Merge main into live

docs/core/compatibility/9.0.md

@@ -2,7 +2,7 @@
 title: Breaking changes in .NET 9
 titleSuffix: ""
 description: Navigate to the breaking changes in .NET 9.
-ms.date: 02/01/2024
+ms.date: 08/02/2024
 no-loc: [Blazor, Razor, Kestrel]
 ---
 # Breaking changes in .NET 9
@@ -20,6 +20,7 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 | Title                                                                                    | Type of change      | Introduced version |
 |------------------------------------------------------------------------------------------|---------------------|--------------------|
 | [DefaultKeyResolution.ShouldGenerateNewKey has altered meaning](aspnet-core/9.0/key-resolution.md) | Behavioral change | Preview 3  |
+| [HostBuilder enables ValidateOnBuild/ValidateScopes in development environment](aspnet-core/9.0/hostbuilder-validation.md) | Behavioral change | Preview 7  |
 
 ## Core .NET libraries
 
@@ -35,6 +36,13 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 | [RuntimeHelpers.GetSubArray returns different type](core-libraries/9.0/getsubarray-return.md) | Behavioral change   | Preview 1          |
 | [Support for empty environment variables](core-libraries/9.0/empty-env-variable.md) | Behavioral change   | Preview 6          |
 
+## Cryptography
+
+| Title | Type of change | Introduced version |
+|-------|----------------|--------------------|
+| [SafeEvpPKeyHandle.DuplicateHandle up-refs the handle](cryptography/9.0/evp-pkey-handle.md) | Behavioral change | Preview 7 |
+| [Some X509Certificate2 and X509Certificate constructors are obsolete](cryptography/9.0/x509-certificates.md) | Source incompatible | Preview 7 |
+
 ## Networking
 
 | Title                                                                             | Type of change      | Introduced version |
@@ -63,9 +71,9 @@ If you're migrating an app to .NET 9, the breaking changes listed here might aff
 
 ## WPF
 
-| Title                                                                                   | Type of change      | Introduced version |
-|-----------------------------------------------------------------------------------------|---------------------|--------------------|
-| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3 |
+| Title                                                              | Type of change                        | Introduced version |
+|--------------------------------------------------------------------|---------------------------------------|--------------------|
+| [`GetXmlNamespaceMaps` type change](wpf/9.0/xml-namespace-maps.md) | Behavioral change/Source incompatible | Preview 3          |
 
 ## See also
 

docs/core/compatibility/aspnet-core/9.0/hostbuilder-validation.md

@@ -0,0 +1,37 @@
+---
+title: "Breaking change: HostBuilder enables ValidateOnBuild/ValidateScopes in development environment"
+description: Learn about the breaking change in .NET 9 where HostBuilder now enables ValidateOnBuild and ValidateScopes in the development environment.
+ms.date: 08/05/2024
+---
+# HostBuilder enables ValidateOnBuild/ValidateScopes in development environment
+
+Previously, no validation was enabled by default. Now, in the [development environment](/aspnet/core/fundamentals/environments), <xref:Microsoft.Extensions.DependencyInjection.ServiceProviderOptions.ValidateOnBuild> and <xref:Microsoft.Extensions.DependencyInjection.ServiceProviderOptions.ValidateScopes> are enabled.
+
+## Version introduced
+
+.NET 9 Preview 7
+
+## Previous behavior
+
+<xref:Microsoft.Extensions.DependencyInjection.ServiceProviderOptions.ValidateOnBuild> and <xref:Microsoft.Extensions.DependencyInjection.ServiceProviderOptions.ValidateScopes> defaulted to `false` and were only enabled when they were explicitly set by calling <xref:Microsoft.AspNetCore.Hosting.WebHostBuilderExtensions.UseDefaultServiceProvider%2A>.
+
+## New behavior
+
+In the [development environment](/aspnet/core/fundamentals/environments) when options haven't been set with <xref:Microsoft.AspNetCore.Hosting.WebHostBuilderExtensions.UseDefaultServiceProvider%2A>, <xref:Microsoft.Extensions.DependencyInjection.ServiceProviderOptions.ValidateOnBuild> and <xref:Microsoft.Extensions.DependencyInjection.ServiceProviderOptions.ValidateScopes> are set to `true`.
+
+## Type of breaking change
+
+This change is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+Validation helps to catch problems early in application startup rather than later (or not at all) when the application interacts with its service provider.
+
+## Recommended action
+
+No action necessary if your application validates successfully. If you do see a validation error when testing in development, first try to fix it. If you can't fix it, you can disable validation by calling <xref:Microsoft.AspNetCore.Hosting.WebHostBuilderExtensions.UseDefaultServiceProvider%2A>.
+
+## Affected APIs
+
+- <xref:Microsoft.Extensions.Hosting.HostBuilder>
+- <xref:Microsoft.Extensions.Hosting.HostBuilder.Build>

docs/core/compatibility/core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md

@@ -2,7 +2,7 @@
 title: "Breaking change: .NET 9 obsoletions with custom IDs"
 titleSuffix: ""
 description: Learn about the .NET 9 breaking change in core .NET libraries where some APIs have been marked as obsolete with a custom diagnostic ID.
-ms.date: 05/09/2024
+ms.date: 08/01/2024
 ---
 # API obsoletions with non-default diagnostic IDs (.NET 9)
 
@@ -19,6 +19,7 @@ The following table lists the custom diagnostic IDs and their corresponding warn
 | [SYSLIB0009](../../../../fundamentals/syslib-diagnostics/syslib0009.md) | <xref:System.Net.AuthenticationManager> is not supported. Methods will no-op or throw <xref:System.PlatformNotSupportedException>. | Warning |
 | [SYSLIB0054](../../../../fundamentals/syslib-diagnostics/syslib0054.md) | <xref:System.Threading.Thread.VolatileRead%2A?displayProperty=nameWithType> and <xref:System.Threading.Thread.VolatileWrite%2A?displayProperty=nameWithType> are obsolete. Use <xref:System.Threading.Volatile.Read%2A?displayProperty=nameWithType> or <xref:System.Threading.Volatile.Write%2A?displayProperty=nameWithType> instead. | Warning |
 | [SYSLIB0055](../../../../fundamentals/syslib-diagnostics/syslib0055.md) | `AdvSimd.ShiftRightLogicalRoundedNarrowingSaturate*` methods with signed parameters are obsolete. Use the unsigned overloads instead. | Warning |
+| [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md) | `X509Certificate2` and `X509Certificate` constructors for binary and file content are obsolete. | Warning |
 
 ## Version introduced
 
@@ -57,6 +58,42 @@ These obsoletions can affect [source compatibility](../../categories.md#source-c
 - <xref:System.Runtime.Intrinsics.Arm.AdvSimd.ShiftRightLogicalRoundedNarrowingSaturateUpper(System.Runtime.Intrinsics.Vector64{System.Int16},System.Runtime.Intrinsics.Vector128{System.Int32},System.Byte)?displayProperty=fullName>
 - <xref:System.Runtime.Intrinsics.Arm.AdvSimd.ShiftRightLogicalRoundedNarrowingSaturateUpper(System.Runtime.Intrinsics.Vector64{System.Int32},System.Runtime.Intrinsics.Vector128{System.Int64},System.Byte)?displayProperty=fullName>
 
+### SYSLIB0057
+
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[])>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.ReadOnlySpan{System.Byte})>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.ReadOnlySpan{System.Byte},System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[])>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.Security.SecureString)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.Security.SecureString,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.%23ctor(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.Byte[])>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte})>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte})>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.Byte[],System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte},System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.ReadOnlySpan{System.Byte},System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.String,System.ReadOnlySpan{System.Char},System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import(System.String,System.String,System.Security.Cryptography.X509Certificates.X509KeyStorageFlags)>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.CreateFromSignedFile(System.String)>
+
 ## See also
 
 - [API obsoletions with non-default diagnostic IDs (.NET 8)](../8.0/obsolete-apis-with-custom-diagnostics.md)

docs/core/compatibility/cryptography/9.0/evp-pkey-handle.md

@@ -0,0 +1,40 @@
+---
+title: "Breaking change: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle"
+description: Learn about the .NET 9 breaking change in cryptography where SafeEvpPKeyHandle.DuplicateHandle now increments the reference count of the EVP_PKEY handle instead of creating a new instance.
+ms.date: 08/05/2024
+---
+# SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
+
+Along with work to enable OpenSSL providers support, a change was made to the <xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle?displayProperty=nameWithType> method that impacts the <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> constructors that take a <xref:System.Security.Cryptography.SafeEvpPKeyHandle>. External modifications of the passed handle now also affect the handle stored in instances of those classes.
+
+## Previous behavior
+
+<xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle> created a new `EVP_PKEY` instance. Modifications to the duplicated key (that is, through direct calls to OpenSSL APIs) did not impact the original key. `SafeEvpPKeyHandle.DuplicateHandle` was called by the constructors of <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> that take a <xref:System.Security.Cryptography.SafeEvpPKeyHandle>.
+
+## New behavior
+
+<xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle> increments the reference count of the existing `EVP_PKEY` and returns a handle to the same key. That means external calls to OpenSSL APIs that modify `EVP_PKEY` now also affect instances of the duplicated <xref:System.Security.Cryptography.SafeEvpPKeyHandle>. Those APIs include <xref:System.Security.Cryptography.ECDsaOpenSsl> and <xref:System.Security.Cryptography.RSAOpenSsl> instances created from such handles.
+
+## Version introduced
+
+.NET 9 Preview 7
+
+## Type of breaking change
+
+This change is a [behavioral change](../../categories.md#behavioral-change).
+
+## Reason for change
+
+This change was made to enable OpenSSL providers support. As a side effect, there are also some performance improvements.
+
+## Recommended action
+
+Avoid modifications of `EVP_PKEY` passed in to .NET APIs. If you can't avoid modifications to `EVP_PKEY`, create a copy of `EVP_PKEY` yourself (that is, copy parameters into the new `EVP_PKEY` instance).
+
+## Affected APIs
+
+- <xref:System.Security.Cryptography.SafeEvpPKeyHandle.DuplicateHandle?displayProperty=fullName>
+- <xref:System.Security.Cryptography.ECDsaOpenSsl.%23ctor(System.Security.Cryptography.SafeEvpPKeyHandle)>
+- <xref:System.Security.Cryptography.RSAOpenSsl.%23ctor(System.Security.Cryptography.SafeEvpPKeyHandle)>
+
+Every API that accepts an <Xref:System.Security.Cryptography.RSA> or <Xref:System.Security.Cryptography.ECDsa> instance that originates from <xref:System.Security.Cryptography.SafeEvpPKeyHandle> is also affected.

docs/core/compatibility/cryptography/9.0/x509-certificates.md

@@ -0,0 +1,38 @@
+---
+title: "Some X509Certificate2 and X509Certificate constructors are obsolete"
+description: Learn about the .NET 9 breaking change in cryptography where X509Certificate2 and X509Certificate constructors for binary and file content are obsolete.
+ms.date: 08/01/2024
+---
+# Some X509Certificate2 and X509Certificate constructors are obsolete
+
+The constructors on <xref:System.Security.Cryptography.X509Certificates.X509Certificate> and <xref:System.Security.Cryptography.X509Certificates.X509Certificate2> that accept content as a `byte[]`, `ReadOnlySpan<byte>`, or a `string` file path are obsolete, starting in .NET 9. The <xref:System.Security.Cryptography.X509Certificates.X509Certificate2Collection.Import%2A> methods on X509Certificate2Collection are also obsolete. Calling them in code generates warning `SYSLIB0057` at compile time.
+
+## Previous behavior
+
+Developers could use the affected APIs without an obsolete warning.
+
+## New behavior
+
+Affected APIs will receive an obsolete compilation warning with ID [SYSLIB0057](../../../../fundamentals/syslib-diagnostics/syslib0057.md).
+
+## Version introduced
+
+.NET 9 Preview 7
+
+## Type of breaking change
+
+This change can affect [source compatibility](../../categories.md#source-compatibility).
+
+## Reason for change
+
+The affected APIs supported loading certificates in multiple formats. For example, `new X509Certificate2(data)` loaded a certificate from a `byte[]` called `data`. `data` could be one of any supported format, including X.509, PKCS7, or PKCS12/PFX.
+
+While this method was easy to use, it created issues where user-supplied data was passed with a different format than intended. This might allow loading PKCS12 where only X.509 content was intended to be loaded. Or it might create interoperability issues from handling the data in different ways.
+
+## Recommended action
+
+For workarounds, see [Workaround](../../../../fundamentals/syslib-diagnostics/syslib0057.md#workaround).
+
+## Affected APIs
+
+For affected APIs, see [SYSLIB0057](../../core-libraries/9.0/obsolete-apis-with-custom-diagnostics.md#syslib0057).

docs/core/compatibility/toc.yml

@@ -12,6 +12,8 @@ items:
       items:
       - name: DefaultKeyResolution.ShouldGenerateNewKey has altered meaning
         href: aspnet-core/9.0/key-resolution.md
+      - name: HostBuilder enables ValidateOnBuild/ValidateScopes in development environment
+        href: aspnet-core/9.0/hostbuilder-validation.md
     - name: Core .NET libraries
       items:
       - name: Adding a ZipArchiveEntry sets header general-purpose bit flags
@@ -32,6 +34,12 @@ items:
         href: core-libraries/9.0/getsubarray-return.md
       - name: Support for empty environment variables
         href: core-libraries/9.0/empty-env-variable.md
+    - name: Cryptography
+      items:
+      - name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
+        href: cryptography/9.0/evp-pkey-handle.md
+      - name: Some X509Certificate2 and X509Certificate constructors are obsolete
+        href: cryptography/9.0/x509-certificates.md
     - name: Networking
       items:
       - name: HttpListenerRequest.UserAgent is nullable
@@ -958,6 +966,8 @@ items:
       items:
       - name: DefaultKeyResolution.ShouldGenerateNewKey has altered meaning
         href: aspnet-core/9.0/key-resolution.md
+      - name: HostBuilder enables ValidateOnBuild/ValidateScopes in development environment
+        href: aspnet-core/9.0/hostbuilder-validation.md
     - name: .NET 8
       items:
       - name: ConcurrencyLimiterMiddleware is obsolete
@@ -1396,6 +1406,12 @@ items:
       href: corefx.md
   - name: Cryptography
     items:
+    - name: .NET 9
+      items:
+      - name: SafeEvpPKeyHandle.DuplicateHandle up-refs the handle
+        href: cryptography/9.0/evp-pkey-handle.md
+      - name: Some X509Certificate2 and X509Certificate constructors are obsolete
+        href: cryptography/9.0/x509-certificates.md
     - name: .NET 8
       items:
       - name: AesGcm authentication tag size on macOS

docs/fundamentals/runtime-libraries/system-data-datacolumn-expression.md

@@ -132,7 +132,6 @@ When you create comparison expressions, the following operators are allowed:
 - \>
 - \<=
 - \>=
-- \>
 - =
 - `IN`
 - `LIKE`