Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cryptography breaking changes #42018

Merged
merged 6 commits into from
Aug 6, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
15 changes: 11 additions & 4 deletions docs/core/compatibility/9.0.md
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Breaking changes in .NET 9
titleSuffix: ""
description: Navigate to the breaking changes in .NET 9.
ms.date: 02/01/2024
ms.date: 08/02/2024
no-loc: [Blazor, Razor, Kestrel]
---
# Breaking changes in .NET 9
Expand Down Expand Up @@ -35,6 +35,13 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
| [RuntimeHelpers.GetSubArray returns different type](core-libraries/9.0/getsubarray-return.md) | Behavioral change | Preview 1 |
| [Support for empty environment variables](core-libraries/9.0/empty-env-variable.md) | Behavioral change | Preview 6 |

## Cryptography

| Title | Type of change | Introduced version |
|-------|----------------|--------------------|
| [SafeEvpPKeyHandle.DuplicateHandle up-refs the handle](cryptography/9.0/evp-pkey-handle.md) | Behavioral change | Preview 7 |
| [Some X509Certificate2 and X509Certificate constructors are obsolete](cryptography/9.0/x509-certificates.md) | Source incompatible | Preview 7 |

## Networking

| Title | Type of change | Introduced version |
Expand Down Expand Up @@ -63,9 +70,9 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff

## WPF

| Title | Type of change | Introduced version |
|-----------------------------------------------------------------------------------------|---------------------|--------------------|
| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3 |
| Title | Type of change | Introduced version |
|--------------------------------------------------------------------|---------------------------------------|--------------------|
| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3 |

## See also

Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: "Breaking change: .NET 9 obsoletions with custom IDs"
titleSuffix: ""
description: Learn about the .NET 9 breaking change in core .NET libraries where some APIs have been marked as obsolete with a custom diagnostic ID.
ms.date: 05/09/2024
ms.date: 08/01/2024
---
# API obsoletions with non-default diagnostic IDs (.NET 9)

Expand All @@ -19,6 +19,7 @@ The following table lists the custom diagnostic IDs and their corresponding warn
| [SYSLIB0009](../../../../fundamentals/syslib-diagnostics/syslib0009.md) | <xref:System.Net.AuthenticationManager> is not supported. Methods will no-op or throw <xref:System.PlatformNotSupportedException>. | Warning |
| [SYSLIB0054](../../../../fundamentals/syslib-diagnostics/syslib0054.md) | <xref:System.Threading.Thread.VolatileRead%2A?displayProperty=nameWithType> and <xref:System.Threading.Thread.VolatileWrite%2A?displayProperty=nameWithType> are obsolete. Use <xref:System.Threading.Volatile.Read%2A?displayProperty=nameWithType> or <xref:System.Threading.Volatile.Write%2A?displayProperty=nameWithType> instead. | Warning |
| [SYSLIB0055](../../../../fundamentals/syslib-diagnostics/syslib0055.md) | `AdvSimd.ShiftRightLogicalRoundedNarrowingSaturate*` methods with signed parameters are obsolete. Use the unsigned overloads instead. | Warning |
| [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md) | `X509Certificate2` and `X509Certificate` constructors for binary and file content are obsolete. | Warning |

## Version introduced

Expand Down Expand Up @@ -57,6 +58,42 @@ These obsoletions can affect [source compatibility](../../categories.md#source-c
- <xref:System.Runtime.Intrinsics.Arm.AdvSimd.ShiftRightLogicalRoundedNarrowingSaturateUpper(System.Runtime.Intrinsics.Vector64{System.Int16},System.Runtime.Intrinsics.Vector128{System.Int32},System.Byte)?displayProperty=fullName>
- <xref:System.Runtime.Intrinsics.Arm.AdvSimd.ShiftRightLogicalRoundedNarrowingSaturateUpper(System.Runtime.Intrinsics.Vector64{System.Int32},System.Runtime.Intrinsics.Vector128{System.Int64},System.Byte)?displayProperty=fullName>

### SYSLIB0057

- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[])>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.ReadOnlySpan{System.Byte})>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.Security.SecureString)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.String)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.Security.SecureString)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.String)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.ReadOnlySpan{System.Byte},System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[])>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.Security.SecureString)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.String)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.Security.SecureString)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.Byte[])>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte})>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte})>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte},System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte},System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.String,System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.String)>

## See also

- [API obsoletions with non-default diagnostic IDs (.NET 8)](../8.0/obsolete-apis-with-custom-diagnostics.md)
Expand Down
40 changes: 40 additions & 0 deletions docs/core/compatibility/cryptography/9.0/evp-pkey-handle.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,40 @@
---
title: "Breaking change: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle"
description: Learn about the .NET 9 breaking change in cryptography where SafeEvpPKeyHandle.DuplicateHandle now increments the reference count of the EVP_PKEY handle instead of creating a new instance.
ms.date: 08/05/2024
---
# SafeEvpPKeyHandle.DuplicateHandle up-refs the handle

Along with work to enable OpenSSL providers support, a change was made to the <xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle?displayProperty=nameWithType> method that impacts the <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> constructors that take a <xref:System.Security.Cryptography.SafeEvpPKeyHandle>. External modifications of the passed handle now also affect the handle stored in instances of those classes.

## Previous behavior

<xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle> created a new `EVP_PKEY` instance. Modifications to the duplicated key (that is, through direct calls to OpenSSL APIs) did not impact the original key. `SafeEvpPKeyHandle.DuplicateHandle` was called by the constructors of <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> that take a <xref:System.Security.Cryptography.SafeEvpPKeyHandle>.

## New behavior

<xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle> increments the reference count of the existing `EVP_PKEY` and returns a handle to the same key. That means external calls to OpenSSL APIs that modify `EVP_PKEY` now also affect instances of the duplicated <xref:System.Security.Cryptography.SafeEvpPKeyHandle>. Those APIs include <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> instances created from such handles.

## Version introduced

.NET 9 Preview 7

## Type of breaking change

This change is a [behavioral change](../../categories.md#behavioral-change).

## Reason for change

This change was made to enable OpenSSL providers support. As a side effect, there are also some performance improvements.

## Recommended action

Avoid modifications of `EVP_PKEY` passed in to .NET APIs. If you can't avoid modifications to `EVP_PKEY`, create a copy of `EVP_PKEY` yourself (that is, copy parameters into the new `EVP_PKEY` instance).

## Affected APIs

- <xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle?displayProperty=fullName>
- <xref:System.Security.Cryptography.ECDsaOpenSsl.%23ctor(System.Security.Cryptography.SafeEvpPKeyHandle)>
- <xref:System.Security.Cryptography.RSAOpenSsl.%23ctor(System.Security.Cryptography.SafeEvpPKeyHandle)>

Every API that accepts an <Xref:System.Security.Cryptography.RSA> or <Xref:System.Security.Cryptography.ECDsa> instance that originates from <xref:System.Security.Cryptography.SafeEvpPKeyHandle> is also affected.
38 changes: 38 additions & 0 deletions docs/core/compatibility/cryptography/9.0/x509-certificates.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
title: "Some X509Certificate2 and X509Certificate constructors are obsolete"
description: Learn about the .NET 9 breaking change in cryptography where X509Certificate2 and X509Certificate constructors for binary and file content are obsolete.
ms.date: 08/01/2024
---
# Some X509Certificate2 and X509Certificate constructors are obsolete

The constructors on <xref:System.Security.Cryptography.X509Certificates.X509Certificate> and <xref:System.Security.Cryptography.X509Certificates.X509Certificate2> that accept content as a `byte[]`, `ReadOnlySpan<byte>`, or a `string` file path are obsolete, starting in .NET 9. The <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import%2A> methods on X509Certificate2Collection are also obsolete. Calling them in code generates warning `SYSLIB0057` at compile time.

## Previous behavior

Developers could use the affected APIs without an obsolete warning.

## New behavior

Affected APIs will receive an obsolete compilation warning with ID [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md).

## Version introduced

.NET 9 Preview 7

## Type of breaking change

This change can affect [source compatibility](../../categories.md#source-compatibility).

## Reason for change

The affected APIs supported loading certificates in multiple formats. For example, `new X509Certificate2(data)` loaded a certificate from a `byte[]` called `data`. `data` could be one of any supported format, including X.509, PKCS7, or PKCS12/PFX.

While this method was easy to use, it created issues where user-supplied data was passed with a different format than intended. This might allow loading PKCS12 where only X.509 content was intended to be loaded. Or it might create interoperability issues from handling the data in different ways.

## Recommended action

For workarounds, see [Workaround](../../../../fundamentals/syslib-diagnostics/syslib0057.md#workaround).

## Affected APIs

For affected APIs, see [SYSLIB0057](../../core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md#syslib0057).
12 changes: 12 additions & 0 deletions docs/core/compatibility/toc.yml
Original file line number Diff line number Diff line change
Expand Up @@ -32,6 +32,12 @@ items:
href: core-libraries/9.0/getsubarray-return.md
- name: Support for empty environment variables
href: core-libraries/9.0/empty-env-variable.md
- name: Cryptography
items:
- name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
href: cryptography/9.0/evp-pkey-handle.md
- name: Some X509Certificate2 and X509Certificate constructors are obsolete
href: cryptography/9.0/x509-certificates.md
- name: Networking
items:
- name: HttpListenerRequest.UserAgent is nullable
Expand Down Expand Up @@ -1396,6 +1402,12 @@ items:
href: corefx.md
- name: Cryptography
items:
- name: .NET 9
items:
- name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
href: cryptography/9.0/evp-pkey-handle.md
- name: Some X509Certificate2 and X509Certificate constructors are obsolete
href: cryptography/9.0/x509-certificates.md
- name: .NET 8
items:
- name: AesGcm authentication tag size on macOS
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
title: Obsolete features in .NET 5+
titleSuffix: ""
description: Learn about APIs that are marked as obsolete in .NET 5 and later versions that produce SYSLIB compiler warnings.
ms.date: 05/09/2024
ms.date: 08/01/2024
---

# Obsolete features in .NET 5+
Expand Down Expand Up @@ -76,6 +76,7 @@ The following table provides an index to the `SYSLIB0XXX` obsoletions in .NET 5+
| [SYSLIB0053](syslib0053.md) | Warning | <xref:System.Security.Cryptography.AesGcm> should indicate the required tag size for encryption and decryption. Use a constructor that accepts the tag size. |
| [SYSLIB0054](syslib0054.md) | Warning | <xref:System.Threading.Thread.VolatileRead%2A?displayProperty=nameWithType> and <xref:System.Threading.Thread.VolatileWrite%2A?displayProperty=nameWithType> are obsolete. Use <xref:System.Threading.Volatile.Read%2A?displayProperty=nameWithType> or <xref:System.Threading.Volatile.Write%2A?displayProperty=nameWithType> instead. |
| [SYSLIB0055](syslib0055.md) | Warning | `AdvSimd.ShiftRightLogicalRoundedNarrowingSaturate*` methods with signed parameters are obsolete. Use the unsigned overloads instead. |
| [SYSLIB0057](syslib0057.md) | Warning | `X509Certificate2` and `X509Certificate` constructors for binary and file content are obsolete. |

## Suppress warnings

Expand Down
59 changes: 59 additions & 0 deletions docs/fundamentals/syslib-diagnostics/syslib0057.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,59 @@
---
title: SYSLIB0057 warning - X509Certificate2 and X509Certificate constructors for binary and file content are obsolete
description: Learn about the obsoletion of some X509Certificate2 and X509Certificate constructors that generates compile-time warning SYSLIB0057.
ms.date: 08/01/2024
f1_keywords:
- SYSLIB0057
---
# SYSLIB0057: X509Certificate2 and X509Certificate constructors for binary and file content are obsolete

The constructors on <xref:System.Security.Cryptography.X509Certificates.X509Certificate> and <xref:System.Security.Cryptography.X509Certificates.X509Certificate2> that accept content as a `byte[]`, `ReadOnlySpan<byte>`, or a `string` file path are obsolete, starting in .NET 9. The <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import%2A> methods on X509Certificate2Collection are also obsolete. Calling them in code generates warning `SYSLIB0057` at compile time.

## Reason for obsoletion

The affected APIs supported loading certificates in multiple formats. For example, `new X509Certificate2(data)` loaded a certificate from a `byte[]` called `data`. `data` could be one of any supported format, including X.509, PKCS7, or PKCS12/PFX.

While this method was easy to use, it created issues where user-supplied data was passed with a different format than intended. This might allow loading PKCS12 where only X.509 content was intended to be loaded. Or it might create interoperability issues from handling the data in different ways.

## Workaround

Use a different API to load certificate content, depending on the intended content type.

A new class called `X509CertificateLoader` <!--<xref:System.Security.Cryptography.X509Certificates.X509CertificateLoader>--> can be used to load X.509 or PKCS12 content:

- If you're loading X.509 content, use `X509CertificateLoader.LoadCertificate` or `X509CertificateLoader.LoadCertificateFromFile`.
- If you're loading PKCS12 content, use `X509CertificateLoader.LoadPkcs12`, `X509CertificateLoader.LoadPkcs12FromFile`, `X509CertificateLoader.LoadPkcs12Collection`, or `X509CertificateLoader.LoadPkcs12CollectionFromFile`.
- If you're loading PKCS7 content, use <xref:System.Security.Cryptography.Pkcs.SignedCms > from the System.Security.Cryptography.Pkcs package to inspect certificates in PKCS7 content.
- If you're uncertain about the content type you're loading, use <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.GetCertContentType%2A> to determine the content type and call the appropriate API.

The [Microsoft.Bcl.Cryptography package](https://www.nuget.org/packages/Microsoft.Bcl.Cryptography/) supplies `X509CertificateLoader` for .NET Framework and .NET Standard.

## Suppress a warning

If you must use the obsolete APIs, you can suppress the warning in code or in your project file.

To suppress only a single violation, add preprocessor directives to your source file to disable and then re-enable the warning.

```csharp
// Disable the warning.
#pragma warning disable SYSLIB0057

// Code that uses obsolete API.
// ...

// Re-enable the warning.
#pragma warning restore SYSLIB0057
```

To suppress all the `SYSLIB0057` warnings in your project, add a `<NoWarn>` property to your project file.

```xml
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
...
<NoWarn>$(NoWarn);SYSLIB0057</NoWarn>
</PropertyGroup>
</Project>
```

For more information, see [Suppress warnings](obsoletions-overview.md#suppress-warnings).
Loading
Loading