Remove deprecated OpenSSL RSA APIs

[PranavSenthilnathan]

Remove deprecated OpenSSL RSA APIs. The RSA type and RSA_* methods have been deprecated in favor of EVP_PKEY. Most of our code already has moved, but this cleans up the function loading and updates the remaining places. The build allows deprecated APIs, but for local testing I've been using -DOPENSSL_API_COMPAT=0x30500000L -DOPENSSL_NO_DEPRECATED to error on deprecated APIs.

[dotnet-policy-service]

Tagging subscribers to this area: @bartonjs, @vcsjones, @dotnet/area-system-security
See info in area-owners.md if you want to be subscribed.

[Copilot]

Pull request overview

This PR continues the migration away from deprecated OpenSSL RSA* APIs toward EVP-based APIs (primarily EVP_PKEY), updating certificate generation and key-validation paths, and adjusting shim/configure logic to better tolerate RSA legacy symbol availability.

Changes:

• Update self-signed certificate generation to use/generated EVP_PKEY* directly (removing EVP_PKEY_get1_RSA / EVP_PKEY_set1_RSA usage in that flow).
• Add an EVP-based RSA “quick check” (EVP_PKEY_get_bn_param) for OpenSSL 3+ to avoid relying on legacy RSA object access.
• Add HAVE_OPENSSL_RSA_PRIMITIVE configure/shim support and relax several RSA-related shim bindings to “lightup” (runtime-detected) functions.

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

Show a summary per file

File	Description
src/native/libs/System.Security.Cryptography.Native/pal_ssl.c	Switch self-signed cert helper to return the generated EVP_PKEY* instead of extracting/setting a legacy RSA*.
src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey_rsa.c	Factor legacy private-key-availability check into a helper and gate it on EVP_PKEY_get0_RSA lightup availability.
src/native/libs/System.Security.Cryptography.Native/pal_evp_pkey.c	Introduce QuickRsaCheckEvp using EVP_PKEY_get_bn_param; adjust RSA validation flow to prefer EVP-param extraction.
src/native/libs/System.Security.Cryptography.Native/pal_crypto_config.h.in	Add HAVE_OPENSSL_RSA_PRIMITIVE feature define.
src/native/libs/System.Security.Cryptography.Native/osslcompat_30.h	Add RSA parameter-name constants needed for EVP param extraction on older headers.
src/native/libs/System.Security.Cryptography.Native/opensslshim.h	Add RSA primitive fallback declarations and convert multiple RSA-related bindings to lightup functions.
src/native/libs/System.Security.Cryptography.Native/configure.cmake	Add compile probe for RSA primitive availability (RSA_new/RSA_free).

[Copilot]

Pull request overview

Copilot reviewed 7 out of 7 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 4 comments.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

[bartonjs]

• The managed to native transition for import/export are in terms of SPKI and PKCS8, so they aren't affected by the loss of RSA_get0_factors and friends.
• I think we already don't have good tests for creating an RSAOpenSsl from an RSA*, and I'm having trouble imagining how we'd know it was "OK" to pass a synthetic pointer value in to make sure we got a sensible "uh, there's no EVP_PKEY_set1_RSA...", so it makes sense to not see test changes for that.
• All of the new EVP_PKEY vs RSA adapter functions seem to be declared static.
• I briefly entertained the idea of suggesting probing off of HEADER_RSA_H instead of probing for RSA_new... but, nah.

So, looks like this "I think you can #if away some more code in direct build mode" is probably the last thing from me.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

[PranavSenthilnathan]

RSA_F_RSA_NULL_PRIVATE_DECRYPT is 0 is OpenSSL 3.0+ and 132 otherwise. It's used in ERR_put_error for the func argument which has been deprecated (and func doesn't seem very useful anyway). I can use the 132 value but I think it's fine to just remove it altogether here instead of conditionally defining the macros.

[bartonjs]

Since the code would only hit when compiled with the 3.0 headers and run on 1.1... it should be passing 132, not 0.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.

[Copilot]

QuickRsaCheckCore treats a getKey(...) failure as a definitive key failure (ret=0) and may set RSA_R_VALUE_MISSING. With the OpenSSL 3.0+ accessor, EVP_PKEY_get_bn_param can fail for provider-managed/opaque keys even when EVP_PKEY_check would succeed. Consider returning -1 (indeterminate) on getKey failure so CheckKey can fall back to EVP_PKEY_check, and reserve definitive failure for the case where required public parameters are confirmed missing.

Suggested change

	if (ERR_peek_error() == 0)
	{
	ERR_PUT_error(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING, __FILE__, __LINE__);
	}
	// Some OpenSSL 3.0+ provider-managed or opaque keys cannot expose the RSA
	// parameters through getKey() even though EVP_PKEY_check can still validate
	// them. Treat this as indeterminate so the caller can fall back.
	ret = -1;

[PranavSenthilnathan]

Getting n and e should not fail and if they do (e.g. due to OOM) then it's not retryable, so it should be fine to return that the key is invalid.

[Copilot]

Pull request overview

Copilot reviewed 8 out of 8 changed files in this pull request and generated 1 comment.