Add missing documentation for DSA, and update some existing docs. (#2794)

bartonjs · Ron Petrusha · Ron Petrusha · commit d360cb4a93af · 2019-07-24T19:11:13.000Z
* Add missing documentation for DSA, and update some existing docs.

* (Attempt to) Fix some xrefs

* Apply suggestions from code review

Co-Authored-By: Ron Petrusha &lt;ronpet@microsoft.com&gt;
diff --git a/xml/System.Security.Cryptography/DSA.xml b/xml/System.Security.Cryptography/DSA.xml
@@ -41,10 +41,14 @@
   
  To use a public-key system to digitally sign a message, the sender first applies a hash function to the message to create a message digest. The sender then encrypts the message digest with the sender's private key to create the sender's personal signature. Upon receiving the message and signature, the receiver decrypts the signature using the sender's public key to recover the message digest and hashes the message using the same hash algorithm that the sender used. If the message digest that the receiver computes exactly matches the message digest received from the sender, the receiver can assume that the message was not altered while in transit. Note that a signature can be verified by anyone, because the sender's public key is common knowledge.  
   
- Newer asymmetric algorithms are available. Consider using the <xref:System.Security.Cryptography.RSA> class, the <xref:System.Security.Cryptography.ECDsa> class, or the <xref:System.Security.Cryptography.ECDiffieHellman> class instead of the <xref:System.Security.Cryptography.DSA> class. Use <xref:System.Security.Cryptography.DSA> only for compatibility with legacy applications and data.  
-  
- This algorithm supports key lengths from 512 bits to 1024 bits in increments of 64 bits.  
+> [!IMPORTANT]
+> Newer asymmetric algorithms are available. Consider using the <xref:System.Security.Cryptography.RSA> class or the <xref:System.Security.Cryptography.ECDsa> class instead of the <xref:System.Security.Cryptography.DSA> class. Use <xref:System.Security.Cryptography.DSA> only for compatibility with legacy applications and data.  
   
+ Two different versions of the DSA algorithm exist.
+ The original form, described in FIPS 186-2, requires the use of SHA-1 as the hash algorithm and supports key lengths from 512 bits to 1024 bits in increments of 64 bits.
+ An updated version of the algorithm was described in FIPS 186-3, which enabled the use of the SHA-2 family of hash algorithms and added support for 2048 bit keys and 3072 bit keys.
+ Not all derived implementations of this type support the FIPS 186-3 enhancements to DSA. Support can be detected via the <xref:System.Security.Cryptography.AsymmetricAlgorithm.LegalKeySizes> property.
+ 
  ]]></format>
     </remarks>
     <related type="Article" href="~/docs/standard/security/cryptographic-services.md">Cryptographic Services</related>
@@ -163,7 +167,7 @@
         <returns>A new ephemeral DSA key with the specified key size.</returns>
         <remarks>To be added.</remarks>
         <exception cref="T:System.Security.Cryptography.CryptographicException">
-          <paramref name="keySizeInBits" /> is different than <see cref="P:System.Security.Cryptography.AsymmetricAlgorithm.KeySize" />.</exception>
+          <paramref name="keySizeInBits" /> is not permitted by <see cref="P:System.Security.Cryptography.AsymmetricAlgorithm.LegalKeySizes" />.</exception>
       </Docs>
     </Member>
     <Member MemberName="Create">
@@ -845,12 +849,28 @@
         <Parameter Name="bytesWritten" Type="System.Int32" RefType="out" Index="2" FrameworkAlternate="netcore-2.1;netcore-2.2;netcore-3.0;netstandard-2.1" />
       </Parameters>
       <Docs>
-        <param name="hash">To be added.</param>
-        <param name="destination">To be added.</param>
-        <param name="bytesWritten">To be added.</param>
-        <summary>To be added.</summary>
-        <returns>To be added.</returns>
-        <remarks>To be added.</remarks>
+        <param name="hash">The hash to sign.</param>
+        <param name="destination">The byte span to receive the signature.</param>
+        <param name="bytesWritten">When this method returns, contains a value that indicates the number of bytes written to <paramref name="destination"/>.</param>
+        <summary>Attempts to create the DSA signature for the specified hash into the provided buffer.</summary>
+        <returns><see langword="true"/> if <paramref name="destination"/> is large enough to receive the result; otherwise, <see langword="false"/>.</returns>
+        <remarks>
+          <format type="text/markdown"><![CDATA[  
+  
+## Remarks  
+ The default implementation of this method is to call <xref:System.Security.Cryptography.DSA.CreateSignature(System.Byte[])> and copy the result to `destination`.
+ Derived types should override this method to avoid the intermediate array creation.
+ ]]></format>
+        </remarks>
+        <exception cref="T:System.Security.Cryptography.CryptographicException">This instance represents only a public key.
+
+-or-
+
+The implementation type only supports legacy DSA (FIPS 186-2), and <paramref name="hash" /> is not a 20-byte value.
+
+-or-
+
+Creating the signature otherwise failed.</exception>
       </Docs>
     </Member>
     <Member MemberName="TryExportEncryptedPkcs8PrivateKey">
@@ -1020,13 +1040,20 @@
         <Parameter Name="bytesWritten" Type="System.Int32" RefType="out" Index="3" FrameworkAlternate="netcore-2.1;netcore-2.2;netcore-3.0;netstandard-2.1" />
       </Parameters>
       <Docs>
-        <param name="data">To be added.</param>
-        <param name="destination">To be added.</param>
-        <param name="hashAlgorithm">To be added.</param>
-        <param name="bytesWritten">To be added.</param>
-        <summary>To be added.</summary>
-        <returns>To be added.</returns>
-        <remarks>To be added.</remarks>
+        <param name="data">The data to be hashed.</param>
+        <param name="destination">The byte span to receive the hash value.</param>
+        <param name="hashAlgorithm">The name of the hash algorithm to use.</param>
+        <param name="bytesWritten">When this method returns, contains a value that indicates the number of bytes written to <paramref name="destination"/>.</param>
+        <summary>Attempts to compute the hash value of the provided data into a provided buffer.</summary>
+        <returns><see langword="true"/> if <paramref name="destination"/> is large enough to receive the result; otherwise, <see langword="false"/>.</returns>
+        <remarks>
+          <format type="text/markdown"><![CDATA[  
+  
+## Remarks  
+ The default implementation of this method is to call <xref:System.Security.Cryptography.DSA.HashData(System.Byte[], System.Int32, System.Int32, System.Security.Cryptography.HashAlgorithmName)> and copy the result to `destination`.
+ Derived types should override this method to avoid the intermediate array creation.
+ ]]></format>
+        </remarks>
       </Docs>
     </Member>
     <Member MemberName="TrySignData">
@@ -1058,12 +1085,12 @@
         <Parameter Name="bytesWritten" Type="System.Int32" RefType="out" Index="3" FrameworkAlternate="netcore-2.1;netcore-2.2;netcore-3.0;netstandard-2.1" />
       </Parameters>
       <Docs>
-        <param name="data">To be added.</param>
-        <param name="destination">To be added.</param>
-        <param name="hashAlgorithm">To be added.</param>
-        <param name="bytesWritten">To be added.</param>
-        <summary>To be added.</summary>
-        <returns>To be added.</returns>
+        <param name="data">The data to hash and sign.</param>
+        <param name="destination">The byte span to receive the signature.</param>
+        <param name="hashAlgorithm">The name of the hash algorithm to use.</param>
+        <param name="bytesWritten">When this method returns, contains a value that indicates the number of bytes written to <paramref name="destination"/>.</param>
+        <summary>Attempts to create the DSA signature for the specified data into the provided buffer.</summary>
+        <returns><see langword="true"/> if <paramref name="destination"/> is large enough to receive the result; otherwise, <see langword="false"/>.</returns>
         <remarks>To be added.</remarks>
       </Docs>
     </Member>
@@ -1121,6 +1148,11 @@
  -or-  
   
  <paramref name="signature" /> is <see langword="null" />.</exception>
+  <exception cref="T:System.Security.Cryptography.CryptographicException">The implementation type only supports legacy DSA (FIPS 186-2), and the hash algorithm is not SHA-1.
+
+-or-
+
+Verifying the signature otherwise failed.</exception>
         <exception cref="T:System.ArgumentException">
           <paramref name="hashAlgorithm" />.<see cref="P:System.Security.Cryptography.HashAlgorithmName.Name" /> is <see langword="null" /> or <see cref="F:System.String.Empty" />.</exception>
       </Docs>
@@ -1171,6 +1203,11 @@
  <paramref name="signature" /> is <see langword="null" />.</exception>
         <exception cref="T:System.ArgumentException">
           <paramref name="hashAlgorithm" />.<see cref="P:System.Security.Cryptography.HashAlgorithmName.Name" /> is <see langword="null" /> or <see cref="F:System.String.Empty" />.</exception>
+        <exception cref="T:System.Security.Cryptography.CryptographicException">The implementation type only supports legacy DSA (FIPS 186-2), and the hash algorithm is not SHA-1.
+
+-or-
+
+Verifying the signature otherwise failed.</exception>
       </Docs>
     </Member>
     <Member MemberName="VerifyData">
@@ -1201,12 +1238,19 @@
         <Parameter Name="hashAlgorithm" Type="System.Security.Cryptography.HashAlgorithmName" Index="2" FrameworkAlternate="netcore-2.1;netcore-2.2;netcore-3.0;netstandard-2.1" />
       </Parameters>
       <Docs>
-        <param name="data">To be added.</param>
-        <param name="signature">To be added.</param>
-        <param name="hashAlgorithm">To be added.</param>
-        <summary>To be added.</summary>
-        <returns>To be added.</returns>
+        <param name="data">The signed data.</param>
+        <param name="signature">The signature to be verified.</param>
+        <param name="hashAlgorithm">The hash algorithm used to create the hash value of the data.</param>
+        <summary>Verifies that a digital signature is valid by calculating the hash value of the data in a byte span using the specified hash algorithm and comparing it to the provided signature.</summary>
+        <returns><see langword="true" /> if the digital signature is valid; otherwise, <see langword="false" />.</returns>
         <remarks>To be added.</remarks>
+        <exception cref="T:System.ArgumentException">
+          <paramref name="hashAlgorithm" />.<see cref="P:System.Security.Cryptography.HashAlgorithmName.Name" /> is <see langword="null" /> or <see cref="F:System.String.Empty" />.</exception>
+        <exception cref="T:System.Security.Cryptography.CryptographicException">The implementation type only supports legacy DSA (FIPS 186-2), and the hash algorithm is not SHA-1.
+
+-or-
+
+Verifying the signature otherwise failed.</exception>
       </Docs>
     </Member>
     <Member MemberName="VerifyData">
@@ -1269,6 +1313,11 @@
  -or-  
   
  <paramref name="offset" /> + <paramref name="count" /> - 1 results in an index that is beyond the upper bound of <paramref name="data" />.</exception>
+        <exception cref="T:System.Security.Cryptography.CryptographicException">The implementation type only supports legacy DSA (FIPS 186-2), and the hash algorithm is not SHA-1.
+
+-or-
+
+Verifying the signature otherwise failed.</exception>
       </Docs>
     </Member>
     <Member MemberName="VerifySignature">
@@ -1310,6 +1359,11 @@
         <returns>
           <see langword="true" /> if <paramref name="rgbSignature" /> matches the signature computed using the specified hash algorithm and key on <paramref name="rgbHash" />; otherwise, <see langword="false" />.</returns>
         <remarks>To be added.</remarks>
+        <exception cref="T:System.Security.Cryptography.CryptographicException">The implementation type only supports legacy DSA (FIPS 186-2), and the hash value is not 20 bytes long.
+
+-or-
+
+Verifying the signature otherwise failed.</exception>
         <related type="Article" href="~/docs/standard/security/cryptographic-services.md">Cryptographic Services</related>
       </Docs>
     </Member>
@@ -1340,12 +1394,24 @@
         <Parameter Name="signature" Type="System.ReadOnlySpan&lt;System.Byte&gt;" Index="1" FrameworkAlternate="netcore-2.1;netcore-2.2;netcore-3.0;netstandard-2.1" />
       </Parameters>
       <Docs>
-        <param name="hash">To be added.</param>
-        <param name="signature">To be added.</param>
-        <summary>To be added.</summary>
-        <returns>To be added.</returns>
-        <remarks>To be added.</remarks>
+        <param name="hash">The data hash to verify.</param>
+        <param name="signature">The signature to be verify.</param>
+        <summary>Verifies that a digital signature is valid for a provided data hash.</summary>
+        <returns><see langword="true" /> if the digital signature is valid for the hash; otherwise, <see langword="false" />.</returns>
+        <remarks>
+          <format type="text/markdown"><![CDATA[  
+  
+## Remarks  
+ The default implementation of this method calls <xref:System.Security.Cryptography.DSA.VerifySignature(System.Byte[], System.Byte[])> after copying the spans to arrays.
+ Derived types should override this method to avoid the intermediate array creation.
+ ]]></format>
+        </remarks>
+        <exception cref="T:System.Security.Cryptography.CryptographicException">The implementation type only supports legacy DSA (FIPS 186-2), and the hash value is not 20 bytes long.
+
+-or-
+
+Verifying the signature otherwise failed.</exception>
       </Docs>
     </Member>
   </Members>
-</Type>
+</Type>
