Description
`CoseSigner.Key` may now be null. If `CoseSigner` is backed by an RSA or ECDSA key then `CoseSigner.Key` will continue to return the key and it will be non-null. However, when `CoseSigner` is backed by a key that doesn't derive from `AsymmetricAlgorithm`, like `MLDsa` (a new Post-Quantum Cryptography (PQC) signing algorithm), `CoseSigner.Key` will be `null`.
Version
.NET 10 Preview 7
Previous behavior
`CoseSigner.Key` cannot be `null`. It had type `AsymmetricAlgorithm`.
New behavior
`CoseSigner.Key` can be `null`. It now has type `AsymmetricAlgorithm?`.
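```csharp
using System.Security.Cryptography;
using System.Security.Cryptography.Cose;

// Case 1: signer constructed directly from an RSA key.
using RSA rsaKey = RSA.Create();
CoseSigner signer = new CoseSigner(rsaKey, RSASignaturePadding.Pss, HashAlgorithmName.SHA512);
// signer.Key is rsaKey here

// Case 2: signer constructed from a CoseKey that wraps the same RSA key.
// CoseKey is a new abstraction for all keys used in COSE
CoseKey coseKey = new CoseKey(rsaKey, RSASignaturePadding.Pss, HashAlgorithmName.SHA512);
signer = new CoseSigner(coseKey);
// signer.Key is rsaKey here

// Case 3: signer constructed from a CoseKey that wraps an ML-DSA key.
using MLDsa mldsa = MLDsa.GenerateKey(MLDsaAlgorithm.MLDsa44);
coseKey = new CoseKey(mldsa);
signer = new CoseSigner(coseKey);
// signer.Key is null here
```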
Type of breaking change
- Binary incompatible: Existing binaries might encounter a breaking change in behavior, such as failure to load or execute, and if so, require recompilation.
- Source incompatible: When recompiled using the new SDK or component or to target the new runtime, existing source code might require source changes to compile successfully.
- Behavioral change: Existing binaries might behave differently at run time.
Reason for change
With the introduction of new signing algorithms such as ML-DSA, .NET has moved away from using `AsymmetricAlgorithm` as the universal base class for all asymmetric algorithms. Likewise, `CoseSigner` can now be constructed with a key that doesn't derive from `AsymmetricAlgorithm`. In this case `CoseSigner.Key` can't return an `AsymmetricAlgorithm` representing the underlying key and thus returns `null` instead.
This change was introduced in dotnet/runtime#115158.
Recommended action
`CoseSigner.Key` can still be used, but callers should handle `null` values.
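One way a caller that inspects `CoseSigner.Key` for a key-strength policy can handle the new `null` case, failing closed instead of dereferencing it. This is an added example, not code from this issue or from dotnet/runtime; `SignerKeyPolicy`, its members and the `allowOpaqueKey` parameter are hypothetical names.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Cose;

// Constructed sample: an RSA-backed signer, as in the first case above.
using RSA rsaKey = RSA.Create(3072);
var signer = new CoseSigner(rsaKey, RSASignaturePadding.Pss, HashAlgorithmName.SHA512);

SignerKeyPolicy.Enforce(signer, minRsaBits: 3072, allowOpaqueKey: false);
Console.WriteLine(SignerKeyPolicy.Describe(signer));

// Hypothetical helper, not a .NET API.
static class SignerKeyPolicy
{
    // Describes the key for audit logging without assuming Key is non-null.
    public static string Describe(CoseSigner signer) => signer.Key switch
    {
        RSA rsa => $"RSA {rsa.KeySize}-bit",
        ECDsa ecdsa => $"ECDSA {ecdsa.KeySize}-bit",
        AsymmetricAlgorithm other => other.GetType().Name,
        null => "key not exposed as AsymmetricAlgorithm (for example ML-DSA)",
    };

    // Rejects undersized RSA keys. A null Key is never treated as "passed":
    // the caller must opt in, having validated the key where it was created.
    public static void Enforce(CoseSigner signer, int minRsaBits, bool allowOpaqueKey)
    {
        switch (signer.Key)
        {
            case RSA rsa when rsa.KeySize < minRsaBits:
                throw new CryptographicException(
                    $"RSA key is {rsa.KeySize} bits; policy requires at least {minRsaBits}.");

            case null when !allowOpaqueKey:
                // Before this change, code here could read signer.Key.KeySize
                // unconditionally; with an ML-DSA signer that now throws
                // NullReferenceException instead of enforcing the policy.
                throw new CryptographicException(
                    "Signer key cannot be inspected through CoseSigner.Key; " +
                    "validate it at creation and pass allowOpaqueKey: true.");
        }
    }
}
```

A signer built from `new CoseKey(mldsa)` as in the New behavior snippet takes the `null` branch in both methods.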
Feature area
Cryptography
Affected APIs
namespace System.Security.Cryptography.Cose
{
public partial class CoseSigner
{
- public System.Security.Cryptography.AsymmetricAlgorithm Key { get; }
+ public System.Security.Cryptography.AsymmetricAlgorithm? Key { get; }
}
}
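Review bot: on the `+` line only the nullable annotation of `Key` changes, so callers compiled without nullable reference types enabled get no compiler warning and first see the `null` at run time. The property's documentation should state that `Key` returns `null` when the signer's key does not derive from `AsymmetricAlgorithm`, so the condition is discoverable without reading this issue.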