introduce optimized IAuthenticatedEncryptor

DeagleGross · DeagleGross · commit ae5bb82c2ded · 2025-07-25T17:19:06.000+02:00
diff --git a/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt b/src/DataProtection/Abstractions/src/PublicAPI.Unshipped.txt
@@ -1,3 +1,4 @@
 #nullable enable
-Microsoft.AspNetCore.DataProtection.IDataProtector.GetProtectedSize(System.ReadOnlySpan<byte> plainText) -> int
-Microsoft.AspNetCore.DataProtection.IDataProtector.TryProtect(System.ReadOnlySpan<byte> plainText, System.Span<byte> destination, out int bytesWritten) -> bool
+Microsoft.AspNetCore.DataProtection.IOptimizedDataProtector
+Microsoft.AspNetCore.DataProtection.IOptimizedDataProtector.GetProtectedSize(System.ReadOnlySpan<byte> plainText) -> int
+Microsoft.AspNetCore.DataProtection.IOptimizedDataProtector.TryProtect(System.ReadOnlySpan<byte> plainText, System.Span<byte> destination, out int bytesWritten) -> bool
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/IAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/IAuthenticatedEncryptor.cs
@@ -32,27 +32,4 @@ public interface IAuthenticatedEncryptor
     /// <returns>The ciphertext blob, including authentication tag.</returns>
     /// <remarks>All cryptography-related exceptions should be homogenized to CryptographicException.</remarks>
     byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData);
-
-#if NET10_0_OR_GREATER
-    /// <summary>
-    /// Returns the size of the encrypted data for a given plaintext length.
-    /// </summary>
-    /// <param name="plainTextLength">Length of the plain text that will be encrypted later</param>
-    /// <returns>The length of the encrypted data</returns>
-    int GetEncryptedSize(int plainTextLength);
-
-    /// <summary>
-    /// Attempts to encrypt and tamper-proof a piece of data.
-    /// </summary>
-    /// <param name="plaintext">The input to encrypt.</param>
-    /// <param name="additionalAuthenticatedData">
-    /// A piece of data which will not be included in
-    /// the returned ciphertext but which will still be covered by the authentication tag.
-    /// This input may be zero bytes in length. The same AAD must be specified in the corresponding decryption call.
-    /// </param>
-    /// <param name="destination">The ciphertext blob, including authentication tag.</param>
-    /// <param name="bytesWritten">When this method returns, the total number of bytes written into destination</param>
-    /// <returns>true if destination is long enough to receive the encrypted data; otherwise, false.</returns>
-    bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
-#endif
 }
diff --git a/src/DataProtection/DataProtection/src/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/AuthenticatedEncryption/IOptimizedAuthenticatedEncryptor.cs
@@ -8,7 +8,12 @@ namespace Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption;
 /// <summary>
 /// An optimized encryptor that can avoid buffer allocations in common code paths.
 /// </summary>
-internal interface IOptimizedAuthenticatedEncryptor : IAuthenticatedEncryptor
+#if NET10_0_OR_GREATER
+public
+#else
+internal
+#endif
+interface IOptimizedAuthenticatedEncryptor : IAuthenticatedEncryptor
 {
     /// <summary>
     /// Encrypts and tamper-proofs a piece of data.
@@ -37,5 +42,28 @@ internal interface IOptimizedAuthenticatedEncryptor : IAuthenticatedEncryptor
     ///
     /// All cryptography-related exceptions should be homogenized to CryptographicException.
     /// </remarks>
-    byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData, uint preBufferSize, uint postBufferSize);
+    internal byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData, uint preBufferSize, uint postBufferSize);
+
+#if NET10_0_OR_GREATER
+    /// <summary>
+    /// Returns the size of the encrypted data for a given plaintext length.
+    /// </summary>
+    /// <param name="plainTextLength">Length of the plain text that will be encrypted later</param>
+    /// <returns>The length of the encrypted data</returns>
+    int GetEncryptedSize(int plainTextLength);
+
+    /// <summary>
+    /// Attempts to encrypt and tamper-proof a piece of data.
+    /// </summary>
+    /// <param name="plaintext">The input to encrypt.</param>
+    /// <param name="additionalAuthenticatedData">
+    /// A piece of data which will not be included in
+    /// the returned ciphertext but which will still be covered by the authentication tag.
+    /// This input may be zero bytes in length. The same AAD must be specified in the corresponding decryption call.
+    /// </param>
+    /// <param name="destination">The ciphertext blob, including authentication tag.</param>
+    /// <param name="bytesWritten">When this method returns, the total number of bytes written into destination</param>
+    /// <returns>true if destination is long enough to receive the encrypted data; otherwise, false.</returns>
+    bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten);
+#endif
 }
diff --git a/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs b/src/DataProtection/DataProtection/src/Managed/AesGcmAuthenticatedEncryptor.cs
@@ -141,46 +141,48 @@ public byte[] Decrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> addition
         }
     }
 
-    public int GetEncryptedSize(int plainTextLength)
-    {
-        // A buffer to hold the key modifier, nonce, encrypted data, and tag.
-        // In GCM, the encrypted output will be the same length as the plaintext input.
-        return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES));
-    }
-
-    public bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+    public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
     {
-        bytesWritten = 0;
+        plaintext.Validate();
+        additionalAuthenticatedData.Validate();
 
         try
         {
-            // Generate random key modifier and nonce
+            // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag.
+            // In GCM, the encrypted output will be the same length as the plaintext input.
+            var retVal = new byte[checked(preBufferSize + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plaintext.Count + TAG_SIZE_IN_BYTES + postBufferSize)];
+            int keyModifierOffset; // position in ciphertext.Array where key modifier begins
+            int nonceOffset; // position in ciphertext.Array where key modifier ends / nonce begins
+            int encryptedDataOffset; // position in ciphertext.Array where nonce ends / encryptedData begins
+            int tagOffset; // position in ciphertext.Array where encrypted data ends
+
+            checked
+            {
+                keyModifierOffset = plaintext.Offset + (int)preBufferSize;
+                nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
+                encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
+                tagOffset = encryptedDataOffset + plaintext.Count;
+            }
+
+            // Randomly generate the key modifier and nonce
             var keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES);
             var nonceBytes = _genRandom.GenRandom(NONCE_SIZE_IN_BYTES);
 
-            // KeyModifier and nonce to destination
-            keyModifier.CopyTo(destination.Slice(bytesWritten, KEY_MODIFIER_SIZE_IN_BYTES));
-            bytesWritten += KEY_MODIFIER_SIZE_IN_BYTES;
-            nonceBytes.CopyTo(destination.Slice(bytesWritten, NONCE_SIZE_IN_BYTES));
-            bytesWritten += NONCE_SIZE_IN_BYTES;
+            Buffer.BlockCopy(keyModifier, 0, retVal, (int)preBufferSize, keyModifier.Length);
+            Buffer.BlockCopy(nonceBytes, 0, retVal, (int)preBufferSize + keyModifier.Length, nonceBytes.Length);
 
-            // At this point, destination := { keyModifier | nonce | _____ | _____ }
+            // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
 
             // Use the KDF to generate a new symmetric block cipher key
             // We'll need a temporary buffer to hold the symmetric encryption subkey
-            Span<byte> decryptedKdk = _keyDerivationKey.Length <= 256
-                ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
-                : new byte[_keyDerivationKey.Length];
-            var derivedKey = _derivedkeySizeInBytes <= 256
-                ? stackalloc byte[256].Slice(0, _derivedkeySizeInBytes)
-                : new byte[_derivedkeySizeInBytes];
-
-            fixed (byte* decryptedKdkUnsafe = decryptedKdk)
+            var decryptedKdk = new byte[_keyDerivationKey.Length];
+            var derivedKey = new byte[_derivedkeySizeInBytes];
+            fixed (byte* __unused__1 = decryptedKdk)
             fixed (byte* __unused__2 = derivedKey)
             {
                 try
                 {
-                    _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
+                    _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
                     ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
                         kdk: decryptedKdk,
                         label: additionalAuthenticatedData,
@@ -189,25 +191,22 @@ public bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> addition
                         operationSubkey: derivedKey,
                         validationSubkey: Span<byte>.Empty /* filling in derivedKey only */ );
 
-                    // Perform GCM encryption. Destination buffer expected structure:
-                    // { keyModifier | nonce | encryptedData | authenticationTag }
-                    var nonce = destination.Slice(KEY_MODIFIER_SIZE_IN_BYTES, NONCE_SIZE_IN_BYTES);
-                    var encrypted = destination.Slice(bytesWritten, plaintext.Length);
-                    var tag = destination.Slice(bytesWritten + plaintext.Length, TAG_SIZE_IN_BYTES);
-
+                    // do gcm
+                    var nonce = new Span<byte>(retVal, nonceOffset, NONCE_SIZE_IN_BYTES);
+                    var tag = new Span<byte>(retVal, tagOffset, TAG_SIZE_IN_BYTES);
+                    var encrypted = new Span<byte>(retVal, encryptedDataOffset, plaintext.Count);
                     using var aes = new AesGcm(derivedKey, TAG_SIZE_IN_BYTES);
                     aes.Encrypt(nonce, plaintext, encrypted, tag);
 
-                    // At this point, destination := { keyModifier | nonce | encryptedData | authenticationTag }
+                    // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
                     // And we're done!
-                    bytesWritten += plaintext.Length + TAG_SIZE_IN_BYTES;
-                    return true;
+                    return retVal;
                 }
                 finally
                 {
                     // delete since these contain secret material
-                    decryptedKdk.Clear();
-                    derivedKey.Clear();
+                    Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
+                    Array.Clear(derivedKey, 0, derivedKey.Length);
                 }
             }
         }
@@ -218,48 +217,50 @@ public bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> addition
         }
     }
 
-    public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData, uint preBufferSize, uint postBufferSize)
+    public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData)
+        => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+
+#if NET10_0_OR_GREATER
+    public int GetEncryptedSize(int plainTextLength)
     {
-        plaintext.Validate();
-        additionalAuthenticatedData.Validate();
+        // A buffer to hold the key modifier, nonce, encrypted data, and tag.
+        // In GCM, the encrypted output will be the same length as the plaintext input.
+        return checked((int)(KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plainTextLength + TAG_SIZE_IN_BYTES));
+    }
+
+    public bool TryEncrypt(ReadOnlySpan<byte> plaintext, ReadOnlySpan<byte> additionalAuthenticatedData, Span<byte> destination, out int bytesWritten)
+    {
+        bytesWritten = 0;
 
         try
         {
-            // Allocate a buffer to hold the key modifier, nonce, encrypted data, and tag.
-            // In GCM, the encrypted output will be the same length as the plaintext input.
-            var retVal = new byte[checked(preBufferSize + KEY_MODIFIER_SIZE_IN_BYTES + NONCE_SIZE_IN_BYTES + plaintext.Count + TAG_SIZE_IN_BYTES + postBufferSize)];
-            int keyModifierOffset; // position in ciphertext.Array where key modifier begins
-            int nonceOffset; // position in ciphertext.Array where key modifier ends / nonce begins
-            int encryptedDataOffset; // position in ciphertext.Array where nonce ends / encryptedData begins
-            int tagOffset; // position in ciphertext.Array where encrypted data ends
-
-            checked
-            {
-                keyModifierOffset = plaintext.Offset + (int)preBufferSize;
-                nonceOffset = keyModifierOffset + KEY_MODIFIER_SIZE_IN_BYTES;
-                encryptedDataOffset = nonceOffset + NONCE_SIZE_IN_BYTES;
-                tagOffset = encryptedDataOffset + plaintext.Count;
-            }
-
-            // Randomly generate the key modifier and nonce
+            // Generate random key modifier and nonce
             var keyModifier = _genRandom.GenRandom(KEY_MODIFIER_SIZE_IN_BYTES);
             var nonceBytes = _genRandom.GenRandom(NONCE_SIZE_IN_BYTES);
 
-            Buffer.BlockCopy(keyModifier, 0, retVal, (int)preBufferSize, keyModifier.Length);
-            Buffer.BlockCopy(nonceBytes, 0, retVal, (int)preBufferSize + keyModifier.Length, nonceBytes.Length);
+            // KeyModifier and nonce to destination
+            keyModifier.CopyTo(destination.Slice(bytesWritten, KEY_MODIFIER_SIZE_IN_BYTES));
+            bytesWritten += KEY_MODIFIER_SIZE_IN_BYTES;
+            nonceBytes.CopyTo(destination.Slice(bytesWritten, NONCE_SIZE_IN_BYTES));
+            bytesWritten += NONCE_SIZE_IN_BYTES;
 
-            // At this point, retVal := { preBuffer | keyModifier | nonce | _____ | _____ | postBuffer }
+            // At this point, destination := { keyModifier | nonce | _____ | _____ }
 
             // Use the KDF to generate a new symmetric block cipher key
             // We'll need a temporary buffer to hold the symmetric encryption subkey
-            var decryptedKdk = new byte[_keyDerivationKey.Length];
-            var derivedKey = new byte[_derivedkeySizeInBytes];
-            fixed (byte* __unused__1 = decryptedKdk)
+            Span<byte> decryptedKdk = _keyDerivationKey.Length <= 256
+                ? stackalloc byte[256].Slice(0, _keyDerivationKey.Length)
+                : new byte[_keyDerivationKey.Length];
+            var derivedKey = _derivedkeySizeInBytes <= 256
+                ? stackalloc byte[256].Slice(0, _derivedkeySizeInBytes)
+                : new byte[_derivedkeySizeInBytes];
+
+            fixed (byte* decryptedKdkUnsafe = decryptedKdk)
             fixed (byte* __unused__2 = derivedKey)
             {
                 try
                 {
-                    _keyDerivationKey.WriteSecretIntoBuffer(new ArraySegment<byte>(decryptedKdk));
+                    _keyDerivationKey.WriteSecretIntoBuffer(decryptedKdkUnsafe, decryptedKdk.Length);
                     ManagedSP800_108_CTR_HMACSHA512.DeriveKeys(
                         kdk: decryptedKdk,
                         label: additionalAuthenticatedData,
@@ -268,22 +269,25 @@ public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additiona
                         operationSubkey: derivedKey,
                         validationSubkey: Span<byte>.Empty /* filling in derivedKey only */ );
 
-                    // do gcm
-                    var nonce = new Span<byte>(retVal, nonceOffset, NONCE_SIZE_IN_BYTES);
-                    var tag = new Span<byte>(retVal, tagOffset, TAG_SIZE_IN_BYTES);
-                    var encrypted = new Span<byte>(retVal, encryptedDataOffset, plaintext.Count);
+                    // Perform GCM encryption. Destination buffer expected structure:
+                    // { keyModifier | nonce | encryptedData | authenticationTag }
+                    var nonce = destination.Slice(KEY_MODIFIER_SIZE_IN_BYTES, NONCE_SIZE_IN_BYTES);
+                    var encrypted = destination.Slice(bytesWritten, plaintext.Length);
+                    var tag = destination.Slice(bytesWritten + plaintext.Length, TAG_SIZE_IN_BYTES);
+
                     using var aes = new AesGcm(derivedKey, TAG_SIZE_IN_BYTES);
                     aes.Encrypt(nonce, plaintext, encrypted, tag);
 
-                    // At this point, retVal := { preBuffer | keyModifier | nonce | encryptedData | authenticationTag | postBuffer }
+                    // At this point, destination := { keyModifier | nonce | encryptedData | authenticationTag }
                     // And we're done!
-                    return retVal;
+                    bytesWritten += plaintext.Length + TAG_SIZE_IN_BYTES;
+                    return true;
                 }
                 finally
                 {
                     // delete since these contain secret material
-                    Array.Clear(decryptedKdk, 0, decryptedKdk.Length);
-                    Array.Clear(derivedKey, 0, derivedKey.Length);
+                    decryptedKdk.Clear();
+                    derivedKey.Clear();
                 }
             }
         }
@@ -293,9 +297,7 @@ public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additiona
             throw Error.CryptCommon_GenericError(ex);
         }
     }
-
-    public byte[] Encrypt(ArraySegment<byte> plaintext, ArraySegment<byte> additionalAuthenticatedData)
-        => Encrypt(plaintext, additionalAuthenticatedData, 0, 0);
+#endif
 
     public void Dispose()
     {
diff --git a/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt b/src/DataProtection/DataProtection/src/PublicAPI.Unshipped.txt
@@ -1,3 +1,4 @@
 #nullable enable
-Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor.GetEncryptedSize(int plainTextLength) -> int
-Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IAuthenticatedEncryptor.TryEncrypt(System.ReadOnlySpan<byte> plaintext, System.ReadOnlySpan<byte> additionalAuthenticatedData, System.Span<byte> destination, out int bytesWritten) -> bool
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor.GetEncryptedSize(int plainTextLength) -> int
+Microsoft.AspNetCore.DataProtection.AuthenticatedEncryption.IOptimizedAuthenticatedEncryptor.TryEncrypt(System.ReadOnlySpan<byte> plaintext, System.ReadOnlySpan<byte> additionalAuthenticatedData, System.Span<byte> destination, out int bytesWritten) -> bool
