introduce IOptimizedDataProtector

Author: DeagleGross

src/DataProtection/Abstractions/src/IDataProtector.cs

@@ -27,22 +27,4 @@ public interface IDataProtector : IDataProtectionProvider
     /// Thrown if the protected data is invalid or malformed.
     /// </exception>
     byte[] Unprotect(byte[] protectedData);
-
-#if NET10_0_OR_GREATER
-    /// <summary>
-    /// Returns the size of the encrypted data for a given plaintext length.
-    /// </summary>
-    /// <param name="plainText">The plain text that will be encrypted later</param>
-    /// <returns>The length of the encrypted data</returns>
-    int GetProtectedSize(ReadOnlySpan<byte> plainText);
-
-    /// <summary>
-    /// Attempts to encrypt and tamper-proof a piece of data.
-    /// </summary>
-    /// <param name="plainText">The input to encrypt.</param>
-    /// <param name="destination">The ciphertext blob, including authentication tag.</param>
-    /// <param name="bytesWritten">When this method returns, the total number of bytes written into destination</param>
-    /// <returns>true if destination is long enough to receive the encrypted data; otherwise, false.</returns>
-    bool TryProtect(ReadOnlySpan<byte> plainText, Span<byte> destination, out int bytesWritten);
-#endif
 }

src/DataProtection/Abstractions/src/IOptimizedDataProtector.cs

@@ -0,0 +1,37 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+using System;
+using System.Collections.Generic;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+
+namespace Microsoft.AspNetCore.DataProtection;
+
+#if NET10_0_OR_GREATER
+
+/// <summary>
+/// An interface that can provide data protection services.
+/// Is an optimized version of <see cref="IDataProtector"/>.
+/// </summary>
+public interface IOptimizedDataProtector : IDataProtector
+{
+    /// <summary>
+    /// Returns the size of the encrypted data for a given plaintext length.
+    /// </summary>
+    /// <param name="plainText">The plain text that will be encrypted later</param>
+    /// <returns>The length of the encrypted data</returns>
+    int GetProtectedSize(ReadOnlySpan<byte> plainText);
+
+    /// <summary>
+    /// Attempts to encrypt and tamper-proof a piece of data.
+    /// </summary>
+    /// <param name="plainText">The input to encrypt.</param>
+    /// <param name="destination">The ciphertext blob, including authentication tag.</param>
+    /// <param name="bytesWritten">When this method returns, the total number of bytes written into destination</param>
+    /// <returns>true if destination is long enough to receive the encrypted data; otherwise, false.</returns>
+    bool TryProtect(ReadOnlySpan<byte> plainText, Span<byte> destination, out int bytesWritten);
+}
+
+#endif

src/DataProtection/DataProtection/src/KeyManagement/KeyRingBasedDataProtector.cs

@@ -22,6 +22,9 @@
 namespace Microsoft.AspNetCore.DataProtection.KeyManagement;
 
 internal sealed unsafe class KeyRingBasedDataProtector : IDataProtector, IPersistedDataProtector
+#if NET10_0_OR_GREATER
+    , IOptimizedDataProtector
+#endif
 {
     // This magic header identifies a v0 protected data blob. It's the high 28 bits of the SHA1 hash of
     // "Microsoft.AspNet.DataProtection.KeyManagement.KeyRingBasedDataProtector" [US-ASCII], big-endian.

src/DataProtection/Extensions/src/DataProtectionAdvancedExtensions.cs

@@ -97,6 +97,9 @@ public static string Unprotect(this ITimeLimitedDataProtector protector, string
     }
 
     private sealed class TimeLimitedWrappingProtector : IDataProtector
+#if NET10_0_OR_GREATER
+    , IOptimizedDataProtector
+#endif
     {
         public DateTimeOffset Expiration;
         private readonly ITimeLimitedDataProtector _innerProtector;
@@ -128,8 +131,25 @@ public byte[] Unprotect(byte[] protectedData)
         }
 
 #if NET10_0_OR_GREATER
-        public int GetProtectedSize(ReadOnlySpan<byte> plainText) => _innerProtector.GetProtectedSize(plainText);
-        public bool TryProtect(ReadOnlySpan<byte> plainText, Span<byte> destination, out int bytesWritten) => _innerProtector.TryProtect(plainText, destination, out bytesWritten);
+        public int GetProtectedSize(ReadOnlySpan<byte> plainText)
+        {
+            if (_innerProtector is IOptimizedDataProtector optimizedDataProtector)
+            {
+                return optimizedDataProtector.GetProtectedSize(plainText);
+            }
+
+            throw new NotSupportedException("The inner protector does not support optimized data protection.");
+        }
+
+        public bool TryProtect(ReadOnlySpan<byte> plainText, Span<byte> destination, out int bytesWritten)
+        {
+            if (_innerProtector is IOptimizedDataProtector optimizedDataProtector)
+            {
+                return optimizedDataProtector.TryProtect(plainText, destination, out bytesWritten);
+            }
+
+            throw new NotSupportedException("The inner protector does not support optimized data protection.");
+        }
 #endif
     }
 }

src/DataProtection/Extensions/src/TimeLimitedDataProtector.cs

@@ -17,6 +17,9 @@ namespace Microsoft.AspNetCore.DataProtection;
 /// protecting data with a finite lifetime.
 /// </summary>
 internal sealed class TimeLimitedDataProtector : ITimeLimitedDataProtector
+#if NET10_0_OR_GREATER
+    , IOptimizedDataProtector
+#endif
 {
     private const string MyPurposeString = "Microsoft.AspNetCore.DataProtection.TimeLimitedDataProtector.v1";
 
@@ -134,18 +137,28 @@ byte[] IDataProtector.Unprotect(byte[] protectedData)
     public int GetProtectedSize(ReadOnlySpan<byte> plainText)
     {
         var dataProtector = GetInnerProtectorWithTimeLimitedPurpose();
-        var size = dataProtector.GetProtectedSize(plainText);
+        if (dataProtector is IOptimizedDataProtector optimizedDataProtector)
+        {
+            var size = optimizedDataProtector.GetProtectedSize(plainText);
+
+            // prepended the expiration time as a 64-bit UTC tick count takes ExpirationTimeHeaderSize bytes;
+            // see Protect(byte[] plaintext, DateTimeOffset expiration) for details
+            return size + ExpirationTimeHeaderSize;
+        }
 
-        // prepended the expiration time as a 64-bit UTC tick count takes ExpirationTimeHeaderSize bytes;
-        // see Protect(byte[] plaintext, DateTimeOffset expiration) for details
-        return size + ExpirationTimeHeaderSize;
+        throw new NotSupportedException("The inner protector does not support optimized data protection.");
     }
 
     public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, out int bytesWritten)
         => TryProtect(plaintext, destination, DateTimeOffset.MaxValue, out bytesWritten);
 
     public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, DateTimeOffset expiration, out int bytesWritten)
     {
+        if (_innerProtector is not IOptimizedDataProtector optimizedDataProtector)
+        {
+            throw new NotSupportedException("The inner protector does not support optimized data protection.");
+        }
+
         // we need to prepend the expiration time, so we need to allocate a buffer for the plaintext with header
         byte[]? plainTextWithHeader = null;
         try
@@ -159,7 +172,7 @@ public bool TryProtect(ReadOnlySpan<byte> plaintext, Span<byte> destination, Dat
             // and copy the plaintext into the buffer
             plaintext.CopyTo(plainTextWithHeaderSpan.Slice(ExpirationTimeHeaderSize));
 
-            return _innerProtector.TryProtect(plainTextWithHeaderSpan, destination, out bytesWritten);
+            return optimizedDataProtector.TryProtect(plainTextWithHeaderSpan, destination, out bytesWritten);
         }
         finally
         {