Use `ref struct` key loaders by vcsjones · Pull Request #125528 · dotnet/runtime

vcsjones · 2026-03-13T17:30:06Z

This moves a significant portion of our ASN.1 reading logic, particularly around key loaders, to use the new ref struct Value loaders. There are several other supporting changes to make this work

The emitted ref struct loaders now also support Encode members on the XSLT. We use this in several places for key loading (for example, when we load an RSAPublicKey, it gets wrapped in a SubjectPublicKeyInfo for the platform to decode).
The asn:Choice had its validation moved to another file-scoped validator. It uses a static constructor that is triggered by a call to an empty method. This is so that if the emitType="both" the validation logic only happens once.
Many of the ASN.1 are now ref emitted only as they no longer have any "regular" struct loads.
The overall intention of this is to get rid of most usages of PointerMemoryManager. It still has some uses in PKCS#12, but that will be a follow up pull request.

Move the #if DEBUG ensureUniqueTag validation from the Choice struct's static constructor into a separate file static class (Validate<Name>) that is emitted regardless of emitType. This ensures tag uniqueness validation runs even for ref-only Choice types like MLKemPrivateKeyAsn. The entire Validate class is wrapped in #if DEBUG so it is completely absent in release builds. The class uses the Validate prefix (not Shared) to avoid any potential collision with the Shared<Name> class used for defaultDerInit in Sequence types. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

dotnet-policy-service · 2026-03-13T17:31:46Z

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

Copilot

Pull request overview

This PR migrates key-loading and ASN.1 handling across cryptography components to use ref struct / Value* ASN loaders, reducing PointerMemoryManager usage and enabling Encode support on the emitted Value* types.

Changes:

Switched multiple key import/export paths (RSA/ECC/PKCS#8/SPKI/PBE) to span-based Value* ASN decoding/encoding.
Updated ASN.1 XSLT emission to generate Encode methods for Value* types and moved Choice validation into file-scoped debug validators.
Simplified/removed PointerMemoryManager usag 8000 e in several hot paths (RSA/ECC/KeyFormatHelper).

Reviewed changes

Copilot reviewed 90 out of 90 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs	Uses `ValuePssParamsAsn` / `ValueAlgorithmIdentifierAsn` to build RSA-PSS AlgorithmIdentifier.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/TimeAsn.xml.cs	Moves DEBUG choice/tag validation to file-scoped validator; keeps struct shape.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/DistributionPointNameAsn.xml.cs	Same validator refactor pattern for generated ASN.1 type.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/CertificationRequestInfoAsn.xml.cs	Adds `Encode` for value/ref emitted `CertificationRequestInfo`.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSA.cs	Removes `PointerMemoryManager` usage, switches to span-based helpers for import.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/KeyBlobHelpers.cs	Adds span overloads to reduce allocations and improve interop compatibility.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/EccKeyFormatHelper.cs	Converts ECC key parsing to `Value*` ASN types and span-based decoding.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.RSA.cs	Updates PSS parameter parsing to `ValuePssParamsAsn`.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/SignedAttributesSet.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/Rfc3161TstInfo.xml.cs	Adds `Encode` for value/ref emitted RFC3161 TST info.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientInfoAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientIdentifierAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/OriginatorIdentifierOrKeyAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/MessageImprint.xml.cs	Adds `Encode` for value/ref emitted MessageImprint.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/KeyAgreeRecipientIdentifierAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs	Uses value/ref ASN decoding for PKCS#12 PBE parameter parsing.
src/libraries/Common/src/System/Security/Cryptography/SlhDsa.cs	Updates KeyFormatHelper callbacks to span + value AlgorithmIdentifier.
src/libraries/Common/src/System/Security/Cryptography/RSAOpenSsl.cs	Uses span-based PKCS#8/SPKI parsing and value/ref ASN decoders.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.cs	Converts helpers to span-based and value/ref ASN decoding.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.Pkcs1.cs	Converts PKCS#1 parsing to `ValueRSAPrivateKeyAsn`/`ValueRSAPublicKeyAsn`.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.macOS.cs	Uses `ValueAlgorithmIdentifierAsn` with new helpers.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.cs	Removes `PointerMemoryManager` from RSA public key import, uses spans.
src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs	Rebuilds SPKI using `ValueSubjectPublicKeyInfoAsn` for Android decode.
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs	Adds `ValueAlgorithmIdentifierAsn` decrypt entrypoint and span-based parameter plumbing.
src/libraries/Common/src/System/Security/Cryptography/MLKemPkcs8.cs	Converts PKCS#8 export to use `Value*` ASN types and spans.
src/libraries/Common/src/System/Security/Cryptography/MLKem.cs	Updates KeyFormatHelper callbacks to span + value AlgorithmIdentifier and `Value*` ASN decode.
src/libraries/Common/src/System/Security/Cryptography/MLDsaPkcs8.cs	Converts PKCS#8 export to use `Value*` ASN types and spans.
src/libraries/Common/src/System/Security/Cryptography/MLDsaCng.Windows.cs	Updates encrypted-only export and PKCS#8 parsing to `Value*` types.
src/libraries/Common/src/System/Security/Cryptography/MLDsa.cs	Rewrites SPKI/PKCS#8 parsing to KeyFormatHelper span-based callbacks and `Value*` types.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs	Replaces `ReadOnlyMemory` callbacks with span-based `ValueKeyReader`, removes pointer pinning.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.Encrypted.cs	Updates encrypted PKCS#8 read/decrypt flow to span + `Value*` ASN types.
src/libraries/Common/src/System/Security/Cryptography/KeyBlobHelpers.cs	Adds span-first unsigned-integer conversion helpers used by new `Value*` decoders.
src/libraries/Common/src/System/Security/Cryptography/Helpers.cs	Adds value/ref AlgorithmIdentifier overload for unknown algorithm exception building.
src/libraries/Common/src/System/Security/Cryptography/DSAKeyFormatHelper.cs	Converts DSA parsing to span + value/ref ASN types (`ValueDssParms`).
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaManaged.ECDsa.cs	Uses `ValueECPrivateKey` decoding and span-based key extraction.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsa.cs	Updates KeyFormatHelper callbacks to span + value AlgorithmIdentifier.
src/libraries/Common/src/System/Security/Cryptography/CngPkcs8.cs	Uses `ValuePrivateKeyInfoAsn` / `ValueECPrivateKey` and new attribute encoding path.
src/libraries/Common/src/System/Security/Cryptography/Asn1/asn.xslt	Emits `Encode` for `Value*` loaders and moves Choice validation to file-scoped validators.
src/libraries/Common/src/System/Security/Cryptography/Asn1/X509ExtensionAsn.xml.cs	Adds `Encode` for `ValueX509ExtensionAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SubjectPublicKeyInfoAsn.xml.cs	Adds `Encode` for `ValueSubjectPublicKeyInfoAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml.cs	Converts to `ValueSpecifiedECDomain` ref struct and span-based decode/encode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml	Switches emission to `emitType="ref"` and valueTypeName dependencies.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml.cs	Adds `ValueRc2CbcParameters` alongside struct emission for span-based decoding.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml	Switches emission to `emitType="both"` and preserves schema comments.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.manual.cs	Moves shared RC2 table to file-scoped helper and extends logic to `Value*` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml.cs	Converts to `ValueRSAPublicKeyAsn` ref struct and span-based decode/encode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml.cs	Converts to `ValueRSAPrivateKeyAsn` ref struct and span-based decode/encode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml.cs	Converts PSS params to `ValuePssParamsAsn`-only emission and updates default init validation.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml	Switches emission to `emitType="ref"` and removes non-value typeName references.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.manual.cs	Removes struct extension; keeps logic on `ValuePssParamsAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml.cs	Adds `ValuePrivateKeyInfoAsn` with span-based decode/encode and attributes enumerator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml	Emits both struct + value, adds valueTypeName for AlgorithmIdentifier/Attribute and valueName enumerator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/SignerIdentifierAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/CertificateChoiceAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml.cs	Converts PBKDF2 salt choice to value/ref emission and span-based encode/decode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml	Switches emission to `emitType="ref"` and valueTypeName for AlgorithmIdentifier.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml.cs	Converts PBKDF2 params to `ValuePbkdf2Params` ref struct and value salt/PRF types.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml	Switches emission to `emitType="ref"` and valueTypeName salt/prf.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml.cs	Converts PBES2 params to `ValuePBES2Params` ref struct and value AlgorithmIdentifiers.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml	Switches emission to `emitType="ref"` and valueTypeName KDF/encryption.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml.cs	Converts PBE params to `ValuePBEParameter` ref struct and span-based decode/encode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml.cs	Converts ML-KEM Both sequence to value/ref type with span-based decode/encode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml.cs	Converts ML-KEM private key choice to value/ref type with explicit Has* flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml	Switches emission to `emitType="ref"` and valueTypeName for Both.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml.cs	Converts ML-DSA Both sequence to value/ref type with span-based decode/encode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml.cs	Converts ML-DSA private key choice to value/ref type with explicit Has* flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml	Switches emission to `emitType="ref"` and valueTypeName for Both.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralSubtreeAsn.xml.cs	Removes BOM and aligns generated header formatting.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralNameAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml.cs	Converts FieldID to `ValueFieldID` ref struct with span-backed parameters.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml.cs	Adds `ValueEncryptedPrivateKeyInfoAsn` for span-based encrypted PKCS#8 parsing.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml	Emits both struct + value and adds valueTypeName AlgorithmIdentifier.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml.cs	Converts EC private key to `ValueECPrivateKey` with span fields and Has* flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml	Switches emission to `emitType="ref"` and valueTypeName for parameters.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml.cs	Converts ECDomainParameters to value/ref choice with HasSpecified flag.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml	Switches emission to `emitType="ref"` and valueTypeName specified domain.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml.cs	Converts DssParms to `ValueDssParms` ref struct and span-based decode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DirectoryStringAsn.xml.cs	Applies validator refactor pattern to generated ASN.1 choice.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml.cs	Converts CurveAsn to value/ref type with span fields and HasSeed flag.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml	Switches emission to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AttributeAsn.xml.cs	Adds `Encode` for `ValueAttributeAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.xml.cs	Adds `Encode` implementation for `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.manual.cs	Adds adapter to convert legacy `AlgorithmIdentifierAsn` to `ValueAlgorithmIdentifierAsn`.

Comments suppressed due to low confidence (6)

src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs:1

ValueAlgorithmIdentifierAsn.Encode only emits Parameters when HasParameters is set. Here Parameters is assigned but HasParameters is never set to true, so the encoded RSA-PSS AlgorithmIdentifier will omit the parameters entirely. Set HasParameters = true when assigning Parameters (and keep Parameters as the DER-encoded PSS params).
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs:1
ValueAlgorithmIdentifierAsn.Encode only emits Parameters when HasParameters is set. Here Parameters is assigned but HasParameters is never set to true, so the encoded RSA-PSS AlgorithmIdentifier will omit the parameters entirely. Set HasParameters = true when assigning Parameters (and keep Parameters as the DER-encoded PSS params).
src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs:1
ValueAlgorithmIdentifierAsn requires HasParameters = true for Parameters to be written during Encode. As written, the NULL parameters value will be dropped, producing an AlgorithmIdentifier without parameters, which can break Android’s SPKI decoding path (especially since the comment notes Android requires the encoded SPKI). Set HasParameters = true when assigning the DER NULL parameters.
src/libraries/Common/src/System/Security/Cryptography/MLDsaPkcs8.cs:1
ValueMLDsaPrivateKeyAsn is a CHOICE-backed value type where encoding relies on companion flags (e.g., HasSeed, HasExpandedKey) to decide which alternative is present. This code assigns Seed / ExpandedKey but never sets the corresponding Has* flags, which can cause Encode to throw (no choice selected) or emit an empty/invalid value. Set privateKeyAsn.HasSeed = true (seed path) and privateKeyAsn.HasExpandedKey = true (expanded key path) when assigning these spans.
src/libraries/Common/src/System/Security/Cryptography/MLDsaPkcs8.cs:1
ValueMLDsaPrivateKeyAsn is a CHOICE-backed value type where encoding relies on companion flags (e.g., HasSeed, HasExpandedKey) to decide which alternative is present. This code assigns Seed / ExpandedKey but never sets the corresponding Has* flags, which can cause Encode to throw (no choice selected) or emit an empty/invalid value. Set privateKeyAsn.HasSeed = true (seed path) and privateKeyAsn.HasExpandedKey = true (expanded key path) when assigning these spans.
src/libraries/Common/src/System/Security/Cryptography/MLDsaPkcs8.cs:1
ValueMLDsaPrivateKeyAsn is a CHOICE-backed value type where encoding relies on companion flags (e.g., HasSeed, HasExpandedKey) to decide which alternative is present. This code assigns Seed / ExpandedKey but never sets the corresponding Has* flags, which can cause Encode to throw (no choice selected) or emit an empty/invalid value. Set privateKeyAsn.HasSeed = true (seed path) and privateKeyAsn.HasExpandedKey = true (expanded key path) when assigning these spans.

You can also share your feedback on Copilot code review. Take the survey.

src/libraries/Common/src/System/Security/Cryptography/Asn1/AttributeAsn.xml.cs

src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml.cs

src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs

src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs

bartonjs · 2026-03-13T18:19:18Z

A few nits, bu 57A0 t looks like a good start overall. (Looks like some test source is missing a Value prefix)

Copilot

Pull request overview

This PR migrates a large portion of the cryptography ASN.1 key loading/encoding paths to the new ref struct “Value” loaders/encoders, reducing reliance on PointerMemoryManager and enabling more span-based parsing.

Changes:

Replace many ReadOnlyMemory<byte>-based ASN.1 decode/encode calls with ReadOnlySpan<byte> + Value* ref-struct loaders.
Add Value-loader Encode(...) support for several generated ASN.1 types used in key wrapping/rewriting flows.
Move DEBUG-only asn:Choice tag validation into file-scoped validators to ensure validation executes once (especially for emitType="both").

Reviewed changes

Copilot reviewed 95 out of 95 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/libraries/System.Security.Cryptography/tests/X509Certificates/ExportTests.cs	Switch tests to `Value*` ASN.1 decoders (span-based).
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs	Build RSA-PSS AlgorithmIdentifier using `Value*` ASN.1 types.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/TimeAsn.xml.cs	Move DEBUG choice tag validation to file-scoped validator.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/DistributionPointNameAsn.xml.cs	Move DEBUG choice tag validation to file-scoped validator.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/CertificationRequestInfoAsn.xml.cs	Add `Encode(...)` for `ValueCertificationRequestInfoAsn`.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSA.cs	Remove `PointerMemoryManager` usage and move RSA imports to span-based helpers.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/KeyBlobHelpers.cs	Add `ReadOnlySpan<byte>` overloads for integer normalization helpers.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/EccKeyFormatHelper.cs	Convert EC key parsing to `Value*` ASN.1 decoders and spans.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.RSA.cs	Decode PSS params via `ValuePssParamsAsn`.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/SignedAttributesSet.xml.cs	Move DEBUG choice tag validation to file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/Rfc3161TstInfo.xml.cs	Add `Encode(...)` for `ValueRfc3161TstInfo`.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientInfoAsn.xml.cs	Move DEBUG choice tag validation to file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientIdentifierAsn.xml.cs	Move DEBUG choice tag validation to file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/OriginatorIdentifierOrKeyAsn.xml.cs	Move DEBUG choice tag validation to file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/MessageImprint.xml.cs	Add `Encode(...)` for `ValueMessageImprint`.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/KeyAgreeRecipientIdentifierAsn.xml.cs	Move DEBUG choice tag validation to file-scoped validator.
src/libraries/Common/tests/System/Security/Cryptography/MLKemBaseTests.cs	Switch PKCS#8 assertions to `Value*` decoders.
src/libraries/Common/tests/System/Security/Cryptography/AsnUtils.cs	Switch PKCS#8 assertions to `Value*` decoders.
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestHelpers.cs	Use `Value*` PKCS#8/MLDsa ASN.1 types and flags.
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaImplementationTests.cs	Update MLDsa ASN construction to `Value*` and choice flags.
src/libraries/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs	Parse PBE/PBES2/PBKDF2 params with `Value*` decoders.
src/libraries/Common/src/System/Security/Cryptography/SlhDsa.cs	Move SPKI/PKCS#8 readers to span + `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/RSAOpenSsl.cs	Refactor export/import helpers to spans and `Value*` ASN.1 checks.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.cs	Convert RSA key/SPKI/PKCS#8 helpers to span + `Value*` decoders.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.Pkcs1.cs	Convert PKCS#1 parsing to `ValueRSAPrivateKeyAsn`/`ValueRSAPublicKeyAsn`.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.macOS.cs	Update AlgorithmIdentifier plumbing to `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.cs	Remove pointer pinning from RSA public key import; span-based parse.
src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs	Rework RSA public key import to span parsing + Value SPKI encode.
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs	Add span-based AlgorithmIdentifier overload + optional span wrapper.
src/libraries/Common/src/System/Security/Cryptography/MLKemPkcs8.cs	Use `ValueAlgorithmIdentifierAsn` and `ValueMLKemPrivateKeyAsn` in export.
src/libraries/Common/src/System/Security/Cryptography/MLKem.cs	Update SPKI/PKCS#8 readers to spans and `ValueMLKemPrivateKeyAsn`.
src/libraries/Common/src/System/Security/Cryptography/MLDsaPkcs8.cs	Use `ValueAlgorithmIdentifierAsn` and `ValueMLDsaPrivateKeyAsn` in export.
src/libraries/Common/src/System/Security/Cryptography/MLDsaCng.Windows.cs	Switch PKCS#8 decoding to span + `ValueMLDsaPrivateKeyAsn`; remove pinning.
src/libraries/Common/src/System/Security/Cryptography/MLDsa.cs	Convert SPKI/PKCS#8 parsing to KeyFormatHelper span-based readers.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs	Make SPKI/PKCS#8 readers span-based using `Value*` ASN.1 structs.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.Encrypted.cs	Make encrypted PKCS#8 reader span-based and decode via `ValueEncryptedPrivateKeyInfoAsn`.
src/libraries/Common/src/System/Security/Cryptography/KeyBlobHelpers.cs	Add span-based integer conversions and forwarders.
src/libraries/Common/src/System/Security/Cryptography/Helpers.cs	Build “unknown algorithm” exception from `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/DSAKeyFormatHelper.cs	Convert DSA parsers to `ValueAlgorithmIdentifierAsn` and `ValueDssParms`.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaManaged.ECDsa.cs	Use `ValueECPrivateKey` parsing for composite ECDSA private key import.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsa.cs	Move SPKI/PKCS#8 readers to spans and `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/CngPkcs8.cs	Rewrite PKCS#8 EC flow to use `ValuePrivateKeyInfoAsn` / `ValueECPrivateKey`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/X509ExtensionAsn.xml.cs	Add `Encode(...)` for `ValueX509ExtensionAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SubjectPublicKeyInfoAsn.xml.cs	Add `Encode(...)` for `ValueSubjectPublicKeyInfoAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml.cs	Convert SpecifiedECDomain to `emitType="ref"` and span-based fields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml	Emit `SpecifiedECDomain` as `ref struct` and use value-type subfields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml.cs	Add `ValueRc2CbcParameters` and decoding/encoding paths.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml	Change emit type to `both`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.manual.cs	Share RC2 EKB encoding across struct + value ref struct implementations.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml.cs	Convert RSAPublicKey to `ValueRSAPublicKeyAsn` with span-based fields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml	Emit RSAPublicKey as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml.cs	Convert RSAPrivateKey to `ValueRSAPrivateKeyAsn` with span-based fields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml	Emit RSAPrivateKey as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml.cs	Shift PSS params to `ValuePssParamsAsn` ref struct and defaults.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml	Emit PSS params as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.manual.cs	Remove non-value struct helper; keep `ValuePssParamsAsn` helper.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml.cs	Add `ValuePrivateKeyInfoAsn` + attributes enumerator over spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml	Emit `PrivateKeyInfoAsn` as both + add value-type attribute enumerator hook.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/SignerIdentifierAsn.xml.cs	Move DEBUG choice validation to file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/CertificateChoiceAsn.xml.cs	Move DEBUG choice validation to file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml.cs	Convert PBKDF2 salt choice to `ValuePbkdf2SaltChoice` ref struct + flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml	Emit PBKDF2 salt choice as `ref struct` and value-type subfield.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml.cs	Convert PBKDF2 params to `ValuePbkdf2Params` and value-type subfields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml	Emit PBKDF2 params as `ref struct` and value-type subfields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml.cs	Convert PBES2 params to `ValuePBES2Params` with value-type algorithm IDs.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml	Emit PBES2 params as `ref struct` with value-type algorithm IDs.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml.cs	Convert PBE params to `ValuePBEParameter` with span-based salt.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml	Emit PBE params as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml.cs	Convert to `ValueMLKemPrivateKeyBothAsn` with span-based fields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml	Emit ML-KEM both key as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml.cs	Convert to `ValueMLKemPrivateKeyAsn` choice with explicit `Has*` flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml	Emit ML-KEM private key choice as `ref struct` with value-type subfield.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml.cs	Convert to `ValueMLDsaPrivateKeyBothAsn` with span-based fields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml	Emit ML-DSA both key as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml.cs	Convert to `ValueMLDsaPrivateKeyAsn` choice with explicit `Has*` flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml	Emit ML-DSA private key choice as `ref struct` with value-type subfield.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralSubtreeAsn.xml.cs	Normalize header text (generated file) to remove BOM marker.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralNameAsn.xml.cs	Move DEBUG choice validation to file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml.cs	Convert to `ValueFieldID` with span-based parameters.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml	Emit FieldID as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml.cs	Add `ValueEncryptedPrivateKeyInfoAsn` with span-based EncryptedData.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml	Emit as `both` + support value-type algorithm ID.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml.cs	Convert to `ValueECPrivateKey` with `Has*` flags and span fields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml	Emit ECPrivateKey as `ref struct` with value-type domain params.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml.cs	Convert to `ValueECDomainParameters` choice with `HasSpecified` flag.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml	Emit ECDomainParameters as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml.cs	Convert to `ValueDssParms` ref struct.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml	Emit DssParms as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DirectoryStringAsn.xml.cs	Move DEBUG choice validation to file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml.cs	Convert to `ValueCurveAsn` with span fields and `HasSeed` flag.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml	Emit CurveAsn as `ref struct`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AttributeAsn.xml.cs	Add `Encode(...)` for `ValueAttributeAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.xml.cs	Add `Encode(...)` for `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.manual.cs	Add conversion helper to `ValueAlgorithmIdentifierAsn`.

Comments suppressed due to low confidence (4)

src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs:1

ValueAlgorithmIdentifierAsn.Encode only writes Parameters when HasParameters is true. Here Parameters is populated but HasParameters is never set, so the resulting RSA AlgorithmIdentifier will omit the required NULL parameters (rsaEncryption parameters are typically NULL). Set HasParameters = true when assigning ExplicitDerNull.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSA.cs:1
Previously this path validated/decoded only the first ASN.1 value (localRead) by slicing via PointerMemoryManager<byte>(..., localRead). Passing the full source span can cause ReadRsaPublicKey to fail if source contains trailing data beyond the first encoded value (even though bytesRead reports only localRead). Call RSAKeyFormatHelper.ReadRsaPublicKey(source.Slice(0, localRead), ...) to preserve the prior behavior.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml.cs:1
_reader is not definitely assigned when encoded.IsEmpty, which will either fail compilation (definite assignment in a struct constructor) or leave MoveNext() using an uninitialized reader. Initialize _reader = default; before the if (or add an else) so the enumerator is well-defined for the empty-attributes case.
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs:1
This helper is only used with byte in this file. Making it non-generic (e.g., OptionalReadOnlySpanByte) avoids generic ref-struct instantiation and keeps the intent tighter/clearer, while still allowing the same “span + HasValue” pattern.

You can also share your feedback on Copilot code review. Take the survey.

Copilot

Pull request overview

This PR migrates key ASN.1 parsing/encoding paths across System.Security.Cryptography (and PKCS) to use the newer emitted ref struct “Value*” loaders, reducing allocations and removing many PointerMemoryManager-based pinning patterns.

Changes:

Switch key-reading helpers and several algorithm implementations (RSA/EC/DSA and PQC types) from ReadOnlyMemory<T>-based decoders to ReadOnlySpan<T> + Value* ASN.1 loaders.
Extend emitted value loaders to support Encode and move asn:Choice validation into file-scoped validators invoked once in DEBUG.
Update tests and supporting helpers to decode through Value* types and span-based APIs.

Reviewed changes

Copilot reviewed 95 out of 95 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
src/libraries/System.Security.Cryptography/tests/X509Certificates/ExportTests.cs	Updates encryption-algorithm assertions to decode via `Value*` ASN.1 loaders.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs	Uses `Value*` ASN.1 types for RSA-PSS algorithm identifier construction/encoding.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/TimeAsn.xml.cs	Moves DEBUG validation into a file-scoped validator for tag uniqueness; keeps struct API.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/DistributionPointNameAsn.xml.cs	Same DEBUG validation refactor to file-scoped validator for tag uniqueness.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/CertificationRequestInfoAsn.xml.cs	Adds `Encode` support for the value emitted loader (`ValueCertificationRequestInfoAsn`).
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSA.cs	Removes `PointerMemoryManager` usage in import paths; uses span-based key readers.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/KeyBlobHelpers.cs	Adds span-based overload to support new `Value*` decoder output.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/EccKeyFormatHelper.cs	Switches EC key decoding to `Value*` types and span-based inputs; adjusts PKCS8 attribute handling.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.RSA.cs	Uses `ValuePssParamsAsn` for PSS parameter decoding.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/SignedAttributesSet.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/Rfc3161TstInfo.xml.cs	Adds value-loader properties/encode support for optional fields.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientInfoAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientIdentifierAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/OriginatorIdentifierOrKeyAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/MessageImprint.xml.cs	Adds `Encode` support for `ValueMessageImprint`.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/KeyAgreeRecipientIdentifierAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/Common/tests/System/Security/Cryptography/MLKemBaseTests.cs	Updates encrypted PKCS8 inspection to use `Value*` decoders.
src/libraries/Common/tests/System/Security/Cryptography/AsnUtils.cs	Updates encrypted PKCS8 inspection helper to use `Value*` decoders.
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestHelpers.cs	Updates encode/decode helpers to `Value*` types and span-based PKCS8 parsing.
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaImplementationTests.cs	Updates test ASN construction to `Value*` types.
src/libraries/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs	Switches PKCS#12 KDF iteration parsing to `Value*` decoders and span parameters.
src/libraries/Common/src/System/Security/Cryptography/SlhDsa.cs	Switches KeyFormatHelper callbacks and identifier parsing to span + `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/RSAOpenSsl.cs	Switches export/import transforms and PKCS#8 verification to span-based helpers and `Value*` decoders.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.cs	Converts APIs to `ReadOnlySpan<byte>` and `ValueAlgorithmIdentifierAsn`; removes pinning helpers.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.Pkcs1.cs	Converts PKCS#1 decode to `ValueRSAPrivateKeyAsn`/`ValueRSAPublicKeyAsn` and spans.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.macOS.cs	Updates RSA public key reading to use `ValueAlgorithmIdentifierAsn`.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.cs	Removes `PointerMemoryManager` usage in RSA public key import; uses span-based validation.
src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs	Removes `PointerMemoryManager` and constructs SPKI via `ValueSubjectPublicKeyInfoAsn`.
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs	Adds span-based optional-parameter plumbing and overloads for value algorithm identifiers.
src/libraries/Common/src/System/Security/Cryptography/MLKemPkcs8.cs	Switches PKCS#8 export ASN to `Value*` types and spans.
src/libraries/Common/src/System/Security/Cryptography/MLKem.cs	Switches key readers/identifier parsing to span + `Value*` types.
src/libraries/Common/src/System/Security/Cryptography/MLDsaPkcs8.cs	Switches PKCS#8 export ASN to `Value*` types and spans.
src/libraries/Common/src/System/Security/Cryptography/MLDsaCng.Windows.cs	Converts PKCS#8 parsing to span + `Value*` types; adjusts key selection logic accordingly.
src/libraries/Common/src/System/Security/Cryptography/MLDsa.cs	Uses KeyFormatHelper span-based reading; switches private key parsing to `Value*` decoders.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs	Converts key readers (SPKI/PKCS8) to span + `Value*` types; removes pinning paths.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.Encrypted.cs	Converts encrypted PKCS#8 decode path to span + `ValueEncryptedPrivateKeyInfoAsn`.
src/libraries/Common/src/System/Security/Cryptography/KeyBlobHelpers.cs	Adds span-based helpers and keeps memory overloads delegating to span versions.
src/libraries/Common/src/System/Security/Cryptography/Helpers.cs	Updates algorithm-unknown exception creation to accept `ValueAlgorithmIdentifierAsn` and encode it.
src/libraries/Common/src/System/Security/Cryptography/DSAKeyFormatHelper.cs	Converts DSA parsing to span + `ValueAlgorithmIdentifierAsn` and `ValueDssParms`.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaManaged.ECDsa.cs	Switches EC private key parsing to `ValueECPrivateKey` and value-domain parameter checks.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsa.cs	Switches key readers/identifier parsing to span + value algorithm identifiers.
src/libraries/Common/src/System/Security/Cryptography/CngPkcs8.cs	Converts EC PKCS#8 rewrite path to span + value PKCS#8/EC decoders and encoded-attributes forwarding.
src/libraries/Common/src/System/Security/Cryptography/Asn1/X509ExtensionAsn.xml.cs	Adds `Encode` support for value extension loader.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SubjectPublicKeyInfoAsn.xml.cs	Adds `Encode` support for value SPKI loader.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml.cs	Converts SpecifiedECDomain to `emitType="ref"` value loader with span fields/option flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml	Updates generator settings and switches to value-type referenced subtypes.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml.cs	Adds `ValueRc2CbcParameters` with encode/decode.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml	Switches to `emitType="both"` to support both struct and value loader.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.manual.cs	Refactors shared EKB table into file-scoped helper usable by both struct and value loader.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml.cs	Converts to `emitType="ref"` value loader with spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml	Switches emission to `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml.cs	Converts to `emitType="ref"` value loader with spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml	Switches emission to `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml.cs	Switches PSS params to `emitType="ref"` and updates defaults decoding to `Value*` types.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml	Switches emission from `both` to `ref`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.manual.cs	Removes non-value helper and keeps padding logic on `ValuePssParamsAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml.cs	Adds `ValuePrivateKeyInfoAsn` with encode/decode and a value-friendly attribute enumerator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml	Switches to `emitType="both"` and adds value enumerator metadata for Attributes.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/SignerIdentifierAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/CertificateChoiceAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml.cs	Converts salt choice to value loader with explicit `Has*` flags and file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml	Switches emission to `ref` and uses value algorithm identifier for OtherSource.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml.cs	Converts PBKDF2 params to value loader using value salt-choice and algorithm identifier.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml	Switches emission to `ref` and updates subtype references to value types.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml.cs	Converts PBES2 params to value loader using value algorithm identifiers.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml	Switches emission to `ref` and uses value algorithm identifier subtypes.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml.cs	Converts PBE parameter to value loader with spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml	Switches emission to `ref`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml.cs	Converts to `emitType="ref"` value loader with spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml	Switches emission to `ref`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml.cs	Converts to value choice with `Has*` flags and file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml	Switches emission to `ref` and uses value subtype for Both.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml.cs	Converts to `emitType="ref"` value loader with spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml	Switches emission to `ref`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml.cs	Converts to value choice with `Has*` flags and file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml	Switches emission to `ref` and uses value subtype for Both.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralSubtreeAsn.xml.cs	Normalizes header comment formatting in generated output.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralNameAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml.cs	Converts to `emitType="ref"` value loader with spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml	Switches emission to `ref`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml.cs	Adds `ValueEncryptedPrivateKeyInfoAsn` with encode/decode and span fields.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml	Switches to `emitType="both"` and introduces value algorithm identifier subtype.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml.cs	Converts EC private key to value loader with span fields and explicit `Has*` flags.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml	Switches emission to `ref` and updates parameter subtype to value domain parameters.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml.cs	Converts to value choice with `HasSpecified` flag and file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml	Switches emission to `ref` and uses value subtype for Specified.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml.cs	Converts DSS parameters to `emitType="ref"` value loader.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml	Switches emission to `ref`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DirectoryStringAsn.xml.cs	Moves DEBUG choice validation into file-scoped validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml.cs	Converts curve ASN.1 to value loader with span fields and `HasSeed` flag.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml	Switches emission to `ref`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AttributeAsn.xml.cs	Adds `Encode` support for `ValueAttributeAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.xml.cs	Adds `Encode` for `ValueAlgorithmIdentifierAsn` and switches parameters to tracked optional span.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.manual.cs	Adds helper to convert `AlgorithmIdentifierAsn` to `ValueAlgorithmIdentifierAsn` for shared callers.

You can also share your feedback on Copilot code review. Take the survey.

src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs

            catch (AsnContentException e)
-            {
+                {
                throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding, e);
            }


src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs

Copilot

Pull request overview

This PR migrates a large portion of System.Security.Cryptography / System.Security.Cryptography.Pkcs ASN.1 key-loading and encoding flows from ReadOnlyMemory<byte>/heap-backed decoders to ref struct “Value*” loaders operating on ReadOnlySpan<byte>, with the goal of reducing pinning and eliminating many PointerMemoryManager usages.

Changes:

Switch key import/export helpers and platform-specific RSA/EC parsing paths to span-based Value* ASN.1 types.
Extend emitted ref struct loaders to support Encode and add/adjust value-type ASN.1 models (PBES2/PBKDF2/PSS/PKCS#8, EC/RSA key structures, etc.).
Refactor DEBUG-only ASN.1 choice-tag validation into file-scoped validators invoked from the owning type’s static constructor.

Reviewed changes

Copilot reviewed 95 out of 95 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
src/libraries/System.Security.Cryptography/tests/X509Certificates/ExportTests.cs	Update test decoding to use `Value*` ASN.1 decoders for PBE/PBES2/PBKDF2.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/RSAPssX509SignatureGenerator.cs	Use value ASN.1 types for RSA-PSS algorithm identifier construction/encoding.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/TimeAsn.xml.cs	Move DEBUG tag validation into file-scoped validator; keep struct behavior unchanged.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/DistributionPointNameAsn.xml.cs	Same file-scoped DEBUG validator pattern for choice validation.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/X509Certificates/Asn1/CertificationRequestInfoAsn.xml.cs	Add `Encode` support for value `CertificationRequestInfo` loader.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/RSA.cs	Remove `PointerMemoryManager` usage for RSA key import paths by using span-based helpers.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/KeyBlobHelpers.cs	Add span overload for unsigned-integer conversion helper.
src/libraries/System.Security.Cryptography/src/System/Security/Cryptography/EccKeyFormatHelper.cs	Convert EC key parsing/encoding to `Value*` ASN.1 types and span-based flows.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/CmsSignature.RSA.cs	Decode PSS params using `ValuePssParamsAsn`.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/SignedAttributesSet.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/Rfc3161TstInfo.xml.cs	Add encode support and switch optionals to “HasX + span property” model.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientInfoAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/RecipientIdentifierAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/OriginatorIdentifierOrKeyAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/MessageImprint.xml.cs	Add `Encode` to value message imprint loader.
src/libraries/System.Security.Cryptography.Pkcs/src/System/Security/Cryptography/Pkcs/Asn1/KeyAgreeRecipientIdentifierAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/Common/tests/System/Security/Cryptography/MLKemBaseTests.cs	Update tests to decode via `Value*` PBES2/PBKDF2/PBE types.
src/libraries/Common/tests/System/Security/Cryptography/AsnUtils.cs	Update test helpers to decode via `Value*` PBES2/PBKDF2/PBE types.
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaTestHelpers.cs	Update ML-DSA PKCS#8 test encode/decode to `Value*` loaders.
src/libraries/Common/tests/System/Security/Cryptography/AlgorithmImplementations/MLDsa/MLDsaImplementationTests.cs	Update negative/validation tests to use `Value*` ML-DSA ASN.1 types.
src/libraries/Common/src/System/Security/Cryptography/X509Certificates/X509CertificateLoader.Pkcs12.cs	Use `Value*` PBE/PBES2/PBKDF2 decoders when reading PKCS#12 params.
src/libraries/Common/src/System/Security/Cryptography/SlhDsa.cs	Switch key-format callbacks to span + value algorithm identifier; simplify unknown-params exception path.
src/libraries/Common/src/System/Security/Cryptography/RSAOpenSsl.cs	Use span-based `RSAKeyFormatHelper` helpers and value RSA ASN.1 decode in PKCS#8 verification.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.cs	Convert helper APIs to span/value algorithm identifier and span-returning SPKI/PKCS#8 helpers.
src/libraries/Common/src/System/Security/Cryptography/RSAKeyFormatHelper.Pkcs1.cs	Convert PKCS#1 RSA public/private decoding to value ASN.1 loaders.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.macOS.cs	Update RSA public-key parsing path to pass value algorithm identifier.
src/libraries/Common/src/System/Security/Cryptography/RSAAppleCrypto.cs	Remove `PointerMemoryManager` from RSA public import; use span-based validation.
src/libraries/Common/src/System/Security/Cryptography/RSAAndroid.cs	Replace pinned-memory parsing with span-based `ValueAsnReader` and value SPKI construction.
src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs	Introduce optional-span wrapper and value algorithm identifier overloads for PBE decode paths.
src/libraries/Common/src/System/Security/Cryptography/MLKemPkcs8.cs	Emit ML-KEM PKCS#8 using `Value*` algorithm id/private-key ASN.1 types and spans.
src/libraries/Common/src/System/Security/Cryptography/MLKem.cs	Switch key-format reader callbacks and ML-KEM private key parsing to value ASN.1 types.
src/libraries/Common/src/System/Security/Cryptography/MLDsaPkcs8.cs	Emit ML-DSA PKCS#8 using `Value*` algorithm id/private-key ASN.1 types and spans.
src/libraries/Common/src/System/Security/Cryptography/MLDsaCng.Windows.cs	Update ML-DSA PKCS#8 decode and span-copy logic for `Value*` private-key choice representation.
src/libraries/Common/src/System/Security/Cryptography/MLDsa.cs	Replace pinned-memory SPKI parsing with `KeyFormatHelper.ReadSubjectPublicKeyInfo` span callback; update PKCS#8 readers.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs	Convert SPKI/PKCS#8 readers to span + value algorithm identifier and value ASN.1 loaders.
src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.Encrypted.cs	Convert encrypted PKCS#8 reading to value ASN.1 loaders and span-based decrypt pipeline.
src/libraries/Common/src/System/Security/Cryptography/KeyBlobHelpers.cs	Add span-first overloads for unsigned integer conversions used by value ASN.1 models.
src/libraries/Common/src/System/Security/Cryptography/Helpers.cs	Change unknown-algorithm exception helper to accept value algorithm identifier and encode internally.
src/libraries/Common/src/System/Security/Cryptography/DSAKeyFormatHelper.cs	Convert DSA ASN.1 parsing to span + value algorithm identifier; drop memory-based SPKI helper overload.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsaManaged.ECDsa.cs	Switch EC private-key parsing from pinned-memory decode to `ValueECPrivateKey` decode.
src/libraries/Common/src/System/Security/Cryptography/CompositeMLDsa.cs	Switch key-format callbacks to span + value algorithm identifier for SPKI/PKCS#8 import paths.
src/libraries/Common/src/System/Security/Cryptography/CngPkcs8.cs	Rewrite EC private key parsing using value PKCS#8 + value EC-private-key ASN.1.
src/libraries/Common/src/System/Security/Cryptography/Asn1/X509ExtensionAsn.xml.cs	Add `Encode` implementation for value extension ASN.1 type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SubjectPublicKeyInfoAsn.xml.cs	Add `Encode` implementation for value SPKI ASN.1 type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml.cs	Convert to `emitType="ref"` and update to value subtypes/spans + optional cofactor flag.
src/libraries/Common/src/System/Security/Cryptography/Asn1/SpecifiedECDomain.xml	Emit as `ref` and point subtypes to `ValueFieldID` / `ValueCurveAsn`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml.cs	Introduce value RC2-CBC params type with decode/encode over spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.xml	Switch to `emitType="both"` to provide both struct and ref struct emit.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Rc2CbcParameters.manual.cs	Refactor EKB encoding table to file-scoped helper and share with value RC2 params.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml.cs	Convert to `emitType="ref"` value RSA public key model using spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPublicKeyAsn.xml	Emit RSA public key as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml.cs	Convert to `emitType="ref"` value RSA private key model using spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml	Emit RSA private key as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml.cs	Convert PSS params to value (`ref`) model and update default decoding in DEBUG helper.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.xml	Switch PSS params to `emitType="ref"`.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PssParamsAsn.manual.cs	Move signature-padding logic onto value PSS params type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml.cs	Add `ValuePrivateKeyInfoAsn` with encode/decode and a value enumerator for attributes.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PrivateKeyInfoAsn.xml	Emit both struct and value forms; add `valueTypeName` and value attribute enumerator hook.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/SignerIdentifierAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pkcs7/CertificateChoiceAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml.cs	Convert PBKDF2 salt choice to value ref struct with `Has*` flags and file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2SaltChoice.xml	Emit PBKDF2 salt choice as `ref` type and use value algorithm identifier subtype.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml.cs	Convert PBKDF2 params to value ref struct and value subtypes.
src/libraries/Common/src/System/Security/Cryptography/Asn1/Pbkdf2Params.xml	Emit PBKDF2 params as `ref` type and use value subtypes.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml.cs	Convert PBES2 params to value ref struct and value algorithm identifier subtypes.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBES2Params.xml	Emit PBES2 params as `ref` type using value algorithm identifiers.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml.cs	Convert PBEParameter to value ref struct using spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/PBEParameter.xml	Emit PBEParameter as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml.cs	Convert ML-KEM “Both” private-key ASN.1 type to value ref struct using spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyBothAsn.xml	Emit ML-KEM “Both” as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml.cs	Convert ML-KEM private-key choice to value ref struct with `Has*` flags + file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLKemPrivateKeyAsn.xml	Emit ML-KEM private-key choice as `ref` type and use value “Both” subtype.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml.cs	Convert ML-DSA “Both” private-key ASN.1 type to value ref struct using spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyBothAsn.xml	Emit ML-DSA “Both” as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml.cs	Convert ML-DSA private-key choice to value ref struct with `Has*` flags + file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/MLDsaPrivateKeyAsn.xml	Emit ML-DSA private-key choice as `ref` type and use value “Both” subtype.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralSubtreeAsn.xml.cs	Normalize generated header formatting/whitespace.
src/libraries/Common/src/System/Security/Cryptography/Asn1/GeneralNameAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml.cs	Convert FieldID to value ref struct using spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/FieldID.xml	Emit FieldID as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml.cs	Add value EncryptedPrivateKeyInfo ASN.1 type with encode/decode over spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/EncryptedPrivateKeyInfoAsn.xml	Emit both forms and add value algorithm identifier subtype.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml.cs	Convert ECPrivateKey to value ref struct with `Has*` flags and spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECPrivateKey.xml	Emit ECPrivateKey as `ref` type and use value ECDomainParameters subtype.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml.cs	Convert EC domain parameters choice to value ref struct + file-scoped DEBUG validator.
src/libraries/Common/src/System/Security/Cryptography/Asn1/ECDomainParameters.xml	Emit EC domain parameters as `ref` type and use value SpecifiedECDomain subtype.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml.cs	Convert DSS params to value ref struct and span-based decode signature.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DssParms.xml	Emit DSS params as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/DirectoryStringAsn.xml.cs	Apply file-scoped DEBUG choice-tag validator pattern.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml.cs	Convert CurveAsn to value ref struct with optional seed flag and spans.
src/libraries/Common/src/System/Security/Cryptography/Asn1/CurveAsn.xml	Emit CurveAsn as `ref` type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AttributeAsn.xml.cs	Add `Encode` implementation for value Attribute ASN.1 type.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.xml.cs	Change parameters to optional span with setter-driven `HasParameters` and add `Encode` support.
src/libraries/Common/src/System/Security/Cryptography/Asn1/AlgorithmIdentifierAsn.manual.cs	Add conversion helper from classic AlgorithmIdentifier to value AlgorithmIdentifier.

You can also share your feedback on Copilot code review. Take the survey.

vcsjones and others added 27 commits March 12, 2026 11:34

First set of key loaders to use value-type reading

2562415

Migrates DSA SPKI

a2bcda3

Move parts of RSA public key loading to value loader

d4e4e01

Fix encoding of unknown algorithms

f83e2e7

Move more RSA public key reading to value readers

aafa60b

Remove dead reader code

f932e37

Remove unused memory reader

203b608

Remove now unused code

b965e1e

Value struct support for PasswordBasedEncryption

7d84a90

Spanify DSA key loader

6e809d2

Spanify RSA key loaded

c8acec4

Tweak some types for future reading

f477580

Value-ify ML-KEM PKCS#8 export

2abb5cf

Value reader and writer for ML-DSA only

d19b823

Move ECC key helpers

5d6b550

Remove unused memory-based readers

16af805

Keep torching old readers

45bd2eb

Done! Maybe? Hopefully.

45a0315

Get rid of PointerMemoryManager in Android RSA key loader

4dd9d87

Fix BOM

86ae7fb

Remove value builder since we didn't end up using it... yet

873e05f

Convert several loaders to be ref only

959d34f

Change ECPrivateKey and dependent types to ref-only

7459a29

Remove unused attributes

08e38e8

Add back validation for ref-struct only emitted types

dce0681

Actually do validation

020110a

Copilot AI review requested due to automatic review settings March 13, 2026 17:30

github-actions bot added the area-System.Security label Mar 13, 2026

dotnet-policy-service bot assigned vcsjones Mar 13, 2026

Copilot started reviewing on behalf of vcsjones March 13, 2026 17:37 View session

Copilot AI reviewed Mar 13, 2026

View reviewed changes

bartonjs reviewed Mar 13, 2026

View reviewed changes

src/libraries/Common/src/System/Security/Cryptography/Asn1/AttributeAsn.xml.cs Show resolved Hide resolved

bartonjs reviewed Mar 13, 2026

View reviewed changes

src/libraries/Common/src/System/Security/Cryptography/Asn1/RSAPrivateKeyAsn.xml.cs Show resolved Hide resolved

bartonjs reviewed Mar 13, 2026

View reviewed changes

src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs Outdated Show resolved Hide resolved

bartonjs reviewed Mar 13, 2026

View reviewed changes

src/libraries/Common/src/System/Security/Cryptography/PasswordBasedEncryption.cs Show resolved Hide resolved

vcsjones added 2 commits March 13, 2026 14:59

Fix tests

60ba8d8

Back to key reader

5b44256

vcsjones added the reduce-unsafe label Mar 13, 2026

Add whitespace in the generated C#

d57e61c

Copilot AI review requested due to automatic review settings March 13, 2026 20:05

Put the BOM back.

06e2428

Copilot started reviewing on behalf of vcsjones March 13, 2026 20:11 View session

Copilot AI reviewed Mar 13, 2026

View reviewed changes

vcsjones added 2 commits March 13, 2026 17:10

Fix missing HasParameter assignments, fix missing slice

b2727b6

Change optional fields to avoid torn values

4823899

Copilot AI review requested due to automatic review settings March 13, 2026 22:38

Copilot started reviewing on behalf of vcsjones March 13, 2026 22:39 View session

Copilot AI reviewed Mar 13, 2026

View reviewed changes

src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs

Comment on lines 32 to 35

catch (AsnContentException e)

{

{

throw new CryptographicException(SR.Cryptography_Der_Invalid_Encoding, e);

}

vcsjones commented Mar 13, 2026

View reviewed changes

src/libraries/Common/src/System/Security/Cryptography/KeyFormatHelper.cs Outdated Show resolved Hide resolved

Apply suggestion from @vcsjones

9c25918

Copilot AI review requested due to automatic review settings March 13, 2026 23:09

Copilot started reviewing on behalf of vcsjones March 13, 2026 23:10 View session

Copilot AI reviewed Mar 13, 2026

View reviewed changes

build-analysis bot mentioned this pull request Mar 14, 2026

System.IO.FileSystem.Tests.WorkItemExecution CI timeout on net9.0-osx-Debug-x64-Mono_Minijit_Debug-OSX.1200.Amd64.Open #101423

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use `ref struct` key loaders#125528

Use `ref struct` key loaders#125528
vcsjones wants to merge 34 commits intodotnet:mainfrom
vcsjones:asn-value-key-loaders

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants