Member

@vcsjones vcsjones commented Jun 10, 2025

macOS has historically supported AesCcm and OpenSsl suffixed types like RSAOpenSsl as a "light up" option.

This support is largely vestigial from when .NET used OpenSSL on macOS as its main cryptographic implementation. It hasn't had test coverage in some time due to the hardened runtime preventing loading the openssl libraries.

This pull request changes the OpenSSL primitives on macOS to unconditionally throw PlatformNotSupportedException.

It does not fully remove building of System.Security.Cryptography.Native or shipping the native library. That will be done as a follow up pending some open questions.
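
An added example, not code from this pull request or from dotnet/runtime: a small C# probe to run on a target runtime to see which OpenSSL-backed types still construct and which throw PlatformNotSupportedException. The class name `OpenSslProbe`, the all-zero probe key, and the choice of types beyond AesCcm and RSAOpenSsl are assumptions made for this example.

```csharp
using System;
using System.Runtime.InteropServices;
using System.Security.Cryptography;

#pragma warning disable CA1416 // calling platform-specific APIs is the point of the probe

static class OpenSslProbe
{
    // Hypothetical probe list: AesCcm and RSAOpenSsl are named in the PR text,
    // the other OpenSsl-suffixed types are added for this example.
    static readonly (string Name, Func<IDisposable> Create)[] Probes =
    {
        ("AesCcm", () => new AesCcm(new byte[16])), // constructed all-zero key, probe only
        ("RSAOpenSsl", () => new RSAOpenSsl()),
        ("ECDsaOpenSsl", () => new ECDsaOpenSsl()),
        ("ECDiffieHellmanOpenSsl", () => new ECDiffieHellmanOpenSsl()),
    };

    // Tries to construct one type and reports how the runtime responded.
    public static string Probe(Func<IDisposable> create)
    {
        try
        {
            using IDisposable instance = create();
            return "available";
        }
        catch (PlatformNotSupportedException)
        {
            return "PlatformNotSupportedException";
        }
        catch (Exception ex)
        {
            // Anything else (for example a type initializer failure) is reported by type name.
            return "failed: " + ex.GetType().Name;
        }
    }

    static void Main()
    {
        Console.WriteLine($"{RuntimeInformation.FrameworkDescription} on {RuntimeInformation.RuntimeIdentifier}");
        Console.WriteLine($"AesCcm.IsSupported = {AesCcm.IsSupported}");
        foreach (var (name, create) in Probes)
            Console.WriteLine($"{name,-24} {Probe(create)}");
    }
}
```

Code that must run on several platforms can check `AesCcm.IsSupported` before constructing `AesCcm`, and can obtain keys through the platform-neutral factories such as `RSA.Create()` instead of naming an OpenSsl-suffixed type.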

@vcsjones vcsjones added this to the 10.0.0 milestone Jun 10, 2025
@vcsjones vcsjones requested a review from bartonjs June 10, 2025 15:03
@vcsjones vcsjones self-assigned this Jun 10, 2025
@Copilot Copilot AI review requested due to automatic review settings June 10, 2025 15:03
@vcsjones vcsjones added area-System.Security breaking-change Issue or PR that represents a breaking API or functional change over a prerelease. labels Jun 10, 2025
@dotnet-policy-service dotnet-policy-service bot added the needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet label Jun 10, 2025
Contributor

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones
See info in area-owners.md if you want to be subscribed.

Contributor

@Copilot Copilot AI left a comment

Pull Request Overview

This PR removes vestigial OpenSSL-based implementations on macOS, replacing them with stubs that throw PlatformNotSupportedException, and updates project files to stop building or running those tests on macOS.

  • Deleted the SafeEvpPKeyHandle OpenSSL macOS implementation.
  • Added NotSupported source files and adjusted <Compile> includes in the main crypto csproj.
  • Updated test projects to ignore OpenSSL tests on macOS.

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| src/libraries/tests.proj | Removed ARM64/macOS exclusion for OpenSSL tests (no longer needed) |
| src/libraries/System.Security.Cryptography/src/.../SafeEvpPKeyHandle.OpenSsl.macOS.cs | Deleted macOS-specific OpenSSL key handle implementation |
| src/libraries/System.Security.Cryptography/src/System.Security.Cryptography.csproj | Reworked OpenSSL ItemGroups: removed AEAD group, added NotSupported stubs and moved compile items |
| src/libraries/System.Security.Cryptography.OpenSsl/tests/System.Security.Cryptography.OpenSsl.Tests.csproj | Extended IgnoreForCI to also skip OpenSSL tests on macOS |

Comments suppressed due to low confidence (2)

src/libraries/System.Security.Cryptography.OpenSsl/tests/System.Security.Cryptography.OpenSsl.Tests.csproj:5

  • There are no new tests verifying that AesCcm and other OpenSSL-based APIs on macOS throw PlatformNotSupportedException. Consider adding tests (with ActiveIssue for macOS) to cover the new NotSupported stubs.
<IgnoreForCI Condition="'$(TargetOS)' == 'android' or '$(TargetOS)' == 'ios' or '$(TargetOS)' == 'tvos' or '$(TargetOS)' == 'osx'">true</IgnoreForCI>

src/libraries/System.Security.Cryptography.OpenSsl/tests/System.Security.Cryptography.OpenSsl.Tests.csproj:4

  • [nitpick] The comment could explicitly list macOS alongside iOS and tvOS for clarity, e.g. “The library is not supported on Android or Apple platforms (iOS, tvOS, macOS)”.
<!-- The library is not supported on Android / Apple (PNSE) -->

@bartonjs
Member

/ba-g iOS queue is dead-lettered, and this change doesn't affect iOS.

@vcsjones vcsjones merged commit 74ac225 into dotnet:main Jun 11, 2025
84 of 87 checks passed
@vcsjones vcsjones deleted the nossl-macos branch June 11, 2025 17:57
@vcsjones vcsjones removed the needs-breaking-change-doc-created Breaking changes need an issue opened with https://github.com/dotnet/docs/issues/new?template=dotnet label Jun 11, 2025
@vcsjones
Member Author

Breaking change doc. dotnet/docs#46789

@github-actions github-actions bot locked and limited conversation to collaborators Jul 12, 2025