Prefer using non-deprecated EC OSSL APIs where possible#127190
Merged
PranavSenthilnathan merged 26 commits intoJun 11, 2026
Conversation
Contributor
|
Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security |
Contributor
There was a problem hiding this comment.
Pull request overview
This PR introduces new OpenSSL 3.0+ EVP_PKEY-based EC key generation/import paths (to avoid deprecated EC_KEY APIs where possible), with managed code updated to prefer these paths and fall back to legacy behavior when needed.
Changes:
- Add native CryptoNative exports to generate/import EC keys via EVP_PKEY (named curves and explicit parameters).
- Update managed ECOpenSsl/ECDH code to use the new EVP_PKEY paths first, with legacy EC_KEY fallback.
- Extend the OpenSSL shim to light up additional OpenSSL 3.0 param-building/keygen APIs.
Reviewed changes
Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.
Show a summary per file
| File | Description |
|---|---|
| src/native/libs/System.Security.Cryptography.Native/pal_ecc_import_export.h | Adds new native API declarations for EVP_PKEY EC key generation/import. |
| src/native/libs/System.Security.Cryptography.Native/pal_ecc_import_export.c | Implements EVP_PKEY-based EC keygen and fromdata import (named + explicit). |
| src/native/libs/System.Security.Cryptography.Native/opensslshim.h | Lights up OpenSSL 3.0 param_build and related functions used by new native code. |
| src/native/libs/System.Security.Cryptography.Native/entrypoints.c | Exposes the new native functions via the CryptoNative entrypoint table. |
| src/libraries/Common/src/System/Security/Cryptography/ECOpenSsl.cs | Prefers EVP_PKEY EC keygen/import for OpenSSL 3.0 with fallback to EC_KEY. |
| src/libraries/Common/src/System/Security/Cryptography/ECDiffieHellmanOpenSslPublicKey.cs | Stores/uses EVP_PKEY handles directly instead of wrapping EC_KEY. |
| src/libraries/Common/src/System/Security/Cryptography/ECDiffieHellmanOpenSsl.Derive.cs | Uses EVP_PKEY curve-name detection and imports via new ECOpenSsl helpers. |
| src/libraries/Common/src/Interop/Unix/System.Security.Cryptography.Native/Interop.EcDsa.ImportExport.cs | Adds P/Invoke wrappers for the new CryptoNative EVP_PKEY EC APIs. |
This was referenced Apr 21, 2026
This was referenced Apr 23, 2026
Open
bartonjs
reviewed
Jun 3, 2026
3 tasks
bartonjs
reviewed
Jun 8, 2026
bartonjs
approved these changes
Jun 8, 2026
Contributor
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 18 out of 18 changed files in this pull request and generated 1 comment.
Comments suppressed due to low confidence (1)
src/native/libs/System.Security.Cryptography.Native/pal_ecc_import_export.c:403
- CryptoNative_EcKeyCreateByKeyParameters calls EC_KEY_new_by_curve_name / EC_KEY_set_* / EC_KEY_check_key / EC_KEY_free. After making EC_KEY_* LIGHTUP under FEATURE_DISTRO_AGNOSTIC_SSL, these function pointers can be NULL (e.g., OpenSSL built without deprecated EC_KEY APIs), which would crash via a NULL call. Add an API_EXISTS guard early and return a clean failure when EC_KEY APIs are unavailable.
int32_t CryptoNative_EcKeyCreateByKeyParameters(EC_KEY** key, const char* oid, const uint8_t* qx, int32_t qxLength, const uint8_t* qy, int32_t qyLength, const uint8_t* d, int32_t dLength)
{
if (!key || !oid)
{
assert(false);
Member
Author
|
@dotnet-policy-service rerun |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds new native entry points that use the modern OpenSSL 3.0
EVP_PKEYparameter and keygen APIs for EC keygeneration, import, and export, avoiding the deprecated
EC_KEYAPIs where possible.On pre-3.0 OpenSSL, the existing
EC_KEYcode paths are preserved as fallbacks. All new lightup APIs are guarded withAPI_EXISTSunderFEATURE_DISTRO_AGNOSTIC_SSL.Unified EC APIs (EC_GROUP_get/set_curve, EC_POINT_get/set_affine_coordinates) are promoted to REQUIRED (available
since OpenSSL 1.1.1, which is the minimum supported version).