Support AES-GCM for iOS-like platforms

[tipa]

AES-GCM algorithm (as well as ChaCha20Poly1305 and AES-CCM) are available for macOS, powered by CryptoKit, but not on iOS.

As CryptoKit is also available on iOS (iOS 13+), maybe there is an easy way to also bring support to iOS?

Motivation: I am building a cross-platform app for Windows, iOS, Android & macOS. Missing support for AES-GCM on iOS forces me to either pull in an additional dependency (e.g. BouncyCastle) or use AES-CBC (which seemingly the whole internet is advising against in favor of AES-GCM)

NOTE: once this is implemented we should update the docs: https://github.com/dotnet/docs/blob/main/docs/standard/security/cross-platform-cryptography.md

[ghost]

Tagging subscribers to this area: @dotnet/area-system-security, @bartonjs, @vcsjones See info in area-owners.md if you want to be subscribed.

Issue Details

---

[AES-GCM algorithm](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm) (as well as [ChaCha20Poly1305](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.chacha20poly1305)) as available for macOS, [powered by CryptoKit](https://github.com/dotnet/runtime/issues/29811), but not on iOS. As [CryptoKit](https://developer.apple.com/documentation/cryptokit/) is also available on iOS (iOS 13+), maybe there is an easy way to also bring support to iOS? Motivation: I am building a cross-platform app for Windows, iOS, Android & macOS. Missing support for AES-GCM on iOS forces me to either pull in an additional dependency (e.g. BouncyCastle) or use AES-CBC (which seemingly the whole internet is advising against in favor of AES-GCM)

Author:	tipa
Assignees:	-
Labels:	`area-System.Security`, `untriaged`
Milestone:	-

[ghost]

Tagging subscribers to 'os-ios': @steveisok, @akoeplinger, @kotlarmilos See info in area-owners.md if you want to be subscribed.

Issue Details

---

[AES-GCM algorithm](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm) (as well as [ChaCha20Poly1305](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.chacha20poly1305)) as available for macOS, [powered by CryptoKit](https://github.com/dotnet/runtime/issues/29811), but not on iOS. As [CryptoKit](https://developer.apple.com/documentation/cryptokit/) is also available on iOS (iOS 13+), maybe there is an easy way to also bring support to iOS? Motivation: I am building a cross-platform app for Windows, iOS, Android & macOS. Missing support for AES-GCM on iOS forces me to either pull in an additional dependency (e.g. BouncyCastle) or use AES-CBC (which seemingly the whole internet is advising against in favor of AES-GCM)

Author:	tipa
Assignees:	-
Labels:	`area-System.Security`, `untriaged`, `os-ios`
Milestone:	-

[tipa]

Yes, available for macOS, but not iOS - that's why I opened this issue :) PlatformNotSupportedException is still thrown on net8.0-ios

[EgorBo]

Yes, available for macOS, but not iOS - that's why I opened this issue :) PlatformNotSupportedException is still thrown on net8.0-ios

Yep, sorry, didn't notice 🙂

[vcsjones]

As CryptoKit is also available on iOS (iOS 13+), maybe there is an easy way to also bring support to iOS?

The last time @filipnavara and I looked in to this, there were challenges for mobile Apple platforms. This comment for ChaCha20Poly1305 summarizes things: https://github.com/dotnet/runtime/issues/52482#issuecomment-838290365

That issue also tracks ChaCha20Poly1305 for iOS / tvOS as well.

[vcsjones]

@filipnavara has the state of this changed with _MainLinkerFlags? You're more well versed on the iOS side of things.

[filipnavara]

We discussed it in June with @akoeplinger. The current situation is that we still support iOS versions without built-in Swift. That may change in .NET 9 but nothing is set in stone yet. The old workaround to weakly link against system Swift libraries no longer works because Apple decided to move parts of swiftFoundation into Foundation framework. Thus you need to additionally tell the linker to weakly link to Foundation framework itself. It's doable but fragile and likely not worth the effort. If we are targeting .NET 9 at this point then we may as well get the necessary minimum iOS version bump and do it the proper/simple way.

[vcsjones]

Cross referencing this: https://github.com/dotnet/runtime/issues/91736

I believe that is the major blocker for this. Once this is addressed we can link to the swift runtime.

CryptoKit is still iOS 13 though. We can use if #available in the swift shim to return an error code that the platform is not supported.

[ghost]

Tagging subscribers to 'os-tvos': @steveisok, @akoeplinger See info in area-owners.md if you want to be subscribed.

Issue Details

---

[AES-GCM algorithm](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesgcm) (as well as [ChaCha20Poly1305](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.chacha20poly1305) and [AES-CCM](https://learn.microsoft.com/en-us/dotnet/api/system.security.cryptography.aesccm)) are available for macOS, [powered by CryptoKit](https://github.com/dotnet/runtime/issues/29811), but not on iOS. As [CryptoKit](https://developer.apple.com/documentation/cryptokit/) is also available on iOS (iOS 13+), maybe there is an easy way to also bring support to iOS? Motivation: I am building a cross-platform app for Windows, iOS, Android & macOS. Missing support for AES-GCM on iOS forces me to either pull in an additional dependency (e.g. BouncyCastle) or use AES-CBC (which seemingly the whole internet is advising against in favor of AES-GCM)

Author:	tipa
Assignees:	-
Labels:	`area-System.Security`, `os-ios`, `os-tvos`, `os-maccatalyst`
Milestone:	Future