MichaelGrafnetter · wu-yafeng · Dec 23, 2025 · Dec 23, 2025
diff --git a/Src/DSInternals.Win32.WebAuthn.Adapter/DSInternals.Win32.WebAuthn.Adapter.csproj b/Src/DSInternals.Win32.WebAuthn.Adapter/DSInternals.Win32.WebAuthn.Adapter.csproj
@@ -15,6 +15,13 @@
 - Upgraded System.Text.Json to mitigate CVE-2024-43485.
 - Windows 10 1903 or newer is required.</PackageReleaseNotes>
   </PropertyGroup>
+
+  <!-- Enable AOT for .NET 7.0 and above -->
+  <PropertyGroup Condition="$([MSBuild]::VersionGreaterThanOrEquals('$([MSBuild]::GetTargetFrameworkVersion('$(TargetFramework)'))','7.0'))">
+    <IsAotCompatible>true</IsAotCompatible>
+    <PublishAot>true</PublishAot>
+    <VerifyReferenceAotCompatibility>true</VerifyReferenceAotCompatibility>
+  </PropertyGroup>
 
   <PropertyGroup Condition="'$(Configuration)'=='Release'">
     <GenerateDocumentationFile>true</GenerateDocumentationFile>

diff --git a/Src/DSInternals.Win32.WebAuthn.Adapter/packages.lock.json b/Src/DSInternals.Win32.WebAuthn.Adapter/packages.lock.json
@@ -883,6 +883,24 @@
         "resolved": "3.0.1",
         "contentHash": "mgjcuGETuYSCUEaZG+jQeeuuEMkDLc4GDJHBvKDdOz6oSOWp5adPdWP4btZx7Pi+9fu4szN3JIjJmby67MaILw=="
       },
+      "Microsoft.DotNet.ILCompiler": {
+        "type": "Direct",
+        "requested": "[7.0.20, )",
+        "resolved": "7.0.20",
+        "contentHash": "9gGpu74pc/FBQuHqTb0pnvTftfSpQIkOfic7z9czAPTlCxEvY8rsEsYcfIX7ExvcIEr35Rf5cpxqCH09gApW3Q=="
+      },
+      "Microsoft.NET.ILLink.Analyzers": {
+        "type": "Direct",
+        "requested": "[7.0.100-1.23401.1, )",
+        "resolved": "7.0.100-1.23401.1",
+        "contentHash": "XirkjOLc5Vc3HsXRc2Z6ZbQv6l0RvWgJa/31w7XqZ914MoSi3H3OCNRMWFw7H2EYfsnKbokFfhCcysAmUcEOgw=="
+      },
+      "Microsoft.NET.ILLink.Tasks": {
+        "type": "Direct",
+        "requested": "[7.0.100-1.23401.1, )",
+        "resolved": "7.0.100-1.23401.1",
+        "contentHash": "mI6vCdPEhluLtMn/GV0texEWg5oAPQWCCE4LWspM+Bmy75Nd4EQsziQXrdOFqNeSBQMrxDX9C/O5Xi3kpKSMIw=="
+      },
       "PeterO.Cbor": {
         "type": "Direct",
         "requested": "[4.5.3, )",

diff --git a/Src/DSInternals.Win32.WebAuthn/DSInternals.Win32.WebAuthn.csproj b/Src/DSInternals.Win32.WebAuthn/DSInternals.Win32.WebAuthn.csproj
@@ -18,6 +18,13 @@
 - A standalone package providing an adapter for data model defined in Fido2.Models is also available.</PackageReleaseNotes>
   </PropertyGroup>
 
+  <!-- Enable AOT for .NET 7.0 and above -->
+  <PropertyGroup Condition="$([MSBuild]::VersionGreaterThanOrEquals('$([MSBuild]::GetTargetFrameworkVersion('$(TargetFramework)'))','7.0')) AND '$(TargetFrameworkIdentifier)' == '.NETCoreApp'">
+    <IsAotCompatible>true</IsAotCompatible>
+    <PublishAot>true</PublishAot>
+    <VerifyReferenceAotCompatibility>true</VerifyReferenceAotCompatibility>
+  </PropertyGroup>
+
   <PropertyGroup Condition="'$(Configuration)'=='Release'">
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <GeneratePackageOnBuild>true</GeneratePackageOnBuild>

diff --git a/Src/DSInternals.Win32.WebAuthn/EntraID/MicrosoftGraphWebauthnAttestationResponse.cs b/Src/DSInternals.Win32.WebAuthn/EntraID/MicrosoftGraphWebauthnAttestationResponse.cs
@@ -1,5 +1,6 @@
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using DSInternals.Win32.WebAuthn.Serialization;
 
 namespace DSInternals.Win32.WebAuthn.EntraID
 {
@@ -25,7 +26,11 @@ public MicrosoftGraphWebauthnAttestationResponse(PublicKeyCredential publicKeyCr
 
         override public string ToString()
         {
+            #if NET7_0_OR_GREATER
+            return JsonSerializer.Serialize(this, WebAuthnJsonSerializerContext.Default.MicrosoftGraphWebauthnAttestationResponse);
+            #else
             return JsonSerializer.Serialize(this);
+            #endif
         }
     }
 }
diff --git a/Src/DSInternals.Win32.WebAuthn/EntraID/MicrosoftGraphWebauthnCredentialCreationOptions.cs b/Src/DSInternals.Win32.WebAuthn/EntraID/MicrosoftGraphWebauthnCredentialCreationOptions.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using DSInternals.Win32.WebAuthn.Serialization;
 
 namespace DSInternals.Win32.WebAuthn.EntraID
 {
@@ -29,7 +30,11 @@ public static MicrosoftGraphWebauthnCredentialCreationOptions Create(string json
                 throw new ArgumentNullException(nameof(json));
             }
 
+            #if NET7_0_OR_GREATER
+            return JsonSerializer.Deserialize(json, WebAuthnJsonSerializerContext.Default.MicrosoftGraphWebauthnCredentialCreationOptions);
+            #else
             return JsonSerializer.Deserialize<MicrosoftGraphWebauthnCredentialCreationOptions>(json);
+            #endif
         }
     }
 }
diff --git a/Src/DSInternals.Win32.WebAuthn/FIDO/AttestedCredentialData.cs b/Src/DSInternals.Win32.WebAuthn/FIDO/AttestedCredentialData.cs
@@ -55,7 +55,7 @@ public AttestedCredentialData(BinaryReader reader)
             }
 
             // First 16 bytes is AAGUID
-            byte[] aaguidBytes = reader.ReadBytes(Marshal.SizeOf(typeof(Guid)));
+            byte[] aaguidBytes = reader.ReadBytes(Marshal.SizeOf<Guid>());
 
             // GUID from authenticator is big endian. If we are on a little endian system, convert.
             this.AaGuid = aaguidBytes.ToGuidBigEndian();

diff --git a/Src/DSInternals.Win32.WebAuthn/Interop/Marshalers/SafeStructArray.cs b/Src/DSInternals.Win32.WebAuthn/Interop/Marshalers/SafeStructArray.cs
@@ -1,10 +1,15 @@
 using System;
 using System.Runtime.InteropServices;
+using System.Diagnostics.CodeAnalysis;
 
 namespace DSInternals.Win32.WebAuthn.Interop
 {
     [StructLayout(LayoutKind.Sequential)]
+#if NET7_0_OR_GREATER
+    internal abstract class SafeStructArrayOut<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors | DynamicallyAccessedMemberTypes.NonPublicConstructors)] T>
+#else
     internal abstract class SafeStructArrayOut<T>
+#endif
     {
         protected int _length;
         protected IntPtr _nativeArray = IntPtr.Zero;

diff --git a/Src/DSInternals.Win32.WebAuthn/Interop/Marshalers/VersionedStructMarshaler.cs b/Src/DSInternals.Win32.WebAuthn/Interop/Marshalers/VersionedStructMarshaler.cs
@@ -1,18 +1,23 @@
 using System;
 using System.Runtime.InteropServices;
+using System.Diagnostics.CodeAnalysis;
 
 namespace DSInternals.Win32.WebAuthn.Interop
 {
     internal static class VersionedStructMarshaler
     {
+#if NET7_0_OR_GREATER
+        public static T PtrToStructure<[DynamicallyAccessedMembers(DynamicallyAccessedMemberTypes.PublicConstructors | DynamicallyAccessedMemberTypes.NonPublicConstructors)] T>(IntPtr ptr, int sourceStructSize) where T : class
+#else
         public static T PtrToStructure<T>(IntPtr ptr, int sourceStructSize) where T : class
+#endif
         {
             if (ptr == IntPtr.Zero || sourceStructSize == 0)
             {
                 return null;
             }
 
-            if(sourceStructSize < 0)
+            if (sourceStructSize < 0)
             {
                 throw new ArgumentOutOfRangeException(nameof(sourceStructSize));
             }

diff --git a/Src/DSInternals.Win32.WebAuthn/Interop/Structs/ClientData.cs b/Src/DSInternals.Win32.WebAuthn/Interop/Structs/ClientData.cs
@@ -3,6 +3,7 @@
 using System.Text;
 using System.Text.Json;
 using DSInternals.Win32.WebAuthn.FIDO;
+using DSInternals.Win32.WebAuthn.Serialization;
 
 namespace DSInternals.Win32.WebAuthn.Interop
 {
@@ -60,7 +61,11 @@ public byte[] ClientDataRaw
 
         public ClientData(CollectedClientData clientData)
         {
+#if NET7_0_OR_GREATER
+            this.ClientDataJson = JsonSerializer.Serialize(clientData, WebAuthnJsonSerializerContext.Default.CollectedClientData);
+#else
             this.ClientDataJson = JsonSerializer.Serialize(clientData);
+#endif
             // Note that SHA-256 is currently hardcoded in Chromium and Firefox.
             this.HashAlgId = ApiConstants.HashAlgorithmSha256;
         }

diff --git a/Src/DSInternals.Win32.WebAuthn/Okta/OktaFido2AuthenticationMethod.cs b/Src/DSInternals.Win32.WebAuthn/Okta/OktaFido2AuthenticationMethod.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using DSInternals.Win32.WebAuthn.Serialization;
 
 
 namespace DSInternals.Win32.WebAuthn.Okta
@@ -93,7 +94,11 @@ public static OktaFido2AuthenticationMethod FromJsonString(string json)
                 throw new ArgumentNullException(nameof(json));
             }
 
+            #if NET7_0_OR_GREATER
+            return JsonSerializer.Deserialize(json, WebAuthnJsonSerializerContext.Default.OktaFido2AuthenticationMethod);
+            #else
             return JsonSerializer.Deserialize<OktaFido2AuthenticationMethod>(json);
+            #endif
         }
         /// <summary>
         /// ID of the Factor

diff --git a/Src/DSInternals.Win32.WebAuthn/Okta/OktaWebauthnAttestationResponse.cs b/Src/DSInternals.Win32.WebAuthn/Okta/OktaWebauthnAttestationResponse.cs
@@ -1,5 +1,6 @@
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using DSInternals.Win32.WebAuthn.Serialization;
 
 namespace DSInternals.Win32.WebAuthn.Okta
 {
@@ -46,7 +47,11 @@ public OktaWebauthnAttestationResponse(PublicKeyCredential publicKeyCredential,
 
         override public string ToString()
         {
+            #if NET7_0_OR_GREATER
+            return JsonSerializer.Serialize(this, WebAuthnJsonSerializerContext.Default.OktaWebauthnAttestationResponse);
+            #else
             return JsonSerializer.Serialize(this);
+            #endif
         }
     }
 }
diff --git a/Src/DSInternals.Win32.WebAuthn/Okta/OktaWebauthnCredentialCreationOptions.cs b/Src/DSInternals.Win32.WebAuthn/Okta/OktaWebauthnCredentialCreationOptions.cs
@@ -1,6 +1,7 @@
 using System;
 using System.Text.Json;
 using System.Text.Json.Serialization;
+using DSInternals.Win32.WebAuthn.Serialization;
 
 namespace DSInternals.Win32.WebAuthn.Okta
 {
@@ -38,7 +39,11 @@ public static OktaWebauthnCredentialCreationOptions Create(string json)
                 throw new ArgumentNullException(nameof(json));
             }
 
+            #if NET7_0_OR_GREATER
+            return JsonSerializer.Deserialize(json, WebAuthnJsonSerializerContext.Default.OktaWebauthnCredentialCreationOptions);
+            #else
             return JsonSerializer.Deserialize<OktaWebauthnCredentialCreationOptions>(json);
+            #endif
         }
     }
 }
diff --git a/Src/DSInternals.Win32.WebAuthn/Serialization/WebAuthnJsonSerializerContext.cs b/Src/DSInternals.Win32.WebAuthn/Serialization/WebAuthnJsonSerializerContext.cs
@@ -0,0 +1,21 @@
+using System;
+using System.Text.Json.Serialization;
+using DSInternals.Win32.WebAuthn.EntraID;
+using DSInternals.Win32.WebAuthn.FIDO;
+using DSInternals.Win32.WebAuthn.Okta;
+
+namespace DSInternals.Win32.WebAuthn.Serialization;
+
+#if NET7_0_OR_GREATER
+[JsonSourceGenerationOptions(WriteIndented = true)]
+[JsonSerializable(typeof(CollectedClientData))]
+[JsonSerializable(typeof(MicrosoftGraphWebauthnAttestationResponse))]
+[JsonSerializable(typeof(MicrosoftGraphWebauthnCredentialCreationOptions))]
+[JsonSerializable(typeof(OktaFido2AuthenticationMethod))]
+[JsonSerializable(typeof(OktaProfile))]
+[JsonSerializable(typeof(OktaWebauthnAttestationResponse))]
+[JsonSerializable(typeof(OktaWebauthnCredentialCreationOptions))]
+internal partial class WebAuthnJsonSerializerContext : JsonSerializerContext
+{
+}
+#endif
diff --git a/Src/Directory.Build.props b/Src/Directory.Build.props
@@ -37,8 +37,9 @@
 
     <!-- Turn off reference assembly generation -->
     <ProduceReferenceAssembly>false</ProduceReferenceAssembly>
-  </PropertyGroup>
 
+  </PropertyGroup>
+
   <!-- Note: Fido2.Models is currently not strong-name signed, so the Adapter DLLs cannot be signed. -->
   <PropertyGroup Condition="
                    '$(Configuration)' == 'Release' AND