Description
Over the past few years, we have obsoleted many "older" cryptographic implementations such as *CryptoServiceProvider, *Managed etc.
There are two exceptions for that: RSACryptoServiceProvider and DSACryptoServiceProvider. These hark back to the CSP implementation in Windows, and CSP is deprecated.
These never got deprecated because they had a lot of inertia going back to .NET Framework 1.0, and a lot of code has been written to use them. Additionally, there are some legitimate uses of CSP on Windows.
On non-Windows, these classes fake the implementation. They are instead backed by their real implementation behind the scenes for the core APIs. The CSP-specific things throw platform not supported exception. Additionally, these classes try to mimic CSP's limitations: no SHA2-OAEP in RSA, for example. These limitations will continue to grow.
Instead, we prefer the use of the factory Create() methods. These APIs should be preferred for a number of reasons. Some examples why:
- RSA.Create is going to give you an implementation that is faster than RSACryptoServiceProvider. (.NET 8+)
- Encrypt (and Decrypt) for OAEP is limited to SHA1 in CSP.
- CSP will not gain SHA3 signing capabilities.
So the question becomes: is there a way we can better steer people away from RSACryptoServiceProvider to RSA.Create()?
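The OAEP limitation and the move to the factory method described in the issue above, as an added example that is not part of the original issue or of the dotnet/runtime code. It assumes a freshly generated, exportable 2048-bit key; the class name `CspMigrationDemo` and the helper `SupportsOaepSha256` are hypothetical names chosen for illustration.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added illustration; names here are hypothetical, not from the issue.
static class CspMigrationDemo
{
    // Tries an OAEP/SHA-256 encrypt-decrypt round trip on the given RSA object.
    // Returns false when the implementation rejects the padding mode.
    static bool SupportsOaepSha256(RSA rsa, byte[] plaintext)
    {
        try
        {
            byte[] ct = rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
            byte[] pt = rsa.Decrypt(ct, RSAEncryptionPadding.OaepSHA256);
            return pt.AsSpan().SequenceEqual(plaintext);
        }
        catch (CryptographicException)
        {
            // RSACryptoServiceProvider only accepts PKCS#1 v1.5 and OAEP-SHA1,
            // on Windows (CSP) and on other platforms (where it mimics CSP).
            return false;
        }
    }

    static void Main()
    {
        byte[] message = Encoding.UTF8.GetBytes("constructed sample message");

        // Legacy pattern: the concrete CSP type is instantiated directly.
        using var legacy = new RSACryptoServiceProvider(2048);

        // Migration: carry the same key over to the platform's preferred
        // implementation via the factory method. Requires an exportable key.
        using RSA modern = RSA.Create();
        modern.ImportParameters(legacy.ExportParameters(includePrivateParameters: true));

        Console.WriteLine($"RSACryptoServiceProvider OAEP-SHA256: {SupportsOaepSha256(legacy, message)}");
        Console.WriteLine($"RSA.Create()             OAEP-SHA256: {SupportsOaepSha256(modern, message)}");

        // Same key in both objects: a signature made by one verifies with the other.
        byte[] sig = modern.SignData(message, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        bool crossVerify = legacy.VerifyData(message, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1)
                        || modern.VerifyData(message, sig, HashAlgorithmName.SHA256, RSASignaturePadding.Pss);
        Console.WriteLine($"PSS signature verifies via RSA.Create(): {crossVerify}");
    }
}
```

Keys held in a named CSP key container marked non-exportable cannot be moved this way; those are among the legitimate Windows CSP uses the issue mentions.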