breaking change: X509Certificate and PublicKey key parameters can be null (#45343)

CamSoper · web-flow · commit e7f04ed3e10c · 2025-03-13T23:43:54.000Z
* Add documentation for breaking change: X509Certificate and PublicKey key parameters can be null * Revert "Add documentation for breaking change: X509Certificate and PublicKey key parameters can be null" This reverts commit 96e0acd. * [Breaking change]: X509Certificate and PublicKey key parameters can be null Fixes #45325 * whoops, thanks @adegeo
diff --git a/docs/core/compatibility/10.0.md b/docs/core/compatibility/10.0.md
@@ -41,10 +41,11 @@ If you're migrating an app to .NET 10, the breaking changes listed here might af
 
 ## Cryptography
 
-| Title                                                                                                      | Type of change    | Introduced version |
-|------------------------------------------------------------------------------------------------------------|-------------------|--------------------|
-| [X500DistinguishedName validation is stricter](cryptography/10.0/x500distinguishedname-validation.md)      | Behavioral change | Preview 1          |
-| [Environment variable renamed to DOTNET_OPENSSL_VERSION_OVERRIDE](cryptography/10.0/version-override.md)   | Behavioral change | Preview 1          |
+| Title                                                                                                    | Type of change                        | Introduced version |
+|----------------------------------------------------------------------------------------------------------|---------------------------------------|--------------------|
+| [X500DistinguishedName validation is stricter](cryptography/10.0/x500distinguishedname-validation.md)    | Behavioral change                     | Preview 1          |
+| [X509Certificate and PublicKey key parameters can be null](cryptography/10.0/x509-publickey-null.md)     | Behavioral/source incompatible change | Preview 3          |
+| [Environment variable renamed to DOTNET_OPENSSL_VERSION_OVERRIDE](cryptography/10.0/version-override.md) | Behavioral change                     | Preview 1          |
 
 ## SDK
 
diff --git a/docs/core/compatibility/cryptography/10.0/x509-publickey-null.md b/docs/core/compatibility/cryptography/10.0/x509-publickey-null.md
@@ -0,0 +1,60 @@
+---
+title: "Breaking change - X509Certificate and PublicKey key parameters can be null"
+description: "Learn about the breaking change in .NET 10 Preview 3 where key parameters in X509Certificate and PublicKey can be null."
+ms.date: 3/13/2025
+ai-usage: ai-assisted
+ms.custom: https://github.com/dotnet/docs/issues/45325
+---
+
+# X509Certificate and PublicKey key parameters can be null
+
+In .NET 10, the behavior of <xref:System.Security.Cryptography.X509Certificates.X509Certificate> and <xref:System.Security.Cryptography.X509Certificates.PublicKey> has changed. When these objects contain a key without algorithm parameters, they now return `null` instead of an empty array.
+
+## Version introduced
+
+.NET 10 Preview 3
+
+## Previous behavior
+
+<xref:System.Security.Cryptography.X509Certificates.X509Certificate> or <xref:System.Security.Cryptography.X509Certificates.PublicKey> objects that contained a key without algorithm parameters would return an empty array when accessing the key algorithm parameters.
+
+```csharp
+byte[] parameters = certificate.GetKeyAlgorithmParameters();
+// parameters would be an empty array if no algorithm parameters were present
+```
+
+## New behavior
+
+<xref:System.Security.Cryptography.X509Certificates.X509Certificate> or <xref:System.Security.Cryptography.X509Certificates.PublicKey> objects that contain a key without algorithm parameters will return `null` when accessing the key algorithm parameters.
+
+```csharp
+byte[] parameters = certificate.GetKeyAlgorithmParameters();
+// parameters will be null if no algorithm parameters are present
+```
+
+## Type of breaking change
+
+This is both a [behavioral](../../categories.md#behavioral-change) and [source compatibility](../../categories.md#source-compatibility) change.
+
+## Reason for change
+
+The <xref:System.Security.Cryptography.X509Certificates.X509Certificate>, <xref:System.Security.Cryptography.X509Certificates.X509Certificate2>, and <xref:System.Security.Cryptography.X509Certificates.PublicKey> classes expose information about the *Subject Public Key Info*. One of the properties of the *Subject Public Key Info* is the parameters for the algorithm. A *Subject Public Key Info* is not required to contain algorithm parameters. Previously, this was represented as an empty byte array, which is not valid ASN.1. Attempting to encode or decode it would result in an exception. To more clearly represent absent key parameters, `null` is now returned, and the members that return algorithm parameters have been annotated to return nullable values.
+
+## Recommended action
+
+When accessing a member that returns information about a subject public key info's algorithm parameters, expect the member to possibly return `null` and handle the `null` value accordingly.
+
+```csharp
+byte[] parameters = certificate.GetKeyAlgorithmParameters();
+if (parameters == null)
+{
+    // Handle the absence of algorithm parameters
+}
+```
+
+## Affected APIs
+
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.GetKeyAlgorithmParameters?displayProperty=fullName>
+- <xref:System.Security.Cryptography.X509Certificates.X509Certificate.GetKeyAlgorithmParametersString?displayProperty=fullName>
+- <xref:System.Security.Cryptography.X509Certificates.PublicKey.%23ctor(System.Security.Cryptography.Oid,System.Security.Cryptography.AsnEncodedData,System.Security.Cryptography.AsnEncodedData)?displayProperty=fullName>
+- <xref:System.Security.Cryptography.X509Certificates.PublicKey.EncodedParameters?displayProperty=fullName>
diff --git a/docs/core/compatibility/toc.yml b/docs/core/compatibility/toc.yml
@@ -32,6 +32,8 @@ items:
             items:
               - name: X500DistinguishedName validation is stricter
                 href: cryptography/10.0/x500distinguishedname-validation.md
+              - name: X509Certificate and PublicKey key parameters can be null
+                href: cryptography/10.0/x509-publickey-null.md
               - name: Environment variable renamed to DOTNET_OPENSSL_VERSION_OVERRIDE
                 href: cryptography/10.0/version-override.md
           - name: Globalization
@@ -1618,6 +1620,8 @@ items:
             items:
               - name: X500DistinguishedName validation is stricter
                 href: cryptography/10.0/x500distinguishedname-validation.md
+              - name: X509Certificate and PublicKey key parameters can be null
+                href: cryptography/10.0/x509-publickey-null.md
               - name: Environment variable renamed to DOTNET_OPENSSL_VERSION_OVERRIDE
                 href: cryptography/10.0/version-override.md
           - name: .NET 9
