dotnet
diff --git a/‎src/libraries/Common/src/System/Security/Cryptography/MLKem.cs‎
Lines changed: 95 additions & 0 deletions b/‎src/libraries/Common/src/System/Security/Cryptography/MLKem.cs‎
Lines changed: 95 additions & 0 deletions
diff --git a/‎src/libraries/Common/tests/System/Security/Cryptography/MLKemNotSupportedTests.cs‎
Lines changed: 20 additions & 0 deletions b/‎src/libraries/Common/tests/System/Security/Cryptography/MLKemNotSupportedTests.cs‎
Lines changed: 20 additions & 0 deletions
@@ -883,6 +883,101 @@ public static MLKem ImportPkcs8PrivateKey(byte[] source)
             return ImportPkcs8PrivateKey(new ReadOnlySpan<byte>(source));
         }
 
+        /// <summary>
+        ///   Imports an ML-KEM private key from a PKCS#8 EncryptedPrivateKeyInfo structure.
+        /// </summary>
+        /// <param name="passwordBytes">
+        ///   The bytes to use as a password when decrypting the key material.
+        /// </param>
+        /// <param name="source">
+        ///   The bytes of a PKCS#8 EncryptedPrivateKeyInfo structure in the ASN.1-BER encoding.
+        /// </param>
+        /// <returns>
+        ///   The imported key.
+        /// </returns>
+        /// <exception cref="CryptographicException">
+        ///   <para>
+        ///     The contents of <paramref name="source"/> do not represent an ASN.1-BER-encoded PKCS#8 EncryptedPrivateKeyInfo structure.
+        ///   </para>
+        ///   <para>-or-</para>
+        ///   <para>
+        ///     The specified password is incorrect.
+        ///   </para>
+        ///   <para>-or-</para>
+        ///   <para>
+        ///     The EncryptedPrivateKeyInfo indicates the Key Derivation Function (KDF) to apply is the legacy PKCS#12 KDF,
+        ///     which requires <see cref="char"/>-based passwords.
+        ///   </para>
+        ///   <para>-or-</para>
+        ///   <para>
+        ///     The value does not represent an ML-KEM key.
+        ///   </para>
+        ///   <para>-or-</para>
+        ///   <para>
+        ///     The algorithm-specific import failed.
+        ///   </para>
+        /// </exception>
+        /// <exception cref="PlatformNotSupportedException">
+        ///   The platform does not support ML-KEM. Callers can use the <see cref="IsSupported" /> property
+        ///   to determine if the platform supports ML-KEM.
+        /// </exception>
+        public static MLKem ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<byte> passwordBytes, ReadOnlySpan<byte> source)
+        {
+            ThrowIfTrailingData(source);
+            ThrowIfNotSupported();
+
+            return KeyFormatHelper.DecryptPkcs8(
+                passwordBytes,
+                source,
+                ImportPkcs8PrivateKey,
+                out _);
+        }
+
+        /// <summary>
+        ///   Imports an ML-KEM private key from a PKCS#8 EncryptedPrivateKeyInfo structure.
+        /// </summary>
+        /// <param name="password">
+        ///   The password to use when decrypting the key material.
+        /// </param>
+        /// <param name="source">
+        ///   The bytes of a PKCS#8 EncryptedPrivateKeyInfo structure in the ASN.1-BER encoding.
+        /// </param>
+        /// <returns>
+        ///   The imported key.
+        /// </returns>
+        /// <exception cref="CryptographicException">
+        ///   <para>
+        ///     The contents of <paramref name="source"/> do not represent an ASN.1-BER-encoded PKCS#8 EncryptedPrivateKeyInfo structure.
+        ///   </para>
+        ///   <para>-or-</para>
+        ///   <para>
+        ///     The specified password is incorrect.
+        ///   </para>
+        ///   <para>-or-</para>
+        ///   <para>
+        ///     The value does not represent an ML-KEM key.
+        ///   </para>
+        ///   <para>-or-</para>
+        ///   <para>
+        ///     The algorithm-specific import failed.
+        ///   </para>
+        /// </exception>
+        /// <exception cref="PlatformNotSupportedException">
+        ///   The platform does not support ML-KEM. Callers can use the <see cref="IsSupported" /> property
+        ///   to determine if the platform supports ML-KEM.
+        /// </exception>
+        public static MLKem ImportEncryptedPkcs8PrivateKey(ReadOnlySpan<char> password, ReadOnlySpan<byte> source)
+        {
+            ThrowIfTrailingData(source);
+            ThrowIfNotSupported();
+
+            return KeyFormatHelper.DecryptPkcs8(
+                password,
+                source,
+                ImportPkcs8PrivateKey,
+                out _);
+        }
+
         /// <summary>
         ///  Releases all resources used by the <see cref="MLKem"/> class.
         /// </summary>
 
@@ -64,5 +64,25 @@ public static void ImportDecapsulationKey_NotSupported(MLKemAlgorithm algorithm)
                 algorithm,
                 new Span<byte>(new byte[algorithm.DecapsulationKeySizeInBytes])));
         }
+
+        [Fact]
+        public static void ImportPkcs8PrivateKey_NotSupported()
+        {
+            Assert.Throws<PlatformNotSupportedException>(() => MLKem.ImportPkcs8PrivateKey(
+                MLKemTestData.IetfMlKem512PrivateKeySeed));
+
+            Assert.Throws<PlatformNotSupportedException>(() => MLKem.ImportPkcs8PrivateKey(
+                new ReadOnlySpan<byte>(MLKemTestData.IetfMlKem512PrivateKeySeed)));
+        }
+
+        [Fact]
+        public static void ImportEncryptedPkcs8PrivateKey_NotSupported()
+        {
+            Assert.Throws<PlatformNotSupportedException>(() => MLKem.ImportEncryptedPkcs8PrivateKey(
+                MLKemTestData.EncryptedPrivateKeyPassword, MLKemTestData.IetfMlKem512EncryptedPrivateKeySeed));
+
+            Assert.Throws<PlatformNotSupportedException>(() => MLKem.ImportEncryptedPkcs8PrivateKey(
+                MLKemTestData.EncryptedPrivateKeyPasswordBytes, MLKemTestData.IetfMlKem512EncryptedPrivateKeySeed));
+        }
     }
 }