Closed
Labels: Epic (Groups multiple user stories. Can be grouped under a theme.), Priority:2 (Work that is important, but not critical for the release), Team:Libraries, area-System.Security
Description
This issue captures the planned work for .NET 7. This list is expected to change throughout the release cycle according to ongoing planning and discussions, with possible additions and subtractions to the scope.
Summary
We will add Browser/WASM support for common cryptography algorithms, continue the effort of removing BinaryFormatter from .NET, add COSE support, and address common pitfalls across the Security APIs. We will finish the effort for OpenSSL 3.0 integration. We will explore OCSP stapling support.
This is an ambitious set of work. We will review this list to prioritize the items and determine which need to be moved beyond .NET 7.
Planned for .NET 7
- Developers targeting browser-wasm can use Web Crypto APIs #40074
- COSE (Encryption is scheduled for Future, but all else is planned for .NET 7)
- OCSP stapling support can be used to optimize TLS connections #33377
- X509 certificates can be easily found by target hostname #59870
- Make it safer and easier to build an X500DistinguishedName #44738
- Provide a way to load a CertificateRequest from a byte[] #29547
- API Proposal: X509AuthorityKeyIdentifierExtension #50488
Quality
- Merge all of the inbox S.S.C.* libraries into one #55690
- System.Security.Cryptography libraries should conform to interop guidelines #51564
- Test failure: System.Security.Cryptography.X509Certificates.Tests.RevocationTests.DynamicRevocationTests.NothingRevoked #734
- Annotate unsupported APIs in System.Security.* #50528
- Revisit the OpenSSL interop exception model #55973
- Possible memory leak in ECDiffieHellmanOpenSsl #57528
- Memory usage when using Mailkit in containers #57213
- [macOS-arm64] CoreCLR System.Security.Cryptography.OpenSsl.Tests fail on M1 Helix queues #49083
- Excessive memory usage while working with X509Certificate (Linux, NET 5 and NET Core 3.1). #55672
Backlog (roughly in priority order)
Features
- Master tracking issue for removing BinaryFormatter usage from dotnet libs #39287
- openssl 3.0 support #46526
- Add an easier way of opening named keys via OpenSSL #55356
- Add Marvin32 to System.IO.Hashing #68616
Quality
- new X509Certificate2(byte[]) should return the signing cert for PKCS#7 on Unix #15073
- Performance improvements for SymmetricAlgorithm one-shots #55601
- Test failure:System.Security.Cryptography.X509Certificates.Tests.ChainTests.BuildInvalidSignatureTwice #57187
- Expired self-issued certificate has different chain building status on Linux #48794
- [Android] Out of memory crashes in System.Security.Cryptography and System.IO.Pipelines.Tests tests #62547
- System.Security.Principal.Windows outerloop tests fail if run as non-admin #58207
- System.Security.Cryptography.X509Certificates.Tests crashing on Mariner OS #57810
- [API Proposal]: Obsolete Rfc2898DeriveBytes constructors with unsafe defaults #57046
- Crypto and Networking tests failing on Linux Mariner when running on Mono. #57506
- X509Chain is not consistent with NotValidForUsage between Windows and Linux #31246
- X509Chain.Build() fails to return valid certificate chain on Linux (openssl) if CA store contains expired certificate for CA, even if store contains valid cross-signed certificate for the same CA #43884
- System.Security.Cryptography.Pkcs.ContentInfo loads all data into memory #47410
- certificates added to user CertificateAuthority store are ignored by X509Chain.Build on macOS #48207