Skip to content

Implement HKDF with CryptoKit on Apple #119998

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 15 commits into from
Sep 25, 2025
Merged

Implement HKDF with CryptoKit on Apple #119998

merged 15 commits into from
Sep 25, 2025

Conversation

vcsjones
Copy link
Member

CryptoKit has a native HKDF implementation. For platforms where CryptoKit HKDF is available, this implements the HKDF algorithm using CryptoKit. On platforms where CryptoKit HKDF is not available (< iOS 14) the managed fallback is used.

There was also a notable lack any tests for MD5, SHA-384, and SHA-512. The entire HKDF test suite would pass even if I did not implement those algorithms at all. So lets create some tests while we are here.

@Copilot Copilot AI review requested due to automatic review settings September 23, 2025 14:58
@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Copilot
Copilot AI reviewed Sep 23, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements native HKDF (HMAC-based Key Derivation Function) support on Apple platforms using CryptoKit. The implementation provides better performance by leveraging Apple's native cryptographic libraries when available (iOS 14+, tvOS 14+, macOS, Mac Catalyst), while falling back to the existing managed implementation on older platforms.

Key changes:

  • Added native CryptoKit HKDF implementation with platform detection
  • Enhanced test coverage for previously untested hash algorithms (MD5, SHA-384, SHA-512)
  • Refactored shared code by extracting hash algorithm mapping utility

Reviewed Changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated 16 comments.

Show a summary per file
File Description
pal_swiftbindings.swift Implements HKDF extract, expand, and derive operations using CryptoKit
pal_swiftbindings.h Declares native function entry points for HKDF operations
entrypoints.c Registers HKDF native functions for P/Invoke
HKDFTests.cs Adds comprehensive test cases for MD5, SHA-384, and SHA-512 algorithms
HKDF.cs Fixes documentation comment parameter reference
HKDF.Apple.cs Provides Apple-specific HKDF implementation with platform detection and fallback
System.Security.Cryptography.csproj Updates project file to include Apple HKDF implementation
Interop.RSA.cs Removes duplicate hash algorithm mapping function
Interop.PAL_HashAlgorithm.cs Centralizes hash algorithm mapping utility function
Interop.HKDF.cs Provides managed wrapper for native HKDF P/Invoke calls

vcsjones and others added 2 commits September 23, 2025 11:05
@vcsjones
Add explicit return since Copilot wants it
ed73036
@vcsjones @Copilot
Fix typos.
30d5f6c 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@vcsjones
Copy link
Member Author

Hum. CoreCLR passed, Mono failed.

@build-analysis build-analysis bot mentioned this pull request Sep 23, 2025
Open
@vcsjones
Copy link
Member Author

Hum. CoreCLR passed, Mono failed.

Of course I cannot reproduce it...

@vcsjones vcsjones added the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Sep 24, 2025
@vcsjones vcsjones marked this pull request as draft September 24, 2025 21:37
@vcsjones
Copy link
Member Author

Draft / NO-MERGE because this has debugging logs for CI since issue cannot be reproduced locally.

This was referenced Sep 25, 2025
Open
Open
@vcsjones vcsjones changed the title Implement HKDF on with CryptoKit on Apple Implement HKDF with CryptoKit on Apple Sep 25, 2025
@bartonjs bartonjs self-requested a review September 25, 2025 17:02
@vcsjones vcsjones marked this pull request as ready for review September 25, 2025 18:24
@vcsjones vcsjones removed the NO-MERGE The PR is not ready for merge yet (see discussion for detailed reasons) label Sep 25, 2025
@vcsjones vcsjones merged commit bb9df87 into dotnet:main Sep 25, 2025
101 of 103 checks passed
@vcsjones vcsjones deleted the hkdf-cryptokit branch September 25, 2025 22:05
@vcsjones vcsjones added this to the 11.0.0 milestone Sep 25, 2025
@vcsjones vcsjones added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Sep 25, 2025
@vcsjones vcsjones mentioned this pull request Sep 26, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@bartonjs bartonjs bartonjs approved these changes

Copilot code review Copilot Copilot left review comments

Assignees

@vcsjones vcsjones

Labels
area-System.Security cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release.
Projects
None yet
Milestone
11.0.0
Development

Successfully merging this pull request may close these issues.
2 participants
@vcsjones @bartonjs