Support CSFLE with .NET Framework 4.6.2+ (#2506)

rayokota · web-flow · commit 0a1b1d8ef744 · 2025-08-06T14:13:49.000-07:00
* Support CSFLE with .NET Framework 4.6.2

* Add hcvault

* Add netstandard2.1 for CSFLE
diff --git a/src/Confluent.SchemaRegistry.Encryption.Aws/Confluent.SchemaRegistry.Encryption.Aws.csproj b/src/Confluent.SchemaRegistry.Encryption.Aws/Confluent.SchemaRegistry.Encryption.Aws.csproj
@@ -16,7 +16,7 @@
         <Title>Confluent.SchemaRegistry.Encryption.Aws</Title>
         <AssemblyName>Confluent.SchemaRegistry.Encryption.Aws</AssemblyName>
         <VersionPrefix>2.11.0</VersionPrefix>
-        <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+        <TargetFrameworks>netstandard2.1;net462;net6.0;net8.0</TargetFrameworks>
         <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
         <SignAssembly>true</SignAssembly>
diff --git a/src/Confluent.SchemaRegistry.Encryption.Azure/Confluent.SchemaRegistry.Encryption.Azure.csproj b/src/Confluent.SchemaRegistry.Encryption.Azure/Confluent.SchemaRegistry.Encryption.Azure.csproj
@@ -16,7 +16,7 @@
         <Title>Confluent.SchemaRegistry.Encryption.Azure</Title>
         <AssemblyName>Confluent.SchemaRegistry.Encryption.Azure</AssemblyName>
         <VersionPrefix>2.11.0</VersionPrefix>
-        <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+        <TargetFrameworks>netstandard2.1;net462;net6.0;net8.0</TargetFrameworks>
         <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
         <SignAssembly>true</SignAssembly>
diff --git a/src/Confluent.SchemaRegistry.Encryption.Gcp/Confluent.SchemaRegistry.Encryption.Gcp.csproj b/src/Confluent.SchemaRegistry.Encryption.Gcp/Confluent.SchemaRegistry.Encryption.Gcp.csproj
@@ -16,7 +16,7 @@
         <Title>Confluent.SchemaRegistry.Encryption.Gcp</Title>
         <AssemblyName>Confluent.SchemaRegistry.Encryption.Gcp</AssemblyName>
         <VersionPrefix>2.11.0</VersionPrefix>
-        <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+        <TargetFrameworks>netstandard2.1;net462;net6.0;net8.0</TargetFrameworks>
         <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
         <SignAssembly>true</SignAssembly>
diff --git a/src/Confluent.SchemaRegistry.Encryption.HcVault/Confluent.SchemaRegistry.Encryption.HcVault.csproj b/src/Confluent.SchemaRegistry.Encryption.HcVault/Confluent.SchemaRegistry.Encryption.HcVault.csproj
@@ -16,7 +16,7 @@
         <Title>Confluent.SchemaRegistry.Encryption.HcVault</Title>
         <AssemblyName>Confluent.SchemaRegistry.Encryption.HcVault</AssemblyName>
         <VersionPrefix>2.11.0</VersionPrefix>
-        <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+        <TargetFrameworks>netstandard2.1;net462;net6.0;net8.0</TargetFrameworks>
         <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
         <SignAssembly>true</SignAssembly>
diff --git a/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs b/src/Confluent.SchemaRegistry.Encryption.HcVault/HcVaultKmsClient.cs
@@ -36,8 +36,8 @@ public HcVaultKmsClient(string kekId, string ns, string tokenId)
             {
               throw new ArgumentException(string.Format($"key URI must contain a key name"));
             }
-            keyName = uri.Segments[^1];
-            
+            keyName = uri.Segments[uri.Segments.Length - 1];
+
             var vaultClientSettings = new VaultClientSettings(uri.Scheme + "://" + uri.Authority, authMethod);
             if (ns != null)
             {
diff --git a/src/Confluent.SchemaRegistry.Encryption/Confluent.SchemaRegistry.Encryption.csproj b/src/Confluent.SchemaRegistry.Encryption/Confluent.SchemaRegistry.Encryption.csproj
@@ -16,7 +16,7 @@
         <Title>Confluent.SchemaRegistry.Encryption</Title>
         <AssemblyName>Confluent.SchemaRegistry.Encryption</AssemblyName>
         <VersionPrefix>2.11.0</VersionPrefix>
-        <TargetFrameworks>net6.0;net8.0</TargetFrameworks>
+        <TargetFrameworks>netstandard2.1;net462;net6.0;net8.0</TargetFrameworks>
         <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
         <GenerateDocumentationFile>true</GenerateDocumentationFile>
         <SignAssembly>true</SignAssembly>
@@ -27,6 +27,10 @@
         <ProjectReference Include="..\Confluent.SchemaRegistry\Confluent.SchemaRegistry.csproj" />
     </ItemGroup>
 
+    <ItemGroup Condition="'$(TargetFramework)' == 'net462'">
+        <PackageReference Include="Microsoft.Bcl.Cryptography" Version="10.0.0-preview.6.25358.103" />
+    </ItemGroup>
+
     <ItemGroup>
         <PackageReference Include="Google.Protobuf" Version="3.26.1" />
         <PackageReference Include="HKDF.Standard" Version="2.0.0" />
diff --git a/src/Confluent.SchemaRegistry.Encryption/Cryptor.cs b/src/Confluent.SchemaRegistry.Encryption/Cryptor.cs
@@ -117,10 +117,17 @@ public byte[] DecryptWithAesSiv(byte[] key, byte[] ciphertext)
 
         static byte[] EncryptWithAesGcm(byte[] key, byte[] plaintext)
         {
+#if NET462
+            using (var aes = new AesGcm(key, AesGcm.TagByteSizes.MaxSize))
+#else
             using (var aes = new AesGcm(key))
+#endif
             {
                 var nonce = new byte[AesGcm.NonceByteSizes.MaxSize];
-                RandomNumberGenerator.Fill(nonce);
+                using (var rng = RandomNumberGenerator.Create())
+                {
+                    rng.GetBytes(nonce);
+                }
 
                 var tag = new byte[AesGcm.TagByteSizes.MaxSize];
                 var ciphertext = new byte[plaintext.Length];
@@ -156,7 +163,11 @@ static byte[] DecryptWithAesGcm(byte[] key, byte[] payload)
                 }
             }
 
+#if NET462
+            using (var aes = new AesGcm(key, AesGcm.TagByteSizes.MaxSize))
+#else
             using (var aes = new AesGcm(key))
+#endif
             {
                 var plaintextBytes = new byte[ciphertext.Length];
 
diff --git a/src/Confluent.SchemaRegistry.Serdes.Avro/Confluent.SchemaRegistry.Serdes.Avro.csproj b/src/Confluent.SchemaRegistry.Serdes.Avro/Confluent.SchemaRegistry.Serdes.Avro.csproj
@@ -16,7 +16,7 @@
     <Title>Confluent.SchemaRegistry.Serdes.Avro</Title>
     <AssemblyName>Confluent.SchemaRegistry.Serdes.Avro</AssemblyName>
     <VersionPrefix>2.11.0</VersionPrefix>
-    <TargetFrameworks>netstandard2.0;net6.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>netstandard2.0;net462;net6.0;net8.0</TargetFrameworks>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <SignAssembly>true</SignAssembly>
@@ -32,7 +32,7 @@
     <ProjectReference Include="..\Confluent.SchemaRegistry\Confluent.SchemaRegistry.csproj" />
   </ItemGroup>
 
-  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' ">
+  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' or '$(TargetFramework)' == 'net462'">
     <PackageReference Include="System.Net.Sockets" Version="4.3.0" />
     <PackageReference Include="System.Net.NameResolution" Version="4.3.0" />
   </ItemGroup>
diff --git a/src/Confluent.SchemaRegistry.Serdes.Json/Confluent.SchemaRegistry.Serdes.Json.csproj b/src/Confluent.SchemaRegistry.Serdes.Json/Confluent.SchemaRegistry.Serdes.Json.csproj
@@ -16,7 +16,7 @@
     <Title>Confluent.SchemaRegistry.Serdes.Json</Title>
     <AssemblyName>Confluent.SchemaRegistry.Serdes.Json</AssemblyName>
     <VersionPrefix>2.11.0</VersionPrefix>
-    <TargetFrameworks>netstandard2.0;net6.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>netstandard2.0;net462;net6.0;net8.0</TargetFrameworks>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <SignAssembly>true</SignAssembly>
@@ -35,7 +35,7 @@
     <ProjectReference Include="..\Confluent.SchemaRegistry\Confluent.SchemaRegistry.csproj" />
   </ItemGroup>
 
-  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' ">
+  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' or '$(TargetFramework)' == 'net462'">
     <PackageReference Include="System.Net.Sockets" Version="4.3.0" />
     <PackageReference Include="System.Net.NameResolution" Version="4.3.0" />
   </ItemGroup>
diff --git a/src/Confluent.SchemaRegistry.Serdes.Protobuf/Confluent.SchemaRegistry.Serdes.Protobuf.csproj b/src/Confluent.SchemaRegistry.Serdes.Protobuf/Confluent.SchemaRegistry.Serdes.Protobuf.csproj
@@ -17,7 +17,7 @@
     <Title>Confluent.SchemaRegistry.Serdes.Protobuf</Title>
     <AssemblyName>Confluent.SchemaRegistry.Serdes.Protobuf</AssemblyName>
     <VersionPrefix>2.11.0</VersionPrefix>
-    <TargetFrameworks>netstandard2.0;net6.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>netstandard2.0;net462;net6.0;net8.0</TargetFrameworks>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <SignAssembly>true</SignAssembly>
@@ -41,7 +41,7 @@
     <ProjectReference Include="..\Confluent.SchemaRegistry\Confluent.SchemaRegistry.csproj" />
   </ItemGroup>
 
-  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' ">
+  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' or '$(TargetFramework)' == 'net462'">
     <PackageReference Include="System.Net.Sockets" Version="4.3.0" />
     <PackageReference Include="System.Net.NameResolution" Version="4.3.0" />
   </ItemGroup>
diff --git a/src/Confluent.SchemaRegistry/Confluent.SchemaRegistry.csproj b/src/Confluent.SchemaRegistry/Confluent.SchemaRegistry.csproj
@@ -17,7 +17,7 @@
     <Title>Confluent.SchemaRegistry</Title>
     <AssemblyName>Confluent.SchemaRegistry</AssemblyName>
     <VersionPrefix>2.11.0</VersionPrefix>
-    <TargetFrameworks>netstandard2.0;net6.0;net8.0</TargetFrameworks>
+    <TargetFrameworks>netstandard2.0;net462;net6.0;net8.0</TargetFrameworks>
     <AllowUnsafeBlocks>true</AllowUnsafeBlocks>
     <GenerateDocumentationFile>true</GenerateDocumentationFile>
     <SignAssembly>true</SignAssembly>
@@ -28,7 +28,7 @@
     <ProjectReference Include="..\Confluent.Kafka\Confluent.Kafka.csproj" />
   </ItemGroup>
 
-  <ItemGroup  Condition=" '$(TargetFramework)' == 'netstandard2.0' ">
+  <ItemGroup Condition=" '$(TargetFramework)' == 'netstandard2.0' or '$(TargetFramework)' == 'net462'">
     <PackageReference Include="Microsoft.Bcl.HashCode" Version="6.0.0" />
     <PackageReference Include="System.Net.Http" Version="4.3.4" />
   </ItemGroup>

Original file line number	Diff line number	Diff line change
`@@ -36,8 +36,8 @@ public HcVaultKmsClient(string kekId, string ns, string tokenId)`
`36`	`36`	`{`
`37`	`37`	`throw new ArgumentException(string.Format($"key URI must contain a key name"));`
`38`	`38`	`}`
`39`		`- keyName = uri.Segments[^1];`
`40`		`-`
	`39`	`+ keyName = uri.Segments[uri.Segments.Length - 1];`
	`40`	`+`
`41`	`41`	`var vaultClientSettings = new VaultClientSettings(uri.Scheme + "://" + uri.Authority, authMethod);`
`42`	`42`	`if (ns != null)`
`43`	`43`	`{`
Original file line number	Diff line number	Diff line change
`@@ -117,10 +117,17 @@ public byte[] DecryptWithAesSiv(byte[] key, byte[] ciphertext)`
`117`	`117`
`118`	`118`	`static byte[] EncryptWithAesGcm(byte[] key, byte[] plaintext)`
`119`	`119`	`{`
	`120`	`+#if NET462`
	`121`	`+ using (var aes = new AesGcm(key, AesGcm.TagByteSizes.MaxSize))`
	`122`	`+#else`
`120`	`123`	`using (var aes = new AesGcm(key))`
	`124`	`+#endif`
`121`	`125`	`{`
`122`	`126`	`var nonce = new byte[AesGcm.NonceByteSizes.MaxSize];`
`123`		`- RandomNumberGenerator.Fill(nonce);`
	`127`	`+ using (var rng = RandomNumberGenerator.Create())`
	`128`	`+ {`
	`129`	`+ rng.GetBytes(nonce);`
	`130`	`+ }`
`124`	`131`
`125`	`132`	`var tag = new byte[AesGcm.TagByteSizes.MaxSize];`
`126`	`133`	`var ciphertext = new byte[plaintext.Length];`
`@@ -156,7 +163,11 @@ static byte[] DecryptWithAesGcm(byte[] key, byte[] payload)`
`156`	`163`	`}`
`157`	`164`	`}`
`158`	`165`
	`166`	`+#if NET462`
	`167`	`+ using (var aes = new AesGcm(key, AesGcm.TagByteSizes.MaxSize))`
	`168`	`+#else`
`159`	`169`	`using (var aes = new AesGcm(key))`
	`170`	`+#endif`
`160`	`171`	`{`
`161`	`172`	`var plaintextBytes = new byte[ciphertext.Length];`
`162`	`173`