diff --git a/docs/core/compatibility/9.0.md b/docs/core/compatibility/9.0.md index 600b6335984c2..1d1a0aeba1b9d 100644 --- a/docs/core/compatibility/9.0.md +++ b/docs/core/compatibility/9.0.md @@ -2,7 +2,7 @@ title: Breaking changes in .NET 9 titleSuffix: "" description: Navigate to the breaking changes in .NET 9. -ms.date: 02/01/2024 +ms.date: 08/02/2024 no-loc: [Blazor, Razor, Kestrel] --- # Breaking changes in .NET 9 @@ -36,6 +36,13 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff | [RuntimeHelpers.GetSubArray returns different type](core-libraries/9.0/getsubarray-return.md) | Behavioral change | Preview 1 | | [Support for empty environment variables](core-libraries/9.0/empty-env-variable.md) | Behavioral change | Preview 6 | +## Cryptography + +| Title | Type of change | Introduced version | +|-------|----------------|--------------------| +| [SafeEvpPKeyHandle.DuplicateHandle up-refs the handle](cryptography/9.0/evp-pkey-handle.md) | Behavioral change | Preview 7 | +| [Some X509Certificate2 and X509Certificate constructors are obsolete](cryptography/9.0/x509-certificates.md) | Source incompatible | Preview 7 | + ## Networking | Title | Type of change | Introduced version | @@ -64,9 +71,9 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff ## WPF -| Title | Type of change | Introduced version | -|-----------------------------------------------------------------------------------------|---------------------|--------------------| -| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3 | +| Title | Type of change | Introduced version | +|--------------------------------------------------------------------|---------------------------------------|--------------------| +| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3 | ## See also diff --git a/docs/core/compatibility/core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md b/docs/core/compatibility/core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md index ebfccb24228aa..ff1f75f44d28d 100644 --- a/docs/core/compatibility/core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md +++ b/docs/core/compatibility/core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md @@ -2,7 +2,7 @@ title: "Breaking change: .NET 9 obsoletions with custom IDs" titleSuffix: "" description: Learn about the .NET 9 breaking change in core .NET libraries where some APIs have been marked as obsolete with a custom diagnostic ID. -ms.date: 05/09/2024 +ms.date: 08/01/2024 --- # API obsoletions with non-default diagnostic IDs (.NET 9) @@ -19,6 +19,7 @@ The following table lists the custom diagnostic IDs and their corresponding warn | [SYSLIB0009](../../../../fundamentals/syslib-diagnostics/syslib0009.md) | is not supported. Methods will no-op or throw . | Warning | | [SYSLIB0054](../../../../fundamentals/syslib-diagnostics/syslib0054.md) | and are obsolete. Use or instead. | Warning | | [SYSLIB0055](../../../../fundamentals/syslib-diagnostics/syslib0055.md) | `AdvSimd.ShiftRightLogicalRoundedNarrowingSaturate*` methods with signed parameters are obsolete. Use the unsigned overloads instead. | Warning | +| [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md) | `X509Certificate2` and `X509Certificate` constructors for binary and file content are obsolete. | Warning | ## Version introduced @@ -57,6 +58,42 @@ These obsoletions can affect [source compatibility](../../categories.md#source-c - - +### SYSLIB0057 + +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- +- + ## See also - [API obsoletions with non-default diagnostic IDs (.NET 8)](../8.0/obsolete-apis-with-custom-diagnostics.md) diff --git a/docs/core/compatibility/cryptography/9.0/evp-pkey-handle.md b/docs/core/compatibility/cryptography/9.0/evp-pkey-handle.md new file mode 100644 index 0000000000000..3d93b7d7f1f2d --- /dev/null +++ b/docs/core/compatibility/cryptography/9.0/evp-pkey-handle.md @@ -0,0 +1,40 @@ +--- +title: "Breaking change: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle" +description: Learn about the .NET 9 breaking change in cryptography where SafeEvpPKeyHandle.DuplicateHandle now increments the reference count of the EVP_PKEY handle instead of creating a new instance. +ms.date: 08/05/2024 +--- +# SafeEvpPKeyHandle.DuplicateHandle up-refs the handle + +Along with work to enable OpenSSL providers support, a change was made to the method that impacts the and constructors that take a . External modifications of the passed handle now also affect the handle stored in instances of those classes. + +## Previous behavior + + created a new `EVP_PKEY` instance. Modifications to the duplicated key (that is, through direct calls to OpenSSL APIs) did not impact the original key. `SafeEvpPKeyHandle.DuplicateHandle` was called by the constructors of and that take a . + +## New behavior + + increments the reference count of the existing `EVP_PKEY` and returns a handle to the same key. That means external calls to OpenSSL APIs that modify `EVP_PKEY` now also affect instances of the duplicated . Those APIs include and instances created from such handles. + +## Version introduced + +.NET 9 Preview 7 + +## Type of breaking change + +This change is a [behavioral change](../../categories.md#behavioral-change). + +## Reason for change + +This change was made to enable OpenSSL providers support. As a side effect, there are also some performance improvements. + +## Recommended action + +Avoid modifications of `EVP_PKEY` passed in to .NET APIs. If you can't avoid modifications to `EVP_PKEY`, create a copy of `EVP_PKEY` yourself (that is, copy parameters into the new `EVP_PKEY` instance). + +## Affected APIs + +- +- +- + +Every API that accepts an or instance that originates from is also affected. diff --git a/docs/core/compatibility/cryptography/9.0/x509-certificates.md b/docs/core/compatibility/cryptography/9.0/x509-certificates.md new file mode 100644 index 0000000000000..e8b3c31b2cab7 --- /dev/null +++ b/docs/core/compatibility/cryptography/9.0/x509-certificates.md @@ -0,0 +1,38 @@ +--- +title: "Some X509Certificate2 and X509Certificate constructors are obsolete" +description: Learn about the .NET 9 breaking change in cryptography where X509Certificate2 and X509Certificate constructors for binary and file content are obsolete. +ms.date: 08/01/2024 +--- +# Some X509Certificate2 and X509Certificate constructors are obsolete + +The constructors on and that accept content as a `byte[]`, `ReadOnlySpan`, or a `string` file path are obsolete, starting in .NET 9. The methods on X509Certificate2Collection are also obsolete. Calling them in code generates warning `SYSLIB0057` at compile time. + +## Previous behavior + +Developers could use the affected APIs without an obsolete warning. + +## New behavior + +Affected APIs will receive an obsolete compilation warning with ID [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md). + +## Version introduced + +.NET 9 Preview 7 + +## Type of breaking change + +This change can affect [source compatibility](../../categories.md#source-compatibility). + +## Reason for change + +The affected APIs supported loading certificates in multiple formats. For example, `new X509Certificate2(data)` loaded a certificate from a `byte[]` called `data`. `data` could be one of any supported format, including X.509, PKCS7, or PKCS12/PFX. + +While this method was easy to use, it created issues where user-supplied data was passed with a different format than intended. This might allow loading PKCS12 where only X.509 content was intended to be loaded. Or it might create interoperability issues from handling the data in different ways. + +## Recommended action + +For workarounds, see [Workaround](../../../../fundamentals/syslib-diagnostics/syslib0057.md#workaround). + +## Affected APIs + +For affected APIs, see [SYSLIB0057](../../core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md#syslib0057). diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml index 5b6904b294b19..c3f8e202a9349 100644 --- a/docs/core/compatibility/toc.yml +++ b/docs/core/compatibility/toc.yml @@ -34,6 +34,12 @@ items: href: core-libraries/9.0/getsubarray-return.md - name: Support for empty environment variables href: core-libraries/9.0/empty-env-variable.md + - name: Cryptography + items: + - name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle + href: cryptography/9.0/evp-pkey-handle.md + - name: Some X509Certificate2 and X509Certificate constructors are obsolete + href: cryptography/9.0/x509-certificates.md - name: Networking items: - name: HttpListenerRequest.UserAgent is nullable @@ -1400,6 +1406,12 @@ items: href: corefx.md - name: Cryptography items: + - name: .NET 9 + items: + - name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle + href: cryptography/9.0/evp-pkey-handle.md + - name: Some X509Certificate2 and X509Certificate constructors are obsolete + href: cryptography/9.0/x509-certificates.md - name: .NET 8 items: - name: AesGcm authentication tag size on macOS diff --git a/docs/fundamentals/syslib-diagnostics/obsoletions-overview.md b/docs/fundamentals/syslib-diagnostics/obsoletions-overview.md index 6201e2dbb3f1a..6cef08e71d63a 100644 --- a/docs/fundamentals/syslib-diagnostics/obsoletions-overview.md +++ b/docs/fundamentals/syslib-diagnostics/obsoletions-overview.md @@ -2,7 +2,7 @@ title: Obsolete features in .NET 5+ titleSuffix: "" description: Learn about APIs that are marked as obsolete in .NET 5 and later versions that produce SYSLIB compiler warnings. -ms.date: 05/09/2024 +ms.date: 08/01/2024 --- # Obsolete features in .NET 5+ @@ -76,6 +76,7 @@ The following table provides an index to the `SYSLIB0XXX` obsoletions in .NET 5+ | [SYSLIB0053](syslib0053.md) | Warning | should indicate the required tag size for encryption and decryption. Use a constructor that accepts the tag size. | | [SYSLIB0054](syslib0054.md) | Warning | and are obsolete. Use or instead. | | [SYSLIB0055](syslib0055.md) | Warning | `AdvSimd.ShiftRightLogicalRoundedNarrowingSaturate*` methods with signed parameters are obsolete. Use the unsigned overloads instead. | +| [SYSLIB0057](syslib0057.md) | Warning | `X509Certificate2` and `X509Certificate` constructors for binary and file content are obsolete. | ## Suppress warnings diff --git a/docs/fundamentals/syslib-diagnostics/syslib0057.md b/docs/fundamentals/syslib-diagnostics/syslib0057.md new file mode 100644 index 0000000000000..7d49aa5c0969a --- /dev/null +++ b/docs/fundamentals/syslib-diagnostics/syslib0057.md @@ -0,0 +1,59 @@ +--- +title: SYSLIB0057 warning - X509Certificate2 and X509Certificate constructors for binary and file content are obsolete +description: Learn about the obsoletion of some X509Certificate2 and X509Certificate constructors that generates compile-time warning SYSLIB0057. +ms.date: 08/01/2024 +f1_keywords: + - SYSLIB0057 +--- +# SYSLIB0057: X509Certificate2 and X509Certificate constructors for binary and file content are obsolete + +The constructors on and that accept content as a `byte[]`, `ReadOnlySpan`, or a `string` file path are obsolete, starting in .NET 9. The methods on X509Certificate2Collection are also obsolete. Calling them in code generates warning `SYSLIB0057` at compile time. + +## Reason for obsoletion + +The affected APIs supported loading certificates in multiple formats. For example, `new X509Certificate2(data)` loaded a certificate from a `byte[]` called `data`. `data` could be one of any supported format, including X.509, PKCS7, or PKCS12/PFX. + +While this method was easy to use, it created issues where user-supplied data was passed with a different format than intended. This might allow loading PKCS12 where only X.509 content was intended to be loaded. Or it might create interoperability issues from handling the data in different ways. + +## Workaround + +Use a different API to load certificate content, depending on the intended content type. + +A new class called `X509CertificateLoader` can be used to load X.509 or PKCS12 content: + +- If you're loading X.509 content, use `X509CertificateLoader.LoadCertificate` or `X509CertificateLoader.LoadCertificateFromFile`. +- If you're loading PKCS12 content, use `X509CertificateLoader.LoadPkcs12`, `X509CertificateLoader.LoadPkcs12FromFile`, `X509CertificateLoader.LoadPkcs12Collection`, or `X509CertificateLoader.LoadPkcs12CollectionFromFile`. +- If you're loading PKCS7 content, use from the System.Security.Cryptography.Pkcs package to inspect certificates in PKCS7 content. +- If you're uncertain about the content type you're loading, use to determine the content type and call the appropriate API. + +The [Microsoft.Bcl.Cryptography package](https://www.nuget.org/packages/Microsoft.Bcl.Cryptography/) supplies `X509CertificateLoader` for .NET Framework and .NET Standard. + +## Suppress a warning + +If you must use the obsolete APIs, you can suppress the warning in code or in your project file. + +To suppress only a single violation, add preprocessor directives to your source file to disable and then re-enable the warning. + +```csharp +// Disable the warning. +#pragma warning disable SYSLIB0057 + +// Code that uses obsolete API. +// ... + +// Re-enable the warning. +#pragma warning restore SYSLIB0057 +``` + +To suppress all the `SYSLIB0057` warnings in your project, add a `` property to your project file. + +```xml + + + ... + $(NoWarn);SYSLIB0057 + + +``` + +For more information, see [Suppress warnings](obsoletions-overview.md#suppress-warnings). diff --git a/docs/navigate/tools-diagnostics/toc.yml b/docs/navigate/tools-diagnostics/toc.yml index 2b688ecb761e0..df485675da45c 100644 --- a/docs/navigate/tools-diagnostics/toc.yml +++ b/docs/navigate/tools-diagnostics/toc.yml @@ -1774,6 +1774,8 @@ items: href: ../../fundamentals/syslib-diagnostics/syslib0054.md - name: SYSLIB0055 href: ../../fundamentals/syslib-diagnostics/syslib0055.md + - name: SYSLIB0057 + href: ../../fundamentals/syslib-diagnostics/syslib0057.md - name: Source-generated code items: - name: Overview