Skip to content

feat: "Spanify" DataProtector with GetSize/TryProtect pattern #62903

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 57 commits into
base: main
Choose a base branch
from
Open

feat: "Spanify" DataProtector with GetSize/TryProtect pattern #62903

wants to merge 57 commits into from

Conversation

@DeagleGross
Copy link
Member

@DeagleGross DeagleGross commented Jul 24, 2025
edited
Loading

Please, review with caution! This is cryptography and failures here can be pretty dramatic...

This PR introduces 2 new interfaces which allow usage of DataProtection via Span<byte>: ISpanDataProtector and IAuthenticatedEncryptor.

Details

Current PR proposes extra interfaces ISpanDataProtector and ISpanAuthenticatedEncryptor (Inspiration taken from ISpanFormattable : IFormattable). The APIs are:

namespace Microsoft.AspNetCore.DataProtection;

+ public interface ISpanDataProtector : IDataProtector
+ {
+     int GetProtectedSize(int plainTextLength);
+     bool TryProtect(ReadOnlySpan<byte> plainText, Span<byte> destination, out int bytesWritten);

+     int GetUnprotectedSize(int cipherTextLength);
+     bool TryUnprotect(ReadOnlySpan<byte> cipherText, Span<byte> destination, out int bytesWritten);
+ }

and

namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;

+public interface ISpanAuthenticatedEncryptor : IAuthenticatedEncryptor
+ {
+     int GetEncryptedSize(int plainTextLength);
+     bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);

+     int GetDecryptedSize(int cipherTextLength);
+     bool TryDecrypt(ReadOnlySpan<byte> cipherText, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
+ }

From the implementation standpoint, these APIs are basically doing what existing Protect() / Unprotect() and Encrypt() / Decrypt() do, but without allocating a result array and instead filling in the Span<byte> destination.

For IAuthenticatedEncryptors I tried to reuse the TryEncrypt/TryDecrypt from Encrypt/Decrypt where possible to reduce code duplication.

Registrations

IDataProtector also should implement IDataProtectionProvider which provides the protector instance:

public interface IDataProtectionProvider
{
  IDataProtector CreateProtector(string purpose);
}

And in default DI (AddDataProtection) IDataProtector is created in such a manner:
https://github.com/dotnet/aspnetcore/blob/b52c80fef2b8bf5239c7643d9c79d1029bb6c988/src/DataProtection/DataProtection/src/DataProtectionServiceCollectionExtensions.cs#L89C13-L95C14

I dont want to introduce more APIs and interfaces for providing ISpanDataProtector and instead when providing I am doing a lookup to determine whether it is possible to return ISpanDataProtector or IDataProtector. Users will then be able to differentiate based on their needs and registrations.

Usage

Having IDataProtector:

void Do(IDataProtector protector, ReadOnlySpan<byte> plaintext)
{
    if (protector is ISpanDataProtector spanDataProtector)
    {
        // Use the Span API
        
        var destination = new byte[spanDataProtector.GetProtectedSize(plaintext.Length)];
        if (spanDataProtector.TryProtect(plaintext, destination, out var bytesWritten))
        {
            Console.WriteLine($"Protected {bytesWritten} bytes using Span API.");
        }
    }
    else
    {
        var ciphertext = protector.Protect(plaintext.ToArray());
        Console.WriteLine($"Protected {ciphertext.Length} bytes using regular API.");
    }
}

and the same goes for IAuthenticatedEncryptor, but I doubt majority of users implement their own IAuthenticatedEncryptor.

Testing

In order to verify correctness of the changes I've created RoundtripEncryptionHelpers.AssertTryEncryptTryDecryptParity where I try to call Encrypt/Decrypt in different order for IDataProtector and IAuthenticatedEncryptor to ensure any order of operations give a correct roundtrip result.

I will also change any other place in aspnetcore to use this API to make sure new APIs behave correctly and in the same way as existing APIs

Fixes #44758

@github-actions github-actions bot added the area-dataprotection Includes: DataProtection label Jul 24, 2025
@DeagleGross DeagleGross changed the title feat: "Spanify" DataProtector Protect/Unprotect feat: "Spanify" DataProtector Protect [part 1] Jul 24, 2025
@DeagleGross DeagleGross marked this pull request as ready for review July 24, 2025 13:54
Copilot AI review requested due to automatic review settings July 24, 2025 13:54
@DeagleGross DeagleGross self-assigned this Jul 24, 2025
Copilot AI reviewed Jul 24, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR adds new non-allocating "Span-based" APIs to the DataProtection interfaces, specifically implementing the Protect/Encrypt functionality without requiring heap allocations. The new APIs allow callers to get the size of protected data upfront and then encrypt directly into a provided buffer.

Key changes:

  • Added GetProtectedSize() and TryProtect() methods to IDataProtector interface
  • Added GetEncryptedSize() and TryEncrypt() methods to IAuthenticatedEncryptor interface
  • Implemented these methods across all encryptor types (AES-GCM, CBC, CNG variants, Managed implementations)

Reviewed Changes

Copilot reviewed 23 out of 23 changed files in this pull request and generated 4 comments.

Show a summary per file
File Description
src/DataProtection/Abstractions/src/IDataProtector.cs Added new span-based APIs to the main data protector interface
src/DataProtection/DataProtection/src/AuthenticatedEncryption/IAuthenticatedEncryptor.cs Added new span-based APIs to the authenticated encryptor interface
src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs Core implementation of new APIs with proper header management
src/DataProtection/DataProtection/src/Managed/ManagedAuthenticatedEncryptor.cs Implementation for managed (non-CNG) encryption algorithms
src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs Implementation for AES-GCM encryption
src/DataProtection/DataProtection/src/Cng/CbcAuthenticatedEncryptor.cs Implementation for CNG-based CBC encryption
src/DataProtection/DataProtection/src/Cng/CngGcmAuthenticatedEncryptor.cs Implementation for CNG-based GCM encryption
src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs Updated time-limited protector to support new APIs
Multiple test files Comprehensive test coverage for the new functionality

halter73
halter73 reviewed Jul 24, 2025
View reviewed changes
Copy link
Member

@halter73 halter73 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should update our existing code that calls into IDataProtecter to use the new methods to get good test coverage of the new methods.

@DeagleGross DeagleGross changed the title feat: "Spanify" DataProtector Protect [part 1] feat: "Spanify" DataProtector Aug 4, 2025
@build-analysis build-analysis bot mentioned this pull request Aug 6, 2025
Closed
3 tasks
@DeagleGross
Copy link
Member Author

DeagleGross commented Aug 6, 2025

Pushed the dotnetbenchmark project showing the updated numbers. Results on my machine:
image

BrennanConroy
BrennanConroy reviewed Aug 11, 2025
View reviewed changes
@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Aug 18, 2025
@DeagleGross DeagleGross mentioned this pull request Aug 25, 2025
Open
4 tasks
@DeagleGross
Copy link
Member Author

DeagleGross commented Oct 9, 2025

/azp run

@dotnet-policy-service dotnet-policy-service bot removed the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Oct 9, 2025
@azure-pipelines
Copy link

azure-pipelines bot commented Oct 9, 2025

Azure Pipelines successfully started running 2 pipeline(s).

@dotnet-policy-service
Copy link
Contributor

dotnet-policy-service bot commented Oct 16, 2025

Looks like this PR hasn't been active for some time and the codebase could have been changed in the meantime.
To make sure no conflicting changes have occurred, please rerun validation before merging. You can do this by leaving an /azp run comment here (requires commit rights), or by simply closing and reopening.

@dotnet-policy-service dotnet-policy-service bot added the pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun label Oct 16, 2025
@DeagleGross DeagleGross changed the title feat: "Spanify" DataProtector feat: "Spanify" DataProtector with GetSize/TryProtect pattern Nov 10, 2025
@DeagleGross DeagleGross mentioned this pull request Nov 11, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@halter73 halter73 halter73 left review comments

@BrennanConroy BrennanConroy BrennanConroy left review comments

Copilot code review Copilot Copilot left review comments

At least 1 approving review is required to merge this pull request.

Assignees

@DeagleGross DeagleGross

Labels

area-dataprotection Includes: DataProtection pending-ci-rerun When assigned to a PR indicates that the CI checks should be rerun

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

API proposal: Add ReadOnlySpan<byte> to IDataProtector (un)Protect

5 participants

@DeagleGross @martincostello @halter73 @BrennanConroy