Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Obsolete HMACSHA1 constructor with useManagedSha1 #53875

Closed
vcsjones opened this issue Jun 8, 2021 · 7 comments · Fixed by #54886
Closed

Obsolete HMACSHA1 constructor with useManagedSha1 #53875

vcsjones opened this issue Jun 8, 2021 · 7 comments · Fixed by #54886
Assignees
@vcsjones
Labels
api-approved API was approved in API review, it can be implemented area-System.Security
Milestone
6.0.0

Comments

@vcsjones
Copy link
Member

vcsjones commented Jun 8, 2021
edited
Loading

Background and Motivation

HMACSHA1 has a constructor that the other HMACSHA2/MD5 classes don't, which is to accept a boolean indicating if SHA1Managed should be used as the underlying hash. As of .NET Core, the HMAC implementations are not managed themselves anymore, but instead defer to the platform. As such the useManagedSha1 parameter is ignored.

Proposed API

namespace System.Security.Cryptography {
    public class HMACSHA1 : HMAC {
+       [Obsolete("HMACSHA1 always uses the algorithm implementation provided by the platform. Use the constructor without the useManagedSha1 parameter.")]
        [EditorBrowsable(EditorBrowsableState.Never)]
        public HMACSHA1(byte[] key, bool useManagedSha1);
    }

    public class HMACSHA384 : HMAC {
+       [Obsolete("Producing legacy HMAC values is no longer supported.")]
        public bool ProduceLegacyHmacValues { get; set; }
    }

    public class HMACSHA512 : HMAC {
+       [Obsolete("Producing legacy HMAC values is no longer supported.")]
        public bool ProduceLegacyHmacValues { get; set; }
    }
}

An analyzer could be made to update call sites to change simple invocations of the constructor like new HMACSHA1(key_expression, false) and new HMACSHA1(key_expression, true) to new HMACSHA1(key_expression).
@vcsjones vcsjones added the api-suggestion Early API idea and discussion, it is NOT ready for implementation label Jun 8, 2021
@dotnet-issue-labeler dotnet-issue-labeler bot added area-System.Security untriaged New issue has not been triaged by the area owner labels Jun 8, 2021
@ghost
Copy link

ghost commented Jun 8, 2021

Tagging subscribers to this area: @bartonjs, @vcsjones, @krwq, @GrabYourPitchforks
See info in area-owners.md if you want to be subscribed.

Issue Details

Background and Motivation

HMACSHA1 has a constructor that the other HMACSHA2/MD5 classes don't, which is to accept a boolean indicating if SHA1Managed should be used as the underlying hash. As of .NET Core, the HMAC implementations are not managed themselves anymore, but instead defer to the platform. As such the useManagedSha1 parameter is ignored.

Proposed API

namespace System.Security.Cryptography {
    public class HMACSHA1 : HMAC {
+       [Obsolete("HMACSHA1 always uses the algorithm implementation provided by the platform. Use the constructor without the useManagedSha1 parameter.")]
        [EditorBrowsable(EditorBrowsableState.Never)]
        public HMACSHA1(byte[] key, bool useManagedSha1);
    }
}

An analyzer could be made to update call sites to change simple invocations of the constructor like new HMACSHA1(key_expression, false) and new HMACSHA1(key_expression, true) to new HMACSHA1(key_expression).

Author: vcsjones
Assignees: -
Labels:

api-suggestion, area-System.Security, untriaged
Milestone: -

@bartonjs bartonjs added api-ready-for-review API is ready for review, it is NOT ready for implementation and removed api-suggestion Early API idea and discussion, it is NOT ready for implementation untriaged New issue has not been triaged by the area owner labels Jun 8, 2021
@bartonjs bartonjs added this to the 6.0.0 milestone Jun 8, 2021
@GrabYourPitchforks
Copy link
Member

Can we also use this opportunity to obsolete HMACSHA512.ProduceLegacyHmacValues? The property setter throws in .NET Core.

@vcsjones
Copy link
Member Author

Can we also use this opportunity to obsolete HMACSHA512.ProduceLegacyHmacValues? The property setter throws in .NET Core.

Makes sense. I updated the proposal. Maybe it makes more sense for the obsolete to just be on the setter, but I opted to do the whole property since any application that is getting the value and perhaps making a decision from the getter might need to be updated.

@bartonjs
Copy link
Member

bartonjs commented Jun 15, 2021
edited by dotnet-api-review bot
Loading

Video

Looks good as proposed.

  • Use a new ID for HMACSHA1..ctor
  • Use a different new ID for all the ProduceLegacyHmacValues properties.
    • Double check that HMACSHA256 doesn't have one, too.
namespace System.Security.Cryptography {
    public class HMACSHA1 : HMAC {
+       [Obsolete("HMACSHA1 always uses the algorithm implementation provided by the platform. Use the constructor without the useManagedSha1 parameter.")]
        [EditorBrowsable(EditorBrowsableState.Never)]
        public HMACSHA1(byte[] key, bool useManagedSha1);
    }

    public class HMACSHA384 : HMAC {
+       [Obsolete("Producing legacy HMAC values is no longer supported.")]
        public bool ProduceLegacyHmacValues { get; set; }
    }

    public class HMACSHA512 : HMAC {
+       [Obsolete("Producing legacy HMAC values is no longer supported.")]
        public bool ProduceLegacyHmacValues { get; set; }
    }
}

@bartonjs bartonjs added api-approved API was approved in API review, it can be implemented and removed api-ready-for-review API is ready for review, it is NOT ready for implementation labels Jun 15, 2021
@vcsjones
Copy link
Member Author

Double check that HMACSHA256 doesn't have one, too.

It does not; only HMACs with a 1024-bit block size had the particular bug in .NET Framework that resulted in these compatibility properties.

@GrabYourPitchforks
Copy link
Member

@vcsjones Did you want this assigned to you?

@vcsjones vcsjones self-assigned this Jun 15, 2021
@vcsjones
Copy link
Member Author

@GrabYourPitchforks I can at least do that much now :-). Will start this one after the X.509 obsoletions.

@vcsjones vcsjones mentioned this issue Jun 29, 2021
Merged
@ghost ghost added the in-pr There is an active PR which will close this issue when it is merged label Jun 29, 2021
@ghost ghost removed the in-pr There is an active PR which will close this issue when it is merged label Jul 7, 2021
@ghost ghost locked as resolved and limited conversation to collaborators Aug 6, 2021
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees

@vcsjones vcsjones

Labels
api-approved API was approved in API review, it can be implemented area-System.Security
Projects
None yet
Milestone
6.0.0
Development

Successfully merging a pull request may close this issue.

Obsolete useManagedSha1 and ProduceLegacyHmacValues vcsjones/runtime
3 participants
@vcsjones @GrabYourPitchforks @bartonjs