-
Notifications
You must be signed in to change notification settings - Fork 4.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[release/9.0] Make SafeEvpPKeyHandle.OpenKeyFromProvider throw PNSE on OSSL less than 3.0 #106753
Conversation
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I support merging this into 9.0 RC2; it's related to new feature work in .NET 9.
@ericstj -- can you review too please for acceptance into 9.0?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Makes sense. We have to fix this now, doing later is more breaking. You may still want to document the breaking change compared to RC1 since the exception type does change.
Marking as NO-MERGE until I figure out #106794 since we don't want test failures on official builds (this is most likely a test issue which happens sometimes on osx builds) |
I've incorporated the fix from #106804 into this PR, note that was test only fix. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
M2 approved
Backport of #106397 to release/9.0 (There is also identical opened against RC1 - only one should be merged depending on how/if this gets approved)
/cc @krwq
Customer Impact
Improves error message and exception type from CryptographicException with cryptic message to PlatformNotSupportedException with actionable error message when feature is not available when running against OpenSSL <= 1.1.1. Feature was introduced in Preview 7.
Additionally it fixes test failures when running manual tests against OpenSSL 1.1.1 when feature is not available.
This isn't particularly blocking for customers but it does improve user experience when running against low versions of OpenSSL. Changing this in just .NET 10 would change exception type and be potentially breaking.
Regression
Testing
Testing against different versions of OpenSSL - change adds a test case but it's not currently exercised in CIs which runs only against OpenSSL >= 3.0
Risk
Low. This only adds a single out bool flag in the native and interop layer which allows for proper feature detection and throwing better exception message. The remainder of the change improves test coverage and fixes test issues when running against OpenSSL 1.1.1 (some tests require specific setup with TPM so are not running against CI, some other are automated).