ML-DSA private key encoding format has changed

[strongX509]

Starting with draft-ietf-lamps-dilithium-certificates-09 dated May 7 2025, the ML-DSA private key format changed to

ML-DSA-44-PrivateKey ::= CHOICE {
  seed [0] OCTET STRING (SIZE (32)),
  expandedKey OCTET STRING (SIZE (2560)),
  both SEQUENCE {
      seed OCTET STRING (SIZE (32)),
      expandedKey OCTET STRING (SIZE (2560))
      }
  }

ML-DSA-65-PrivateKey ::= CHOICE {
  seed [0] OCTET STRING (SIZE (32)),
  expandedKey OCTET STRING (SIZE (4032)),
  both SEQUENCE {
      seed OCTET STRING (SIZE (32)),
      expandedKey OCTET STRING (SIZE (4032))
      }
  }

ML-DSA-87-PrivateKey ::= CHOICE {
  seed [0] OCTET STRING (SIZE (32)),
  expandedKey OCTET STRING (SIZE (4896)),
  both SEQUENCE {
      seed OCTET STRING (SIZE (32)),
      expandedKey OCTET STRING (SIZE (4896))
      }
  }

Thus since Botan currently supports the keyseed format only, an ASN.1 CONTEXT 0 tag has to be inserted after the ASN.1 OCTET STRING tag of the PKCS#8 private key encoding. When will this change of the encoding be supported by Botan library?

[reneme]

Thanks for the ping on this! Our next release is just around the corner. We'll see whether we can still make it for that.