Skip to content

Respond to IL2026 warnings in DataProtection originating from EncryptedXml #47695

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
eerhardt opened this issue Apr 13, 2023 · 2 comments · Fixed by #48082
Closed

Respond to IL2026 warnings in DataProtection originating from EncryptedXml #47695

eerhardt opened this issue Apr 13, 2023 · 2 comments · Fixed by #48082
Assignees
@eerhardt
Labels
area-dataprotection Includes: DataProtection
Milestone
8.0-preview5

Comments

@eerhardt
Copy link
Member

With dotnet/runtime#84468, EncryptedXml is now marked as RequiresUnreferencedCode. This is because

The algorithm implementations referenced in the XML payload might be removed. Ensure the required algorithm implementations are preserved in your application.

From discussion in #47410 (comment), we should:

  1. Figure out the list of commonly used crypto algorithms used by DataProtection, and add [DynamicDependency] attributes for them.
  2. We also add some trimming/aot tests to ensure DataProtection works correctly when trimmed.
  3. DataProtection then suppresses the warnings coming from System.Security.Cryptography.Xml
@eerhardt eerhardt added the area-dataprotection Includes: DataProtection label Apr 13, 2023
@eerhardt eerhardt added this to the 8.0-preview5 milestone Apr 13, 2023
eerhardt added a commit that referenced this issue Apr 13, 2023
@eerhardt
Suppress warnings in DataProtection
896bd02 
Tracked with #47695
dotnet-maestro bot added a commit that referenced this issue Apr 13, 2023
@dotnet-maestro
[main] Update dependencies from dotnet/runtime (#47693)
865508e 
[main] Update dependencies from dotnet/runtime


 - Suppress warnings in DataProtection

Tracked with #47695

 - Update docker image used to bulid RPM installers

 - add util-linux for useradd

 - also add shadow-utils

 - add awk

 - Add more dependencies. Remove scl enable

 - Add missing dependencies

 - Cleanup dependencies

 - More cleanup
@blowdart
Copy link
Contributor

Good luck :)

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/default-settings?view=aspnetcore-7.0

So the defaults are AES-256-CBC and HMACSHA256 however EncryptedXml is nicely flexible, so any hmac and any symmetric key algorithm is possible.

What you probably want as a starting point is anything that can be configured with the easy access settings,

https://learn.microsoft.com/en-us/aspnet/core/security/data-protection/configuration/overview?view=aspnetcore-7.0#changing-algorithms-with-usecryptographicalgorithms

Which ends up being https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.authenticatedencryption.configurationmodel.authenticatedencryptorconfiguration?view=aspnetcore-7.0

For encryption it's only AES without a bunch of work,

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.authenticatedencryption.encryptionalgorithm?view=aspnetcore-7.0

For validation it's only HMAC256 and HMAC512

https://learn.microsoft.com/en-us/dotnet/api/microsoft.aspnetcore.dataprotection.authenticatedencryption.validationalgorithm?view=aspnetcore-7.0

@eerhardt
Copy link
Member Author

Note: when doing this work, we should remove the RequiresUnreferencedCode attribute that was added to AddAuthentication() in #47663.

aspnetcore/src/Security/Authentication/Core/src/AuthenticationServiceCollectionExtensions.cs

Lines 20 to 21 in 5807400

[RequiresUnreferencedCode("Authentication middleware does not currently support native AOT.", Url = "https://aka.ms/aspnet/nativeaot")]
public static AuthenticationBuilder AddAuthentication(this IServiceCollection services)

@eerhardt eerhardt self-assigned this Apr 28, 2023
eerhardt added a commit to eerhardt/aspnetcore that referenced this issue May 4, 2023
@eerhardt
Ensure DataProtection can be used in trimmed apps.
8c63acb 
Fix dotnet#47695
@eerhardt eerhardt mentioned this issue May 5, 2023
Merged
eerhardt added a commit that referenced this issue May 13, 2023
@eerhardt
Ensure DataProtection can be used in trimmed apps. (#48082)
3ff3207 
* Add a DynamicDependency to ensure Aes decryption works in EncryptedXmlDecryptor
* Suppress the warnings from EncryptedXml
* Add trimming tests to ensure these scenarios work correctly.
* Remove the RequiresUnreferencedCode attribute on AddAuthentication, since this is the only thing in that method that has warnings.

Fix #47695

* Fix parallel build to not copy files to the same destination
@ghost ghost locked as resolved and limited conversation to collaborators Jun 12, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@eerhardt eerhardt

Labels
area-dataprotection Includes: DataProtection
Projects
None yet
Milestone
8.0-preview5
Development

Successfully merging a pull request may close this issue.

Ensure DataProtection can be used in trimmed apps. eerhardt/aspnetcore
2 participants
@blowdart @eerhardt