[API Proposal]: Obsolete all Rfc2898DeriveBytes constructors #97221
Assignees
Labels
api-approved
API was approved in API review, it can be implemented
area-System.Security
in-pr
There is an active PR which will close this issue when it is merged
Milestone
Comments
vcsjones
added
api-suggestion
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones Issue DetailsBackground and motivation
The instance based implementation provides the ability to "stream" bytes back from the KDF. Successive calls to This streaming behavior was never an intended use case of RFC 2898 (or its successor RFC 8018). Further, none of the underlying platforms implement PBKDF2 in a way that supports streaming. So the streaming implementation will always need to be managed on top of HMAC. Since streaming is the only real reason to instantiate the class instead of using the one-shots, I propose obsoleting the constructors with the recommendation that the one-shot be used. A slight complication from this is that the class is not sealed. A quick code search however indicates that few folks are regularly deriving from this class. Since this class already has obsolete constructors, I propose re-obsoleting the current ones under a different SYSLIB since the new obsoletion is "stronger". This will also cause people that suppressed the obsoletion to re-evaluate the suppression. API Proposalpublic partial class Rfc2898DeriveBytes : DeriveBytes
{
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(byte[] password, byte[] salt, int iterations);
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, byte[] salt);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, byte[] salt, int iterations);
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, int saltSize);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, int saltSize, int iterations);
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, int saltSize, int iterations, HashAlgorithmName hashAlgorithm);API UsageAlternative DesignsNo response RisksNo response
|
ghost
added
the
jeffhandley
removed
the
untriaged
bartonjs
added
api-ready-for-review
namespace System.Security.Cryptography;
public partial class Rfc2898DeriveBytes : DeriveBytes
{
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(byte[] password, byte[] salt, int iterations);
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, byte[] salt);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, byte[] salt, int iterations);
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, int saltSize);
- [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)]
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, int saltSize, int iterations);
+ [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)]
public Rfc2898DeriveBytes(string password, int saltSize, int iterations, HashAlgorithmName hashAlgorithm);
} |
terrajobst
added
api-approved
dotnet-policy-service
bot
added
the
in-pr
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Background and motivation
Rfc2898DeriveBytesimplements RFC 2898 (PBKDF2) and offers two ways to use it: create an instance or use static one-shots.The instance based implementation provides the ability to "stream" bytes back from the KDF. Successive calls to
GetBytesdo not reset the in-progress operation.This streaming behavior was never an intended use case of RFC 2898 (or its successor RFC 8018). Further, none of the underlying platforms implement PBKDF2 in a way that supports streaming. So the streaming implementation will always need to be managed on top of HMAC.
Since streaming is the only real reason to instantiate the class instead of using the one-shots, I propose obsoleting the constructors with the recommendation that the one-shot be used.
A slight complication from this is that the class is not sealed. A quick code search however indicates that few folks are regularly deriving from this class.
Since this class already has obsolete constructors, I propose re-obsoleting the current ones under a different SYSLIB since the new obsoletion is "stronger". This will also cause people that suppressed the obsoletion to re-evaluate the suppression.
API Proposal
public partial class Rfc2898DeriveBytes : DeriveBytes { - [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)] + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(byte[] password, byte[] salt, int iterations); + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(byte[] password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm); - [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)] + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(string password, byte[] salt); - [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)] + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(string password, byte[] salt, int iterations); + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(string password, byte[] salt, int iterations, HashAlgorithmName hashAlgorithm); - [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)] + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(string password, int saltSize); - [Obsolete(Obsoletions.Rfc2898OutdatedCtorMessage, DiagnosticId = Obsoletions.Rfc2898OutdatedCtorDiagId, UrlFormat = Obsoletions.SharedUrlFormat)] + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(string password, int saltSize, int iterations); + [Obsolete("Creating instances of Rfc2898DeriveBytes is obsolete. Use the static Pbkdf2 method instead.", DiagnosticId = "SYSLIBXXXX", UrlFormat = Obsoletions.SharedUrlFormat)] public Rfc2898DeriveBytes(string password, int saltSize, int iterations, HashAlgorithmName hashAlgorithm);API Usage
Alternative Designs
No response
Risks
No response
The text was updated successfully, but these errors were encountered: