
Use native .NET 10 AES Key Wrap APIs #3400

Open
Copilot wants to merge 3 commits into dev from copilot/use-aes-kw-on-dotnet10

Conversation

Contributor

Copilot AI commented Jan 14, 2026

Use native .NET 10 AES Key Wrap APIs

  • You've read the Contributor Guide and Code of Conduct.
  • You've included unit or integration tests for your change, where applicable.
  • You've included inline docs for your change, where applicable.
  • If any gains or losses in performance are possible, you've included benchmarks for your changes. More info
  • There's an open issue for the PR that you are making. If you'd like to propose a new feature or change, please open an issue to discuss the change or find an existing issue.

Replace manual RFC 3394 implementation with native platform APIs on .NET 10+

Description

SymmetricKeyWrapProvider manually implemented AES Key Wrap (RFC 3394) using ECB mode. .NET 10 now provides Aes.EncryptKeyWrapPadded/DecryptKeyWrapPadded implementing RFC 5649, which is backward compatible with RFC 3394 for inputs that are multiples of 8 bytes (already enforced by existing validation).

Implementation Changes:

  • On .NET 10+: Use Aes.EncryptKeyWrapPadded/DecryptKeyWrapPadded
  • On .NET 9 and below: Retain existing manual RFC 3394 implementation
  • Skip ECB mode configuration on .NET 10+ (not needed for native APIs)

Test Cases Added:

  • Net10_WrapUnwrap_BackwardCompatibility (7 tests): Verify RFC 5649 compatibility with RFC 3394 for various key sizes (Aes128, Aes256) and data sizes (16-40 bytes)
  • Net10_WrapUnwrap_RoundTrip (3 tests): Ensure multiple wrap/unwrap cycles work correctly with different algorithms (Aes128KW, Aes256KW) and key types (SymmetricSecurityKey, JsonWebKey)
  • All new tests are conditionally compiled for .NET 10+ only using #if NET10_0_OR_GREATER

Testing Results:

  • ✅ All 65 tests pass on .NET 10 (55 original + 10 new)
  • ✅ All 55 tests pass on .NET 8 (new tests excluded as expected)
  • ✅ Build succeeds for all 7 target frameworks
Original prompt

This section details the original issue you should resolve

<issue_title>Use AES-KW on .NET10</issue_title>
<issue_description>On .NET10, there are APIs that use AES-KW, so we need to not use this code: azure-activedirectory-identitymodel-extensions-for-dotnet/src/Microsoft.IdentityModel.Tokens/Encryption/SymmetricKeyWrapProvider.cs at d25996a6c7e9a9cd11655a70566e913d6ccdad51 · AzureAD/azure-activedirectory-identitymodel-extensions-for-dotnet

And use AES-KW instead: Aes.EncryptKeyWrapPadded Method (System.Security.Cryptography) | Microsoft Learn</issue_description>

Comments on the Issue (you are @copilot in this section)



Co-authored-by: saurabhsathe-ms <197688485+saurabhsathe-ms@users.noreply.github.com>
@saurabhsathe-ms
Contributor

@copilot can you please also add some test cases?

- Fix SymmetricKeyWrapProvider to use correct .NET 10 APIs (EncryptKeyWrapPadded/DecryptKeyWrapPadded)
- Add comprehensive test cases for .NET 10 to verify backward compatibility
- Add round-trip tests with multiple key sizes and algorithms
- All 65 tests pass on .NET 10 (55 original + 10 new)
- All 55 tests pass on .NET 8 (new tests are .NET 10+ only)

Co-authored-by: saurabhsathe-ms <197688485+saurabhsathe-ms@users.noreply.github.com>
Contributor Author

Copilot AI commented Jan 14, 2026

@copilot can you please also add some test cases?

Added comprehensive test cases in commit f8d729a:

  • Net10_WrapUnwrap_BackwardCompatibility: 7 tests verifying RFC 5649 (used in .NET 10) is compatible with RFC 3394 (manual implementation) for various key sizes and data sizes
  • Net10_WrapUnwrap_RoundTrip: 3 tests ensuring multiple wrap/unwrap cycles work correctly with different algorithms (Aes128KW, Aes256KW) and key types (SymmetricSecurityKey, JsonWebKey)

All 65 tests pass on .NET 10 (55 original + 10 new). Tests are conditionally compiled for .NET 10+ only.

Copilot AI changed the title from "[WIP] Use AES-KW on .NET10 APIs" to "Use native .NET 10 AES Key Wrap APIs" on Jan 14, 2026
@saurabhsathe-ms saurabhsathe-ms marked this pull request as ready for review January 14, 2026 22:31
@saurabhsathe-ms saurabhsathe-ms requested a review from a team as a code owner January 14, 2026 22:31
Comment thread src/Microsoft.IdentityModel.Tokens/Encryption/SymmetricKeyWrapProvider.cs Dismissed

Development

Successfully merging this pull request may close these issues.

Use AES-KW on .NET10

3 participants