Cryptography breaking changes (#42018)

gewarren · web-flow · commit a7982ae35fcb · 2024-08-06T13:19:42.000-07:00
diff --git a/docs/core/compatibility/9.0.md b/docs/core/compatibility/9.0.md
@@ -2,7 +2,7 @@
 title: Breaking changes in .NET 9
 titleSuffix: ""
 description: Navigate to the breaking changes in .NET 9.
-ms.date: 02/01/2024
+ms.date: 08/02/2024
 no-loc: [Blazor, Razor, Kestrel]
 ---
 # Breaking changes in .NET 9
@@ -36,6 +36,13 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 | [RuntimeHelpers.GetSubArray returns different type](core-libraries/9.0/getsubarray-return.md) | Behavioral change   | Preview 1          |
 | [Support for empty environment variables](core-libraries/9.0/empty-env-variable.md) | Behavioral change   | Preview 6          |
 
+## Cryptography
+
+| Title | Type of change | Introduced version |
+|-------|----------------|--------------------|
+| [SafeEvpPKeyHandle.DuplicateHandle up-refs the handle](cryptography/9.0/evp-pkey-handle.md) | Behavioral change | Preview 7 |
+| [Some X509Certificate2 and X509Certificate constructors are obsolete](cryptography/9.0/x509-certificates.md) | Source incompatible | Preview 7 |
+
 ## Networking
 
 | Title                                                                             | Type of change      | Introduced version |
@@ -64,9 +71,9 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 
 ## WPF
 
-| Title                                                                                   | Type of change      | Introduced version |
-|-----------------------------------------------------------------------------------------|---------------------|--------------------|
-| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3 |
+| Title                                                              | Type of change                        | Introduced version |
+|--------------------------------------------------------------------|---------------------------------------|--------------------|
+| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3          |
 
 ## See also
 
diff --git a/docs/core/compatibility/core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md b/docs/core/compatibility/core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md
@@ -2,7 +2,7 @@
 title: "Breaking change: .NET 9 obsoletions with custom IDs"
 titleSuffix: ""
 description: Learn about the .NET 9 breaking change in core .NET libraries where some APIs have been marked as obsolete with a custom diagnostic ID.
-ms.date: 05/09/2024
+ms.date: 08/01/2024
 ---
 # API obsoletions with non-default diagnostic IDs (.NET 9)
 
@@ -19,6 +19,7 @@ The following table lists the custom diagnostic IDs and their corresponding warn
 | [SYSLIB0009](../../../../fundamentals/syslib-diagnostics/syslib0009.md) | <xref:System.Net.AuthenticationManager> is not supported. Methods will no-op or throw <xref:System.PlatformNotSupportedException>. | Warning |
 | [SYSLIB0054](../../../../fundamentals/syslib-diagnostics/syslib0054.md) | <xref:System.Threading.Thread.VolatileRead%2A?displayProperty=nameWithType> and <xref:System.Threading.Thread.VolatileWrite%2A?displayProperty=nameWithType> are obsolete. Use <xref:System.Threading.Volatile.Read%2A?displayProperty=nameWithType> or <xref:System.Threading.Volatile.Write%2A?displayProperty=nameWithType> instead. | Warning |
 | [SYSLIB0055](../../../../fundamentals/syslib-diagnostics/syslib0055.md) | `AdvSimd.ShiftRightLogicalRoundedNarrowingSaturate*` methods with signed parameters are obsolete. Use the unsigned overloads instead. | Warning |
+| [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md) | `X509Certificate2` and `X509Certificate` constructors for binary and file content are obsolete. | Warning |
 
 ## Version introduced
 
@@ -57,6 +58,42 @@ These obsoletions can affect [source compatibility](../../categories.md#source-c
 - <xref:System.Runtime.Intrinsics.Arm.AdvSimd.ShiftRightLogicalRoundedNarrowingSaturateUpper(System.Runtime.Intrinsics.Vector64{System.Int16},System.Runtime.Intrinsics.Vector128{System.Int32},System.Byte)?displayProperty=fullName>
 - <xref:System.Runtime.Intrinsics.Arm.AdvSimd.ShiftRightLogicalRoundedNarrowingSaturateUpper(System.Runtime.Intrinsics.Vector64{System.Int32},System.Runtime.Intrinsics.Vector128{System.Int64},System.Byte)?displayProperty=fullName>
 
+### SYSLIB0057
+
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[])>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.ReadOnlySpan{System.Byte})>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.ReadOnlySpan{System.Byte},System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[])>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.Byte[])>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte})>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte})>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte},System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte},System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.String,System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.String)>
+
 ## See also
 
 - [API obsoletions with non-default diagnostic IDs (.NET 8)](../8.0/obsolete-apis-with-custom-diagnostics.md)
diff --git a/docs/core/compatibility/cryptography/9.0/evp-pkey-handle.md b/docs/core/compatibility/cryptography/9.0/evp-pkey-handle.md
@@ -0,0 +1,40 @@
+---
+title: "Breaking change: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle"
+description: Learn about the .NET 9 breaking change in cryptography where SafeEvpPKeyHandle.DuplicateHandle now increments the reference count of the EVP_PKEY handle instead of creating a new instance.
+ms.date: 08/05/2024
+---
+# SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
+
+Along with work to enable OpenSSL providers support, a change was made to the <xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle?displayProperty=nameWithType> method that impacts the <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> constructors that take a <xref:System.Security.Cryptography.SafeEvpPKeyHandle>. External modifications of the passed handle now also affect the handle stored in instances of those classes.
+
+## Previous behavior
+
+<xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle> created a new `EVP_PKEY` instance. Modifications to the duplicated key (that is, through direct calls to OpenSSL APIs) did not impact the original key. `SafeEvpPKeyHandle.DuplicateHandle` was called by the constructors of <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> that take a <xref:System.Security.Cryptography.SafeEvpPKeyHandle>.
+
+## New behavior
+
+<xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle> increments the reference count of the existing `EVP_PKEY` and returns a handle to the same key. That means external calls to OpenSSL APIs that modify `EVP_PKEY` now also affect instances of the duplicated <xref:System.Security.Cryptography.SafeEvpPKeyHandle>. Those APIs include <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> instances created from such handles.
+
+## Version introduced
+
+.NET 9 Preview 7
+
+## Type of breaking change
+
+This change is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+This change was made to enable OpenSSL providers support. As a side effect, there are also some performance improvements.
+
+## Recommended action
+
+Avoid modifications of `EVP_PKEY` passed in to .NET APIs. If you can't avoid modifications to `EVP_PKEY`, create a copy of `EVP_PKEY` yourself (that is, copy parameters into the new `EVP_PKEY` instance).
+
+## Affected APIs
+
+- <xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle?displayProperty=fullName>
+- <xref:System.Security.Cryptography.ECDsaOpenSsl.%23ctor(System.Security.Cryptography.SafeEvpPKeyHandle)>
+- <xref:System.Security.Cryptography.RSAOpenSsl.%23ctor(System.Security.Cryptography.SafeEvpPKeyHandle)>
+
+Every API that accepts an <Xref:System.Security.Cryptography.RSA> or <Xref:System.Security.Cryptography.ECDsa> instance that originates from <xref:System.Security.Cryptography.SafeEvpPKeyHandle> is also affected.
diff --git a/docs/core/compatibility/cryptography/9.0/x509-certificates.md b/docs/core/compatibility/cryptography/9.0/x509-certificates.md
@@ -0,0 +1,38 @@
+---
+title: "Some X509Certificate2 and X509Certificate constructors are obsolete"
+description: Learn about the .NET 9 breaking change in cryptography where X509Certificate2 and X509Certificate constructors for binary and file content are obsolete.
+ms.date: 08/01/2024
+---
+# Some X509Certificate2 and X509Certificate constructors are obsolete
+
+The constructors on <xref:System.Security.Cryptography.X509Certificates.X509Certificate> and <xref:System.Security.Cryptography.X509Certificates.X509Certificate2> that accept content as a `byte[]`, `ReadOnlySpan<byte>`, or a `string` file path are obsolete, starting in .NET 9. The <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import%2A> methods on X509Certificate2Collection are also obsolete. Calling them in code generates warning `SYSLIB0057` at compile time.
+
+## Previous behavior
+
+Developers could use the affected APIs without an obsolete warning.
+
+## New behavior
+
+Affected APIs will receive an obsolete compilation warning with ID [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md).
+
+## Version introduced
+
+.NET 9 Preview 7
+
+## Type of breaking change
+
+This change can affect [source compatibility](../../categories.md#source-compatibility).
+
+## Reason for change
+
+The affected APIs supported loading certificates in multiple formats. For example, `new X509Certificate2(data)` loaded a certificate from a `byte[]` called `data`. `data` could be one of any supported format, including X.509, PKCS7, or PKCS12/PFX.
+
+While this method was easy to use, it created issues where user-supplied data was passed with a different format than intended. This might allow loading PKCS12 where only X.509 content was intended to be loaded. Or it might create interoperability issues from handling the data in different ways.
+
+## Recommended action
+
+For workarounds, see [Workaround](../../../../fundamentals/syslib-diagnostics/syslib0057.md#workaround).
+
+## Affected APIs
+
+For affected APIs, see [SYSLIB0057](../../core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md#syslib0057).
diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml
@@ -34,6 +34,12 @@ items:
         href: core-libraries/9.0/getsubarray-return.md
       - name: Support for empty environment variables
         href: core-libraries/9.0/empty-env-variable.md
+    - name: Cryptography
+      items:
+      - name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
+        href: cryptography/9.0/evp-pkey-handle.md
+      - name: Some X509Certificate2 and X509Certificate constructors are obsolete
+        href: cryptography/9.0/x509-certificates.md
     - name: Networking
       items:
       - name: HttpListenerRequest.UserAgent is nullable
@@ -1400,6 +1406,12 @@ items:
       href: corefx.md
   - name: Cryptography
     items:
+    - name: .NET 9
+      items:
+      - name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
+        href: cryptography/9.0/evp-pkey-handle.md
+      - name: Some X509Certificate2 and X509Certificate constructors are obsolete
+        href: cryptography/9.0/x509-certificates.md
     - name: .NET 8
       items:
       - name: AesGcm authentication tag size on macOS
diff --git a/docs/fundamentals/syslib-diagnostics/obsoletions-overview.md b/docs/fundamentals/syslib-diagnostics/obsoletions-overview.md
@@ -2,7 +2,7 @@
 title: Obsolete features in .NET 5+
 titleSuffix: ""
 description: Learn about APIs that are marked as obsolete in .NET 5 and later versions that produce SYSLIB compiler warnings.
-ms.date: 05/09/2024
+ms.date: 08/01/2024
 ---
 
 # Obsolete features in .NET 5+
@@ -76,6 +76,7 @@ The following table provides an index to the `SYSLIB0XXX` obsoletions in .NET 5+
 | [SYSLIB0053](syslib0053.md) | Warning | <xref:System.Security.Cryptography.AesGcm> should indicate the required tag size for encryption and decryption. Use a constructor that accepts the tag size. |
 | [SYSLIB0054](syslib0054.md) | Warning | <xref:System.Threading.Thread.VolatileRead%2A?displayProperty=nameWithType> and <xref:System.Threading.Thread.VolatileWrite%2A?displayProperty=nameWithType> are obsolete. Use <xref:System.Threading.Volatile.Read%2A?displayProperty=nameWithType> or <xref:System.Threading.Volatile.Write%2A?displayProperty=nameWithType> instead. |
 | [SYSLIB0055](syslib0055.md) | Warning | `AdvSimd.ShiftRightLogicalRoundedNarrowingSaturate*` methods with signed parameters are obsolete. Use the unsigned overloads instead. |
+| [SYSLIB0057](syslib0057.md) | Warning | `X509Certificate2` and `X509Certificate` constructors for binary and file content are obsolete. |
 
 ## Suppress warnings
 
diff --git a/docs/fundamentals/syslib-diagnostics/syslib0057.md b/docs/fundamentals/syslib-diagnostics/syslib0057.md
@@ -0,0 +1,59 @@
+---
+title: SYSLIB0057 warning - X509Certificate2 and X509Certificate constructors for binary and file content are obsolete
+description: Learn about the obsoletion of some X509Certificate2 and X509Certificate constructors that generates compile-time warning SYSLIB0057.
+ms.date: 08/01/2024
+f1_keywords:
+  - SYSLIB0057
+---
+# SYSLIB0057: X509Certificate2 and X509Certificate constructors for binary and file content are obsolete
+
+The constructors on <xref:System.Security.Cryptography.X509Certificates.X509Certificate> and <xref:System.Security.Cryptography.X509Certificates.X509Certificate2> that accept content as a `byte[]`, `ReadOnlySpan<byte>`, or a `string` file path are obsolete, starting in .NET 9. The <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import%2A> methods on X509Certificate2Collection are also obsolete. Calling them in code generates warning `SYSLIB0057` at compile time.
+
+## Reason for obsoletion
+
+The affected APIs supported loading certificates in multiple formats. For example, `new X509Certificate2(data)` loaded a certificate from a `byte[]` called `data`. `data` could be one of any supported format, including X.509, PKCS7, or PKCS12/PFX.
+
+While this method was easy to use, it created issues where user-supplied data was passed with a different format than intended. This might allow loading PKCS12 where only X.509 content was intended to be loaded. Or it might create interoperability issues from handling the data in different ways.
+
+## Workaround
+
+Use a different API to load certificate content, depending on the intended content type.
+
+A new class called `X509CertificateLoader` <!--<xref:System.Security.Cryptography.X509Certificates.X509CertificateLoader>--> can be used to load X.509 or PKCS12 content:
+
+- If you're loading X.509 content, use `X509CertificateLoader.LoadCertificate` or `X509CertificateLoader.LoadCertificateFromFile`.
+- If you're loading PKCS12 content, use `X509CertificateLoader.LoadPkcs12`, `X509CertificateLoader.LoadPkcs12FromFile`, `X509CertificateLoader.LoadPkcs12Collection`, or `X509CertificateLoader.LoadPkcs12CollectionFromFile`.
+- If you're loading PKCS7 content, use <xref:System.Security.Cryptography.Pkcs.SignedCms > from the System.Security.Cryptography.Pkcs package to inspect certificates in PKCS7 content.
+- If you're uncertain about the content type you're loading, use <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.GetCertContentType%2A> to determine the content type and call the appropriate API.
+
+The [Microsoft.Bcl.Cryptography package](https://www.nuget.org/packages/Microsoft.Bcl.Cryptography/) supplies `X509CertificateLoader` for .NET Framework and .NET Standard.
+
+## Suppress a warning
+
+If you must use the obsolete APIs, you can suppress the warning in code or in your project file.
+
+To suppress only a single violation, add preprocessor directives to your source file to disable and then re-enable the warning.
+
+```csharp
+// Disable the warning.
+#pragma warning disable SYSLIB0057
+
+// Code that uses obsolete API.
+// ...
+
+// Re-enable the warning.
+#pragma warning restore SYSLIB0057
+```
+
+To suppress all the `SYSLIB0057` warnings in your project, add a `<NoWarn>` property to your project file.
+
+```xml
+<Project Sdk="Microsoft.NET.Sdk">
+  <PropertyGroup>
+   ...
+   <NoWarn>$(NoWarn);SYSLIB0057</NoWarn>
+  </PropertyGroup>
+</Project>
+```
+
+For more information, see [Suppress warnings](obsoletions-overview.md#suppress-warnings).
diff --git a/docs/navigate/tools-diagnostics/toc.yml b/docs/navigate/tools-diagnostics/toc.yml
