Skip to content

Bring up Windows HKDF with CNG #120310

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 7 commits into from
Oct 2, 2025
Merged

Bring up Windows HKDF with CNG #120310

merged 7 commits into from
Oct 2, 2025
+244 −2

Conversation

vcsjones
Copy link
Member

@vcsjones vcsjones commented Oct 1, 2025

This implements HKDF on top of Windows CNG for DeriveKey and Expand.

Windows support is a little limited. Particularly:

  1. Extract is not clearly defined on how to accomplish this, so Extract remains implemented by managed code.
  2. CNG will not permit HKDF with MD5. When MD5 is specified, we fall back to managed.
  3. Requires Windows 10 1803 or later.

@Copilot Copilot AI review requested due to automatic review settings October 1, 2025 21:31
Copilot
Copilot AI reviewed Oct 1, 2025
View reviewed changes
Copy link
Contributor

@Copilot Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR implements HKDF (HMAC-based Key Derivation Function) support on Windows using the CNG (Cryptography Next Generation) API, providing a native Windows implementation for better performance. The implementation includes fallbacks to managed code for unsupported scenarios and algorithms.

  • Adds native Windows CNG implementation for HKDF DeriveKey and Expand operations
  • Maintains managed code fallback for Extract operation and MD5 hash algorithm
  • Requires Windows 10 version 1803 or later for CNG support

Reviewed Changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.

Show a summary per file
File Description
System/Security/Cryptography/HKDF.Windows.cs New Windows-specific HKDF implementation using CNG APIs with fallback logic
System.Security.Cryptography.csproj Updated project file to include Windows HKDF implementation instead of managed-only version
Interop.Blobs.cs Added KDF_HKDF_INFO buffer descriptor constant for HKDF info parameter
Interop.BCryptAlgPseudoHandle.cs Added BCRYPT_HKDF_ALG_HANDLE pseudo-handle for HKDF algorithm
Cng.cs Added HKDF algorithm name constant and reordered RSA constant

@dotnet-policy-service Dotnet Policy Service
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@build-analysis build-analysis bot mentioned this pull request Oct 2, 2025
Open
@vcsjones vcsjones enabled auto-merge (squash) October 2, 2025 13:32
@vcsjones vcsjones merged commit 2d26f85 into dotnet:main Oct 2, 2025
88 checks passed
@vcsjones vcsjones deleted the windows-hkdf-cng branch October 2, 2025 14:18
@vcsjones vcsjones added the cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release. label Oct 2, 2025
@vcsjones vcsjones added this to the 11.0.0 milestone Oct 2, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

Copilot code review Copilot Copilot left review comments

@bartonjs bartonjs bartonjs approved these changes

Assignees

@vcsjones vcsjones

Labels
area-System.Security cryptographic-docs-impact Issues impacting cryptographic docs. Cleared and reused after documentation is updated each release.
Projects
None yet
Milestone
11.0.0
Development

Successfully merging this pull request may close these issues.
2 participants
@vcsjones @bartonjs