
OpenSSL OQS unable to open mlddsa44 key from pkcs12 that is created with IAIK-PQ (Post-Quantum) library #573

Open
stauro79 opened this issue Nov 22, 2024 · 3 comments
Labels
enhancement New feature or request

Comments

@stauro79

Describe the bug
We are using an IAIK Java library to create an mldsa44 key and certificate and store them in a PKCS#12 in Java.
Trying to open the PKCS#12 in OpenSSL OQS failed.
Recompiled the oqs provider with -DNOPUBKEY_IN_PRIVKEY=ON and it didn't work either.

Attached is the PKCS#12 created by the Java code.

pqckeycert2.zip

To Reproduce
Steps to reproduce the behavior:
Opening the PKCS#12 with the oqs provider fails with the error below.
```console
$ openssl pkcs12 -in ./pqckeycert2.p12 -passin pass:123456
Bag Attributes
    friendlyName: acme.com
    localKeyID: 2D 32 35 39 32 32 34 35 35 37
Error outputting keys and certificates
00A4EEA3CA7F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto/encode_decode/decoder_lib.c:102:No supported data to decode. Input type: DER, Input structure: PrivateKeyInfo
00A4EEA3CA7F0000:error:0300009C:digital envelope routines:pkey_set_type:unsupported algorithm:crypto/evp/p_lib.c:1566:
00A4EEA3CA7F0000:error:03000076:digital envelope routines:evp_pkcs82pkey_legacy:unsupported private key algorithm:crypto/evp/evp_pkey.c:42:TYPE=mldsa44
```

Recompiled OQS Provider with -DNOPUBKEY_IN_PRIVKEY=ON; it fails with the same error.

```console
$ openssl pkcs12 -in ~/pqckeycert2.p12 -passin pass:123456
Bag Attributes
    friendlyName: acme.com
    localKeyID: 2D 32 35 39 32 32 34 35 35 37
Error outputting keys and certificates
00D41F85407F0000:error:1E08010C:DECODER routines:OSSL_DECODER_from_bio:unsupported:crypto/encode_decode/decoder_lib.c:102:No supported data to decode. Input type: DER, Input structure: PrivateKeyInfo
00D41F85407F0000:error:0300009C:digital envelope routines:pkey_set_type:unsupported algorithm:crypto/evp/p_lib.c:1565:
00D41F85407F0000:error:03000076:digital envelope routines:evp_pkcs82pkey_legacy:unsupported private key algorithm:crypto/evp/evp_pkey.c:42:TYPE=mldsa44
```

Expected behavior
openssl oqs should open a p12 created with the third-party IAIK library.

Environment (please complete the following information):
Red Hat 8

Please run the following commands to obtain the version information:
master branch of openssl and oqsprovider

@stauro79 stauro79 added the bug Something isn't working label Nov 22, 2024
@baentsch
Member

That's not surprising as ML-DSA44 (final) is not yet integrated into OQS: If you want to check quickly, you may want to try with the corresponding "feature" branches bhe-fips204-final (liboqs) and bhe-fips204-final-tracker (oqsprovider). Otherwise, please wait for the next releases.

@baentsch baentsch added enhancement New feature or request and removed bug Something isn't working labels Nov 22, 2024
@danvangeest

That PKCS#12 key uses OID 1.3.6.1.4.1.2.267.12.4.4, which is not the ML-DSA OID; it's the old OID used for the IPD version for testing purposes.

The IAIK library needs to be updated to the correct OID (and if it hasn't been already, the encoding from https://datatracker.ietf.org/doc/draft-ietf-lamps-dilithium-certificates/ - still under development).

@stauro79
Author

stauro79 commented Nov 22, 2024

The failure happens in oqsprov/oqsprov_keys.c, while calling the d2i_ASN1_OCTET_STRING() function, which returns NULL.

The private key that came from the PKCS#12 has size 2560, which is passed to d2i_ASN1_OCTET_STRING(). d2i_ASN1_OCTET_STRING() expects an ASN.1-encoded octet string and fails because the input is not an ASN.1 octet string but raw private key bytes.

```c
OQSX_KEY *oqsx_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf,
                              OSSL_LIB_CTX *libctx, const char *propq) {
    OQSX_KEY *oqsx = NULL;
    const unsigned char *p;
    int plen;
    ASN1_OCTET_STRING *oct = NULL;
    const X509_ALGOR *palg;
    STACK_OF(ASN1_TYPE) *sk = NULL;
    ASN1_TYPE *aType = NULL;
    unsigned char *concat_key;
    const unsigned char *buf;
    int count, aux, i, buflen, key_diff = 0;

    /* p/plen: contents of the PKCS#8 privateKey OCTET STRING; palg: privateKeyAlgorithm */
    if (!PKCS8_pkey_get0(NULL, &p, &plen, &palg, p8inf))
        return 0;

    /* Non-composite keys: the payload is expected to be a DER OCTET STRING itself */
    if (get_keytype(OBJ_obj2nid(palg->algorithm)) != KEY_TYPE_CMP_SIG) {
        oct = d2i_ASN1_OCTET_STRING(NULL, &p, plen);
```
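As an added diagnostic (example code written for this page, not code from oqsprovider, IAIK or OpenSSL), the script below parses a PKCS#8 PrivateKeyInfo with a minimal DER reader and reports the two things the last two comments identify by hand: the privateKeyAlgorithm OID, and whether the privateKey payload is a nested DER OCTET STRING (what the provider's d2i_ASN1_OCTET_STRING() call accepts) or raw key bytes. The IPD OID 1.3.6.1.4.1.2.267.12.4.4 is the one quoted in the thread; the value 2.16.840.1.101.3.4.3.17 for final ML-DSA-44 is taken from NIST's CSOR registry and is an assumption of this example, not something the thread states. The sample keys are built from filler bytes, not real ML-DSA key material, and the example makes no claim about what draft-ietf-lamps-dilithium-certificates finally specifies for the private-key encoding.

```python
"""Triage a PKCS#8 PrivateKeyInfo: algorithm OID + shape of the privateKey payload."""

# OIDs: the IPD one is the value identified in the thread; the ML-DSA-44 one is
# NIST's CSOR OID (assumption of this example, not quoted on the page).
OID_DILITHIUM2_IPD = "1.3.6.1.4.1.2.267.12.4.4"
OID_ML_DSA_44 = "2.16.840.1.101.3.4.3.17"
KNOWN_OIDS = {OID_DILITHIUM2_IPD: "dilithium2 / ML-DSA-44-ipd (pre-standard)",
              OID_ML_DSA_44: "ML-DSA-44 (FIPS 204 final)"}
ML_DSA_44_SK_LEN = 2560  # FIPS 204 ML-DSA-44 private key size; matches the 2560 seen in the thread

SEQUENCE, INTEGER, OCTET_STRING, OBJECT_IDENTIFIER = 0x30, 0x02, 0x04, 0x06


def _read_length(buf, pos):
    if pos >= len(buf):
        raise ValueError("truncated DER length")
    first, pos = buf[pos], pos + 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4 or pos + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def read_tlv(buf, pos=0):
    """Return (tag, content, end_offset) for the DER TLV starting at pos."""
    if pos >= len(buf):
        raise ValueError("truncated DER")
    tag = buf[pos]
    length, pos = _read_length(buf, pos + 1)
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        groups = [v & 0x7F]          # base-128, continuation bit on all but the last group
        v >>= 7
        while v:
            groups.append(0x80 | (v & 0x7F))
            v >>= 7
        body.extend(reversed(groups))
    return der(OBJECT_IDENTIFIER, bytes(body))


def decode_oid(content):
    arcs, value = [], 0
    for b in content:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:                       # first byte packs the first two arcs
                first = 2 if value >= 80 else value // 40
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def parse_private_key_info(pki):
    """PrivateKeyInfo ::= SEQUENCE { version INTEGER, privateKeyAlgorithm
    AlgorithmIdentifier, privateKey OCTET STRING, ... }"""
    tag, body, _ = read_tlv(pki)
    if tag != SEQUENCE:
        raise ValueError("PrivateKeyInfo is not a SEQUENCE")
    tag, version, pos = read_tlv(body)
    if tag != INTEGER:
        raise ValueError("missing version INTEGER")
    tag, alg, pos = read_tlv(body, pos)
    if tag != SEQUENCE:
        raise ValueError("missing AlgorithmIdentifier")
    tag, oid, _ = read_tlv(alg)
    if tag != OBJECT_IDENTIFIER:
        raise ValueError("AlgorithmIdentifier without OID")
    tag, key, _ = read_tlv(body, pos)
    if tag != OCTET_STRING:
        raise ValueError("privateKey is not an OCTET STRING")
    return {"version": int.from_bytes(version, "big"),
            "algorithm": decode_oid(oid), "private_key": key}


def diagnose(pki):
    """OID plus whether the privateKey payload is itself one OCTET STRING TLV
    (the acceptance test d2i_ASN1_OCTET_STRING() applies) or raw bytes."""
    info = parse_private_key_info(pki)
    key, nested = info["private_key"], False
    try:
        tag, _, end = read_tlv(key)
        nested = tag == OCTET_STRING and end == len(key)
    except ValueError:
        pass
    oid = info["algorithm"]
    return {"algorithm": oid, "algorithm_name": KNOWN_OIDS.get(oid, "unknown"),
            "is_final_ml_dsa_44_oid": oid == OID_ML_DSA_44,
            "nested_octet_string": nested, "payload_len": len(key),
            "raw_ml_dsa_44_sized": not nested and len(key) == ML_DSA_44_SK_LEN}


def build_private_key_info(oid, key_bytes, nested_octet_string):
    payload = der(OCTET_STRING, key_bytes) if nested_octet_string else key_bytes
    return der(SEQUENCE, der(INTEGER, b"\x00") + der(SEQUENCE, encode_oid(oid))
               + der(OCTET_STRING, payload))


# Constructed filler (not a real key): 2560 bytes, first byte 0x00 so it cannot pass as an OCTET STRING tag.
SAMPLE_SK = bytes(range(256)) * 10
# Shape of the IAIK key as described in the thread: IPD OID, raw bytes inside privateKey.
IAIK_STYLE = build_private_key_info(OID_DILITHIUM2_IPD, SAMPLE_SK, nested_octet_string=False)
# Shape the provider's non-composite path reads: final OID, privateKey wrapping a nested OCTET STRING.
PROVIDER_STYLE = build_private_key_info(OID_ML_DSA_44, SAMPLE_SK, nested_octet_string=True)

if __name__ == "__main__":
    for name, blob in (("IAIK-style", IAIK_STYLE), ("provider-style", PROVIDER_STYLE)):
        print(name, diagnose(blob))
```

Feed `diagnose()` the DER PrivateKeyInfo exported from the Java side; a result of the IPD OID together with `nested_octet_string` False and a 2560-byte payload is exactly the combination the thread describes, and the fix is then on the IAIK side rather than in the provider build flags.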
