmith85]

Requesting additional reviews from @dani-garcia as platform-support for Auth and @Hinton due to CXF changes

[quexten]

Thanks. I'll note that the cxf changes are just tests, that the compiler complained about. (I did not dig into what changed). The same applies to the auth changes.

[harr1424]

Exporter changes look good

[MGibson1]

This looks good to me, I am annoyed by the pub key decision so I wouldn't mind a comment there, but nothing else from me.

[MGibson1]

Is this per https://datatracker.ietf.org/doc/draft-ietf-cose-dilithium/ ?

It's quite odd to me that they chose to make pub required when previous RFCs ecdsa don't. It feels different enough for a comment to me.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud