Implement HKDF with CryptoKit on Apple #119998
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Contributor
|
Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones |
Contributor
There was a problem hiding this comment.
Pull Request Overview
This PR implements native HKDF (HMAC-based Key Derivation Function) support on Apple platforms using CryptoKit. The implementation provides better performance by leveraging Apple's native cryptographic libraries when available (iOS 14+, tvOS 14+, macOS, Mac Catalyst), while falling back to the existing managed implementation on older platforms.
Key changes:
- Added native CryptoKit HKDF implementation with platform detection
- Enhanced test coverage for previously untested hash algorithms (MD5, SHA-384, SHA-512)
- Refactored shared code by extracting hash algorithm mapping utility
Reviewed Changes
Copilot reviewed 10 out of 10 changed files in this pull request and generated 16 comments.
Show a summary per file
| File | Description |
|---|---|
| pal_swiftbindings.swift | Implements HKDF extract, expand, and derive operations using CryptoKit |
| pal_swiftbindings.h | Declares native function entry points for HKDF operations |
| entrypoints.c | Registers HKDF native functions for P/Invoke |
| HKDFTests.cs | Adds comprehensive test cases for MD5, SHA-384, and SHA-512 algorithms |
| HKDF.cs | Fixes documentation comment parameter reference |
| HKDF.Apple.cs | Provides Apple-specific HKDF implementation with platform detection and fallback |
| System.Security.Cryptography.csproj | Updates project file to include Apple HKDF implementation |
| Interop.RSA.cs | Removes duplicate hash algorithm mapping function |
| Interop.PAL_HashAlgorithm.cs | Centralizes hash algorithm mapping utility function |
| Interop.HKDF.cs | Provides managed wrapper for native HKDF P/Invoke calls |
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Apple.cs
Outdated
Show resolved
Hide resolved
Co-authored-by: Copilot <[email protected]>
Member
Author
|
Hum. CoreCLR passed, Mono failed. |
bartonjs
reviewed
Sep 23, 2025
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/HKDF.Apple.cs
Show resolved
Hide resolved
Member
Author
Of course I cannot reproduce it... |
bartonjs
reviewed
Sep 23, 2025
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
bartonjs
approved these changes
Sep 23, 2025
vcsjones
added
the
NO-MERGE
Member
Author
|
Draft / NO-MERGE because this has debugging logs for CI since issue cannot be reproduced locally. |
This was referenced Sep 25, 2025
vcsjones
changed the title
bartonjs
approved these changes
Sep 25, 2025
bartonjs
reviewed
Sep 25, 2025
src/native/libs/System.Security.Cryptography.Native.Apple/pal_swiftbindings.swift
Outdated
Show resolved
Hide resolved
vcsjones
removed
the
NO-MERGE
vcsjones
added
the
cryptographic-docs-impact
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
CryptoKit has a native HKDF implementation. For platforms where CryptoKit HKDF is available, this implements the HKDF algorithm using CryptoKit. On platforms where CryptoKit HKDF is not available (< iOS 14) the managed fallback is used.
There was also a notable lack any tests for MD5, SHA-384, and SHA-512. The entire HKDF test suite would pass even if I did not implement those algorithms at all. So lets create some tests while we are here.