SafeEvpPKeyHandle.DuplicateHandle up-refs the handle

As part of the work to enable support for OpenSSL providers, the SafeEvpPKeyHandle.DuplicateHandle() method was changed in a way that affects the ECDsaOpenSsl and RSAOpenSsl constructors that take a SafeEvpPKeyHandle. External modifications of the passed-in handle now also affect the handle stored in instances of those classes.

Previous behavior

DuplicateHandle() created a new EVP_PKEY instance. Modifications to the duplicated key (for example, through direct calls to OpenSSL APIs) did not affect the original key. SafeEvpPKeyHandle.DuplicateHandle was called by the constructors of ECDsaOpenSsl and RSAOpenSsl that take a SafeEvpPKeyHandle.

New behavior

DuplicateHandle() increments the reference count of the existing EVP_PKEY and returns a handle to the same key. As a result, external calls to OpenSSL APIs that modify that EVP_PKEY now also affect the duplicated SafeEvpPKeyHandle and everything built on it, including ECDsaOpenSsl and RSAOpenSsl instances created from such handles.

Version introduced

.NET 9 Preview 7

Type of breaking change

This change is a behavioral change.

Reason for change

This change was made to enable support for OpenSSL providers. As a side effect, it also brings some performance improvements, since no key copy is made.

Recommended action

Avoid modifying an EVP_PKEY after passing it to .NET APIs. If you can't avoid modifying it, create your own copy of the EVP_PKEY (that is, copy the key parameters into a new EVP_PKEY instance) and hand the copy to .NET.
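The following is an added example, not code from the .NET documentation, showing one way to obtain an independent key when the EVP_PKEY behind a SafeEvpPKeyHandle may be modified by native code later. It assumes a software-backed RSA key; the handle is produced here from a fresh RSAOpenSsl only so the sample is self-contained, whereas in practice it would come from your own OpenSSL interop.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

static class IndependentKeyCopy
{
    // Round-trips the key material through RSAParameters so the returned RSA
    // owns a brand-new EVP_PKEY instead of sharing the ref-counted one behind
    // 'handle'. Caveat: this only works for keys whose private parameters are
    // exportable; engine- or provider-backed keys may refuse the export.
    static RSA MakeIndependentCopy(SafeEvpPKeyHandle handle)
    {
        // On .NET 9 Preview 7 and later this instance shares the same EVP_PKEY
        // as 'handle' (the handle is only up-ref'd, not copied).
        using RSAOpenSsl sharedView = new RSAOpenSsl(handle);
        RSAParameters parameters = sharedView.ExportParameters(includePrivateParameters: true);

        RSA copy = new RSAOpenSsl();          // fresh EVP_PKEY, not tied to 'handle'
        copy.ImportParameters(parameters);
        return copy;
    }

    static void Main()
    {
        // Constructed stand-in for a handle received from native code.
        using RSAOpenSsl origin = new RSAOpenSsl(2048);
        using SafeEvpPKeyHandle sharedHandle = origin.DuplicateKeyHandle();

        using RSA independent = MakeIndependentCopy(sharedHandle);

        // Anything signed by the copy must still verify against the shared key,
        // which demonstrates that the copy carries the same key material.
        byte[] data = Encoding.UTF8.GetBytes("payload signed with the copied key");
        byte[] signature = independent.SignData(data, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);

        using RSAOpenSsl sharedView = new RSAOpenSsl(sharedHandle);
        bool ok = sharedView.VerifyData(data, signature, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
        Console.WriteLine($"Copy verifies against shared key: {ok}");
    }
}
```

After this point, native modifications to the EVP_PKEY behind sharedHandle no longer affect the independent instance, while the RSAOpenSsl objects constructed directly from sharedHandle continue to observe them.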

Affected APIs

The ECDsaOpenSsl and RSAOpenSsl constructors that take a SafeEvpPKeyHandle, and every API that accepts an RSA or ECDsa instance that originates from a SafeEvpPKeyHandle.