Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

System.Security.Cryptography.Pkcs is broken on .NET Framework #111749

Open
avivanoff opened this issue Jan 23, 2025 · 16 comments
Open

System.Security.Cryptography.Pkcs is broken on .NET Framework #111749

avivanoff opened this issue Jan 23, 2025 · 16 comments
Assignees
Milestone

Comments

@avivanoff
Copy link

Description

When used in projects targeting .NET Framework System.Security.Cryptography.Pkcs v9.0.1 results in System.MissingMethodException.

Reproduction Steps

Compile and run the sample project.

Expected behavior

Execution succeeds.

Actual behavior

System.MissingMethodException is thrown.

Regression?

No response

Known Workarounds

No response

Configuration

.NET Frmamework 4.8.1.

Other information

No response

@dotnet-policy-service dotnet-policy-service bot added the untriaged New issue has not been triaged by the area owner label Jan 23, 2025
Copy link
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

@bartonjs
Copy link
Member

Looks like the ref.cs might be wrong. It shouldn't expose that constructor on .NET Framework. (CmsSigner..ctor(SubjectIdentifierType, X509Certificate2, AsymmetricAlgorithm)

If you're targeting only .NET Framework there's really no reason to reference the package, since SignedCms is provided by the framework itself.

@avivanoff
Copy link
Author

avivanoff commented Jan 23, 2025

@bartonjs, there is no CmsSigner..ctor(SubjectIdentifierType, X509Certificate2, AsymmetricAlgorithm) overload in .NET Framework 4.8.

@vcsjones
Copy link
Member

@bartonjs, there is no CmsSigner..ctor(SubjectIdentifierType, X509Certificate2, AsymmetricAlgorithm) overload in .NET Framework 4.8.

Right. And it isn't the intention of the package to bring it to .NET Framework, either.

When using this package, it does a forward of CmsSigner to the one in .NET Framework. What is not correct is that the compiler is seeing the API shape for .NET (Core). What is being compiled against and what is actually used are two different assemblies, and it is the former one that is incorrect, not the latter.

@avivanoff
Copy link
Author

avivanoff commented Jan 23, 2025

@vcsjones, I do not think your statement is correct. The compiler is seeing the API shape for .NET Standard 2.0 (which is implemented by .NET Framework). What is incorrect here is the shape of .NET Standard 2.0 assembly.

@avivanoff
Copy link
Author

And should the documentation be updated? It clearly states:

Applies to:

.NET Framework       4.7 (package-provided), 4.7.1 (package-provided), 4.7.2 (package-provided), 4.8 (package-provided)

@avivanoff
Copy link
Author

This is actually really bad, and we are hitting this scenario in pre-production testing. No compiler errors, crashes at runtime.

@vcsjones
Copy link
Member

@ViktorHofer there is no ref/ directory in the System.Security.Cryptography.Pkcs nuget package. Any idea why that might be?

The problem is that there are a number of members that are public in the src, but we don't expose them in the ref source. Since there is no reference assembly in the package, the src assembly is used, and that member is visible when it shouldn't be.

It used to have a ref directory in the 5.0.0 version of the package. Something changed between .NET 5 and .NET 6.

@ViktorHofer
Copy link
Member

ViktorHofer commented Jan 23, 2025

Correct, all packages intentionally stopped shipping reference assemblies starting with .NET 6, cc @ericstj. The public contract of nuget packages are the implementation assemblies. We had multiple conversations about this in the past and I also filed #66090 years ago to talk about this:

Since .NET 6, reference assemblies aren't part of our out-of-band packages anymore. That means that our customers when consuming our packages, bind/compile against the package's implementation assembly and not its reference assembly. Therefore the API surface area that we carefully maintain via the reference source files isn't the actual API surface area that our customers target.

All these members that are recorded as different between the contract and the implementation are exposed publicly:

<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.#ctor(System.Security.Cryptography.Pkcs.SubjectIdentifierType,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.AsymmetricAlgorithm)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.#ctor(System.Security.Cryptography.Pkcs.SubjectIdentifierType,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.RSA,System.Security.Cryptography.RSASignaturePadding)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.get_PrivateKey</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.get_SignaturePadding</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.set_PrivateKey(System.Security.Cryptography.AsymmetricAlgorithm)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.set_SignaturePadding(System.Security.Cryptography.RSASignaturePadding)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.ContentInfo.GetContentType(System.ReadOnlySpan{System.Byte})</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.EnvelopedCms.Decode(System.ReadOnlySpan{System.Byte})</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.EnvelopedCms.Decrypt(System.Security.Cryptography.Pkcs.RecipientInfo,System.Security.Cryptography.AsymmetricAlgorithm)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignedCms.AddCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignedCms.Decode(System.ReadOnlySpan{System.Byte})</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignedCms.RemoveCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.AddUnsignedAttribute(System.Security.Cryptography.AsnEncodedData)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.get_SignatureAlgorithm</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.GetSignature</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.RemoveUnsignedAttribute(System.Security.Cryptography.AsnEncodedData)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SubjectIdentifier.MatchesCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
<Left>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/net462/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.#ctor(System.Security.Cryptography.Pkcs.SubjectIdentifierType,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.AsymmetricAlgorithm)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.#ctor(System.Security.Cryptography.Pkcs.SubjectIdentifierType,System.Security.Cryptography.X509Certificates.X509Certificate2,System.Security.Cryptography.RSA,System.Security.Cryptography.RSASignaturePadding)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.get_PrivateKey</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.get_SignaturePadding</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.set_PrivateKey(System.Security.Cryptography.AsymmetricAlgorithm)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.CmsSigner.set_SignaturePadding(System.Security.Cryptography.RSASignaturePadding)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.ContentInfo.GetContentType(System.ReadOnlySpan{System.Byte})</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.EnvelopedCms.Decode(System.ReadOnlySpan{System.Byte})</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.EnvelopedCms.Decrypt(System.Security.Cryptography.Pkcs.RecipientInfo,System.Security.Cryptography.AsymmetricAlgorithm)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignedCms.AddCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignedCms.Decode(System.ReadOnlySpan{System.Byte})</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignedCms.RemoveCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.AddUnsignedAttribute(System.Security.Cryptography.AsnEncodedData)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.get_SignatureAlgorithm</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.GetSignature</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SignerInfo.RemoveUnsignedAttribute(System.Security.Cryptography.AsnEncodedData)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>
<Suppression>
<DiagnosticId>CP0002</DiagnosticId>
<Target>M:System.Security.Cryptography.Pkcs.SubjectIdentifier.MatchesCertificate(System.Security.Cryptography.X509Certificates.X509Certificate2)</Target>
<Left>ref/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Left>
<Right>lib/netstandard2.0/System.Security.Cryptography.Pkcs.dll</Right>
</Suppression>

@avivanoff
Copy link
Author

avivanoff commented Jan 23, 2025

So ..NET Standard 2.0 of this assembly is broken, or you intentionally broke .NET Framework builds, or am I missing something?

@bartonjs
Copy link
Member

I guess I assumed that whoever was excluding the ref assemblies was going to make sure the packages made sense. But, apparently we each assumed the other party was responsible and no one did it.

@vcsjones
Copy link
Member

Okay - I think the most sensible thing to do here then is fix the src for netstandard builds so there visibility is internal.

@avivanoff
Copy link
Author

Shouldn’t they be conditionally excluded instead?

@vcsjones
Copy link
Member

Shouldn’t they be conditionally excluded instead?

In some cases these APIs are used by the package itself, so the implementation needs to stay.

@ericstj
Copy link
Member

ericstj commented Jan 23, 2025

This problem and more are already highlighted in the suppression file Viktor shared. I suggest you audit those as it looks like you might have accumulated more cases where the netfx implementation does not agree with the netstandard one (all the lib/lib comparisons). It'll be a "breaking change" but it's one we need to take as we can't fix netfx.

@avivanoff
Copy link
Author

we can't fix netfx.

You can always ship 4.9.

@vcsjones vcsjones self-assigned this Jan 24, 2025
@vcsjones vcsjones added this to the 10.0.0 milestone Jan 24, 2025
@vcsjones vcsjones removed the untriaged New issue has not been triaged by the area owner label Jan 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

5 participants